Domain Admin access to workstations

A relatively simple question, yet I haven't found any firm answers.
We have a 2008 R2 domain with all 2008 R2 servers/DCs and Windows 7 workstations. I want to know if a user that is a member of the Domain Admins security group has LOCAL admin access to any workstation that is joined to the domain BY DEFAULT (no GPOs applying, no scripts running at logon, etc.)?

Hi,
to my knowledge and observation the domain admins group is always added to the local administrators group as part of the domain join process. So yes, domain admins are local admins unless you do something against it.
Regards,
Lutz
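The default Lutz describes can drift (someone removes Domain Admins from a box, or adds an unexpected account), so the following is an added fleet-wide audit of the local Administrators group on Windows 7 workstations. It is not code from the thread; the OU path and the approved-member list are placeholders, and it assumes RSAT (ActiveDirectory module) plus remote admin rights on the targets. It uses the WinNT ADSI provider because Get-LocalGroupMember does not exist on Windows 7.

```powershell
# Added example: report, per workstation, whether the domain's "Domain Admins"
# group is still in the local Administrators group and list any member that is
# not on the approved list. Works against Windows 7 / 2008 R2 via WinNT://.
param(
    # Constructed placeholder OU; replace with the OU holding your workstations.
    [string]$SearchBase = "OU=Workstations,DC=example,DC=com",
    # Members expected in every local Administrators group (constructed list).
    [string[]]$Approved = @("Administrator", "Domain Admins")
)

Import-Module ActiveDirectory

function Get-LocalAdministrators {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Bind to the remote machine's local Administrators group.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke("Members"))) {
        # Members come back as COM objects; read Name and AdsPath by reflection.
        $name = $member.GetType().InvokeMember("Name", "GetProperty", $null, $member, $null)
        $path = $member.GetType().InvokeMember("AdsPath", "GetProperty", $null, $member, $null)
        # AdsPath is WinNT://DOMAIN/Domain Admins for a domain principal and
        # WinNT://DOMAIN/HOST/Administrator (or WinNT://HOST/Administrator) for a
        # local account, so the segment before the name tells us the source.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $source = $parts[-2]
        [pscustomobject]@{
            Computer = $ComputerName
            Member   = $name
            Source   = $source
            IsLocal  = ($source -ieq $ComputerName)
        }
    }
}

$computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows 7*"' -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name

$report = foreach ($c in $computers) {
    if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
        Write-Warning "$c unreachable, skipped"
        continue
    }
    try {
        $members = Get-LocalAdministrators -ComputerName $c
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        Computer          = $c
        HasDomainAdmins   = [bool]($members | Where-Object { $_.Member -eq "Domain Admins" -and -not $_.IsLocal })
        UnexpectedMembers = (($members | Where-Object { $Approved -notcontains $_.Member } |
                               ForEach-Object { "$($_.Source)\$($_.Member)" }) -join "; ")
    }
}

$report | Sort-Object HasDomainAdmins, Computer | Format-Table -AutoSize
# Keep a copy so later runs can be diffed against it to spot drift.
$report | Export-Csv -Path ".\local-admins-audit.csv" -NoTypeInformation
```

Machines that report HasDomainAdmins as False, or any non-empty UnexpectedMembers, are the ones whose local Administrators group no longer matches the join-time default.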

Similar Messages

  • Why is Domain Admin access required for NTFS crawling?

    Need some assistance from the experts in here..
    Our company has a policy against granting Domain Admin access to service accounts.
    Oracle states that Domain Administrative privileges are required for NTFS crawling. However, they aren't able to provide a reasonable explanation as to why such a high level of access is necessary. In theory, Local Administrative privileges on the target file host should suffice if the crawler is grabbing ACL details, but in practice this does not seem to work.
    Can anyone point me to some technical documentation on SES NTFS crawling or help me understand what actions are being invoked?
    Many thanks.
    LC

    They do seem confused. I have heard on a few occasions, someone has taken their computer in for some major work and it comes back with the latest OS! I think some Service technicians have the opinion that any OS less than the latest is a kind of defect that they can remedy.
    I suppose they are trying to be helpful, but as you say, compatibility with existing applications can be a pitfall when doing that.
    The main thing is you have your OS backed up. I keep a clone (made by SuperDuper!) of my OS on a backup disk, and if you were really worried about a service technician trawling through your hard drive on their lunch break, having the working clone would allow you to reinstall a fresh OS and hand it to them with nothing of yours on it whatsoever.
    When it comes back fixed, copy the external clone back onto your Mac. This is a bit of trouble, but it ensures the integrity of your data.

  • Exchange 2013 Give domain Admin access to all users inbox

    In the old 2007 Exchange server we had domain admin access to everyone's mailbox, so we could open anyone's mailbox using the Outlook client.
    But in 2013 Exchange the mailbox delegation does not give us the option to add a "group" to the Full Access area; it only allows adding a "user" who has a mailbox set up in Exchange. I see there is an Exchange Servers group listed under Full Access, but it does not work: we added our domain admin user to that group and rebooted Exchange and the test machine, but it did not work.
    The only option that works to allow mounting of xyz user's mailbox via the abc admin user is to actually add that abc admin user to the xyz mailbox under mailbox delegation > Full Access.
    Is there a workaround for this, so we can simply have a group ABCD with users ABC or DEF etc. so they can access everyone's mailbox, instead of going in and changing all users' mailbox delegation one by one for each new user?

    Have you tried using the Exchange Management Shell?
    Get-Mailbox | Add-MailboxPermission -User Name_of_Group -AccessRights FullAccess -InheritanceType All
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    I did, I tried get-mailboxpermission, and other than NT Authority and the end user, Deny was set to True for all inheritance rights. I tried your command, added the user to the group I wanted under the Enterprise OU in AD, restarted transport on Exchange and logged in on the test machine again.
    Still no go; the user I am trying to add, when using get-mailboxpermission, shows up as Denied for FullAccess, so is that overriding the group permissions?
    RunspaceId      : 2xxxxxxx0
    AccessRights    : {FullAccess}
    Deny            : True
    InheritanceType : All
    User            : domain\abc
    Identity        : domain/Users/xyzuser
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged
    And for the group i just added with the above abc user inside it:
    RunspaceId      : 2xxxxxxxxx0
    AccessRights    : {FullAccess}
    Deny            : False
    InheritanceType : All
    User            : domain\newgroupadded
    Identity        : domain/Users/xyzuser
    IsInherited     : False
    IsValid         : True
    ObjectState     : Unchanged
    So is the user's deny causing this? Not really sure why ABC domain admin/enterprise admin is the only one listed as no deny; there are other mailbox users that do not show up. I am assuming I have to create a new domain local user and that might work? I wanted the Domain/Enterprise Manager/admin to have access so we would not have to keep toggling between users just to access someone's inbox.
    Also, further down the list of mailbox permissions I see the user abc (the user I want to add to the group to have access) is listed with Full Access and the Deny flag set to False instead of True.
    So there are two entries for user abc, one with the deny flag set to true and one with the deny flag set to false.
    AccessRights    : {FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner}
    Deny            : False
    InheritanceType : All
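    The two entries above (one Deny, one Allow, same trustee) are exactly the pattern an explicit Deny ACE produces, and a Deny wins over an Allow inherited from group membership. The following added example, not code from the thread or from Ed's answer, lists the FullAccess trustees on one mailbox and flags those carrying an explicit Deny; it runs in the Exchange Management Shell, and the mailbox name "xyzuser" and group name "MailboxAdmins" are placeholders.

```powershell
# Added example: find FullAccess entries on a mailbox where the same trustee has
# both an Allow and an explicit Deny, which blocks access granted through a group.
param(
    [string]$Mailbox = "xyzuser",        # placeholder mailbox
    [string]$Group   = "MailboxAdmins"   # placeholder security group to grant via
)

function Get-FullAccessConflicts {
    param([Parameter(Mandatory)][string]$Identity)
    $entries = Get-MailboxPermission -Identity $Identity |
        Where-Object { $_.AccessRights -contains "FullAccess" -and ($_.User.ToString() -notlike "NT AUTHORITY\*") }
    # Group by trustee: a trustee with both Deny=True and Deny=False rows is the conflict.
    $entries | Group-Object { $_.User.ToString() } | ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            HasAllow  = [bool]($_.Group | Where-Object { -not $_.Deny })
            HasDeny   = [bool]($_.Group | Where-Object { $_.Deny })
            Inherited = (($_.Group | ForEach-Object { $_.IsInherited }) -join ",")
        }
    }
}

$conflicts = Get-FullAccessConflicts -Identity $Mailbox
$conflicts | Format-Table -AutoSize

foreach ($c in ($conflicts | Where-Object HasDeny)) {
    Write-Warning "$($c.User) has an explicit Deny FullAccess on $Mailbox; it overrides any Allow, including one via a group."
    # The -Deny switch targets the Deny ACE only. Uncomment after confirming the
    # deny was not put there on purpose:
    # Remove-MailboxPermission -Identity $Mailbox -User $c.User -AccessRights FullAccess -Deny -InheritanceType All -Confirm:$false
}

# Grant through the group rather than per user (Ed's approach). Auto-mapping in
# Outlook only applies to direct user grants, so it is turned off here.
# Add-MailboxPermission -Identity $Mailbox -User $Group -AccessRights FullAccess -InheritanceType All -AutoMapping:$false
```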

  • Folder Share with Child Domain. Access Denied

    I have a Primary domain controller and a Child domain controller, both running Server 2012 Standard.
    Let's call them:
    dns.com
    child.dns.com
    In File & Storage Services on Server 2k12, I have created my Share folder.
    On the share folder, I create Permissions for the Security Group on the Child Domain to access the folder.
    The primary domain and the child domain admin can access the folder.
    On the workstation connected to the Child domain, I get an access denied message.
    Any suggestions?

    Hi,
    Here are my suggestions:
    1. Make sure the account you logged on to the workstation with belongs to the group you added onto the Shared folder, in both the Sharing tab and the Security tab.
    2. Test adding the user specifically to the Sharing tab and Security tab with Full Control permission and test again.
    3. Log on with a user belonging to the Primary domain onto the same workstation and see if that account can access the folder.
    4. If not yet tested, try to log on with both the primary and child domain admin onto the workstation and let us know the result.

  • Need recommendation regarding domain admin permission

    Hi,
    Recently we got a request from the IT security team to remove domain admin privileges from every IT user account, even the Sr. System Administrator. According to them it is not recommended to log in with a domain admin account on a workstation, so they asked me to create a standalone account for workstations and use the domain admin account only for logging in to servers.
    I need someone's recommendation regarding this, and if you agree, please mention some points on why it is not recommended to have domain admin privileges on a System Administrator's daily-use account.
    Appreciate your quick response regarding them.
    Regards,
    Hakim.B, Sr. System Administrator

    1. Do not give the domain admin permission to more than 3/4 persons, no matter how big the environment is.
    2. ADDS Audit should be enabled (see: ADDS 2008 Audit).
    3. Restricted Groups is ok, but that overwrites the existing admins.
    Regards,
    Biswajit
    MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011
    Note: Disclaimer: This posting is provided with no warranties or guarantees and confers no rights.

  • Group Policy changes cause Access Denied error for Domain Admin account

    Hi All,
    I am battling to get WSUS to work, and I think the root cause is problems editing the domain and domain controller group policy objects.
    We have 1 DC, approx 20 clients. 1 GPO for DC, 1 GPO for clients. There is a link to the default domain GPO in our staff (users) OU, I don't know if it should be there or not.
    I log in as domain administrator, right-click the domain GPO in GPMC, click Edit.
    Find the setting I want to edit (specify intranet microsoft update service location), double click.
    Change something, click OK.
    I get error:
    Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continue.
    Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
    I have followed the steps in the links posted by Brent in another post called "restricting-domain-admin-account-to-edit-group-policies" (no links allowed for my account yet, sorry) and the user does have edit settings, delete, modify security delegation.
    PLEASE NOTE: the solution may very well be something very simple/basic. I am reasonably computer savvy, but have just upgraded the whole network for an NGO on a voluntary basis. Never seen a server before I came here, but I'm the best they have. Please bear that in mind when offering advice :)
    Any help appreciated!
    James

    More diagnostic info:
    Inside GPMC, there's Group Policy Results.
    If I right-click, Result Wizard, choose this computer, it works fine showing default domain controllers policy with alert that it's enforced.
    If I browse for another PC (it comes up as Domain\PC name), click Next, I get error:
    Failed to connect to DOMAIN\PCNAME due to the error listed below. Ensure that the Windows Management Instrumentation (WMI) service is enabled on the target computer, and consult the event log of the target computer for further details.
    Details: the RPC server is unavailable.
    If you need the recent related events, I will post them. I also checked that service on the client - it's automatic and started.
    PPS Clients are all Win 7, PCs are 32bit, laptops are 64. Server is Windows Server 2012 Datacenter. WSUS when clicking Help -> About from the snap-in/GUI: 6.2.9200.16384.
    PPPS Directory browsing for the whole WSUS object in IIS is enabled, thanks to SorinAlbu over at Spiceworks post WSUS and IIS.
    PPPPS Launching IE and loading http://servername:8530/iuident.cab fails with a 404 error from both clients and server. That file in C:\Program Files\Update Services\WebServices\Root\iuident.cab doesn't exist. Maybe because we recently removed the WSUS role and reinstalled it, to check if something went wrong the first time? It's all been configured using the snapin/GUI, but the new installation of the role hasn't yet connected to the Microsoft Update servers.
    PPPPPS Added the Application Server role with default settings as recommended by the step by step guide to WSUS at Technet. Still no dice.

  • Prevent Active Directory Parent Domain Admins from accessing Child Domain

    We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
    Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
    Thanks in advance for input and advice!
    Best regards.

    Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. We have parentdomain.com
    parent.parentdomain.com
    child1.parentdomain.com
    child2.parentdomain.com
    child3.parentdomain.com
    We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
    1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
    2.) Promote a Child.parentdomain.com user to Enterprise Admin?
    Thanks sorry for the confusion.
    Ah ok.
    Yes, you can. The answer is the same basically. The group membership is what counts. So in the child domain, remove the Enterprise Admins group from the child domain's Administrators group, OR make sure the domain admins of the forest root are not members of the Enterprise Admins group. That way they are still only admins in the parent domain.
    It really only depends on group membership and on including those groups in the child domain. By default the Enterprise Admins group is included, for example, but nothing stops you from removing those groups.
    Based on the group membership you can also deny them the ability to log on.
    The only thing you cannot prevent is the forest administrator account from doing something.
    One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in.

  • Domain Admins and RDP Users can not RDP into Computers (Access Denied)

    Dear All,
    I got some users with Domain Admins rights and Remote Desktop Users rights. But they are denied access to Remote Desktop Services on other servers. I have confirmed that since setup I have had no Remote Desktop related GPO in the domain. I tried to create one but the issue still persists.
    Regards,
    Zaw Tun Naing
    ZAW

    You need to track down the machines that are denying the authentication and then look through the member servers and DCs to find any events within the Security Event log and post those errors. This should define what specifically is the reason why you are being denied.
    One thought: not sure how the service accounts were initially created, but someone could have gone into the local security policy and DENIED the right to log on remotely or locally, basically only allowing the "log on as a service" right.
    http://technet.microsoft.com/en-us/library/cc957048.aspx
    http://www.alexheer.co.uk/it-blog/deny-interactive-logon-for-service-accounts
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Membership of Domain Admins group not providing full NTFS access?

    I recently tried to check the properties of a folder on the network to see what the total file size of its contents was (on a Server 2008 R2 server, logged on using my domain admin account). The total size of the contents reported was only 6 MB. This was a folder I knew to contain subfolders totalling in excess of 300 GB, so something wasn't right. When I drilled down a level, I realized that the subfolders would also not let me check their properties or browse to them until I elevated my access in a UAC prompt. Apparently, I don't have read access to those folders, even though Domain Admins has full access to them and I am a member of Domain Admins.
    This makes no sense! On the other hand...
    If I add my domain admin account directly to the root folder and give myself full control this way, instead of relying on my membership of the Domain...
    This topic first appeared in the Spiceworks Community


  • Access to all servers (except DCs) without Domain Admins privileges

    Hi,
    We would like to allow some functional accounts (ITS Accounts) to access all the company's servers, but without being domain admins and without adding them manually to the local admin group on each server.
    Could we do this using Group Policy management? or Active Directory delegation? (our AD is 2012).
    Could anyone help me please?
    Thanks and regards
    Manuel Osorio

    Hi Manuel,
    >We would like to allow some functional accounts (ITS Accounts) to access all the company's servers, but without being domain admins and without adding them manually to the local admin group on each server.
    It depends on which kind of access you intend to achieve. If you just want these accounts to be able to log onto these servers, you can assign the "log on locally" or "log on through terminal services" user rights through group policy.
    In addition, you may find some built-in groups like Backup Operators, Network Configuration Operators or Performance Log Users useful.
    More information for you:
    User Rights
    http://technet.microsoft.com/en-us/library/dd349804(v=WS.10).aspx
    Default local groups
    http://technet.microsoft.com/en-us/library/cc771990.aspx
    Best Regards,
    Amy

  • Restricted Group as like as domain admins

    I have configured Restricted Groups in a GPO in mydomains.com.
    So I added a group called 'ABC_Support' and in the second box (This group is a member of) was Administrators.
    In the ABC_Support group, there is one user called 'tech_admin'.
    Result: the GPO was successfully pushed to the workstations, ABC_Support is a member of local Administrators and tech_admin is able to administer the workstations.
    Problem: the problem is that on the domain controller you will see that ABC_Support is also a member of the built-in Administrators group. tech_admin is able to access the domain controller remotely and can create users, really just like domain admins.
    Are there any solutions that prevent the problem? And is this behaviour normal? Is Restricted Groups designed like that? I know there is a GPO under user configuration "Local Users and Groups".

    Hi Ben,
    As others suggested, please make sure that the Restricted Groups setting is not applied to domain controllers. To do this, we can link the GPO to the OU where all workstations reside, or we can use security filtering or a WMI filter to filter out domain controllers if we link the GPO at the domain scope.
    Besides, as you know, instead of Restricted Groups, we can also use Group Policy Preferences Local Users and Groups extension to make a domain user a local admin. In this way, we can use GPP item-level targeting to apply our settings to specific targets.
    Regarding this point, the following article can be referred to for more information.
    How to use Group Policy Preferences to Secure Local Administrator Groups
    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
    In addition, regarding security filtering, WMI filtering, and ILT, the following blog can be referred to for more information.
    Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences
    http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx
    Best regards,
    Frank Shen
    I have applied the GPO of ABC_support (restricted group) with WMI filtering and it is not applied to the domain controller. On the Domain Controllers OU, I made another GPO to deny this group remote desktop and local login, so that the group will not be able to do unexpected activity.
    However, I found that "\\mydomaincontrollers\Anydrive$ such as \\c$" can be accessed from the workstations OU. If I deny the terminal service in a GPO on domain abc.local, it will apply to all computers, and shared folders '\\servers\example' cannot be accessed if I deny login through terminal services. Why is that? I suppose network and mapped shared folders use different ports and remote desktop/terminal services use different ports.
    There are many thousands of workstations in the computer OU, with different child domains and parent domains as well, that I need to manage, so it's really hard for me to move them to another OU.
    Please advise.

  • Domain Admin locked out of local logon

    I have a customer we just took over for. They have an existing issue where the domain administrator cannot log in locally to the DC. I've looked through all their GPOs and cannot find any instance of the domain admin groups being specifically denied this right. In fact, it says right in the DC GPO that domain admins have the right to log on locally, yet I can't seem to log in. Remote Desktop works fine and that is how I've been accessing their DC, but I cannot find an answer to this problem. Any ideas?

    Policy | Computer Setting | Source GPO
    Access Credential Manager as a trusted caller | Not Defined |
    Access this computer from the network | kcengr\IWAM_DELL-OFV7446Y6N,Everyone,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,Authenticated Users,ENTERPRISE DOMAIN CONTROLLERS,Pre-Windows 2000 Compatible Access,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
    Act as part of the operating system | kcengr\bkupexec | Default Domain Controllers Policy
    Add workstations to domain | Authenticated Users | Default Domain Controllers Policy
    Adjust memory quotas for a process | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
    Allow log on locally | kcengr\IUSR_DELL-OFV7446Y6N,Administrators,Backup Operators,Account Operators,Server Operators,Print Operators,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
    Allow log on through Remote Desktop Services | Not Defined |
    Back up files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
    Bypass traverse checking | NT SERVICE\MSSQL$SCANMAIL,Everyone,Administrators,Authenticated Users,Pre-Windows 2000 Compatible Access,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
    Change the system time | Administrators,Server Operators,LOCAL SERVICE | Default Domain Controllers Policy
    Change the time zone | Not Defined |
    Create a pagefile | Administrators | Default Domain Controllers Policy
    Create a token object | kcengr\bkupexec | Default Domain Controllers Policy
    Create global objects | Not Defined |
    Create permanent shared objects | | Default Domain Controllers Policy
    Create symbolic links | Not Defined |
    Debug programs | Administrators | Default Domain Controllers Policy
    Deny access to this computer from the network | kcengr\SUPPORT_388945a0 | Default Domain Controllers Policy
    Deny log on as a batch job | | Default Domain Controllers Policy
    Deny log on as a service | | Default Domain Controllers Policy
    Deny log on locally | kcengr\SBS Remote Operators,kcengr\SUPPORT_388945a0,kcengr\SBS STS Worker | Default Domain Controllers Policy
    Deny log on through Remote Desktop Services | Not Defined |
    Enable computer and user accounts to be trusted for delegation | Administrators | Default Domain Controllers Policy
    Force shutdown from a remote system | Administrators,Server Operators | Default Domain Controllers Policy
    Generate security audits | LOCAL SERVICE,NETWORK SERVICE,IIS APPPOOL\Classic .NET AppPool,IIS APPPOOL\DefaultAppPool | Default Domain Controllers Policy
    Impersonate a client after authentication | Not Defined |
    Increase a process working set | Not Defined |
    Increase scheduling priority | Administrators | Default Domain Controllers Policy
    Load and unload device drivers | Administrators,Print Operators | Default Domain Controllers Policy
    Lock pages in memory | | Default Domain Controllers Policy
    Log on as a batch job | kcengr\bkupexec,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,kcengr\IIS_WPG,kcengr\SUPPORT_388945a0,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG,IIS_IUSRS | Default Domain Controllers Policy
    Log on as a service | kcengr\Administrator,NT SERVICE\MSSQL$SCANMAIL,kcengr\SQLServer2005SQLBrowserUser$KC01,IIS APPPOOL\Classic .NET AppPool,kcengr\bkupexec,NETWORK SERVICE,IIS APPPOOL\DefaultAppPool,SYSTEM,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
    Manage auditing and security log | kcengr\Exchange Servers,kcengr\Exchange Enterprise Servers,Administrators | Default Domain Controllers Policy
    Modify an object label | Not Defined |
    Modify firmware environment values | Administrators | Default Domain Controllers Policy
    Perform volume maintenance tasks | Not Defined |
    Profile single process | Administrators | Default Domain Controllers Policy
    Profile system performance | Administrators | Default Domain Controllers Policy
    Remove computer from docking station | Administrators | Default Domain Controllers Policy
    Replace a process level token | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
    Restore files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
    Shut down the system | Administrators,Backup Operators,Server Operators,Print Operators,SYSTEM | Default Domain Controllers Policy
    Synchronize directory service data | | Default Domain Controllers Policy
    Take ownership of files or other objects | Administrators | Default Domain Controllers Policy
    I am using the domain administrator account to try and log on locally and I cannot see a reason within the DC's GP why it would be prevented. 
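    A GPO report shows what policy intends; what matters for a logon failure is the effective User Rights Assignment on the DC, where any "Deny log on locally" entry wins over an Allow. The following added example (not from the thread) exports the effective rights with secedit, resolves the SIDs to names, and checks whether any group in the current session's token sits in the deny list. Since RDP to the DC works for the same account, it can be run elevated from that RDP session; the INF path is a constructed default.

```powershell
# Added example: read the effective User Rights Assignment from the local machine,
# resolve SIDs, and compare the deny-local-logon list against the current token.
function Get-EffectiveUserRights {
    param(
        # Where secedit writes its export; constructed default in %TEMP%.
        [string]$InfPath = (Join-Path $env:TEMP "user-rights.inf")
    )
    # secedit exports the effective local policy; /areas USER_RIGHTS limits the output.
    & secedit.exe /export /cfg $InfPath /areas USER_RIGHTS /quiet | Out-Null
    $inSection = $false
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(?<right>Se\w+)\s*=\s*(?<val>.*)$') { continue }
        $right = $Matches.right
        $val   = $Matches.val
        # Values look like "*S-1-5-32-544,*S-1-5-32-551"; a leading * marks a SID.
        $principals = foreach ($entry in ($val -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry.Substring(1) }   # orphaned SID: keep it raw so it is still visible
            } else { $entry }                      # already a name
        }
        [pscustomobject]@{ Right = $right; Principals = @($principals) }
    }
}

$rights = Get-EffectiveUserRights
$allow = ($rights | Where-Object Right -eq 'SeInteractiveLogonRight').Principals
$deny  = ($rights | Where-Object Right -eq 'SeDenyInteractiveLogonRight').Principals
"Allow log on locally : $($allow -join ', ')"
"Deny log on locally  : $($deny -join ', ')"

# Does any group in the current session's token appear in the deny list?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($me.Name) + @($me.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value } })
$hits = $myNames | Where-Object { $deny -contains $_ }
if ($hits) { "Current account is denied local logon via: $($hits -join ', ')" }
else { "No deny entry matches the current account or its groups." }
```

If the deny list matches nothing but local logon still fails, the cause lies outside User Rights Assignment (for example an interactive logon restriction applied by another mechanism), which this check rules in or out before further digging.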

  • Difference between Domain Admins & Built-In Administrators Group ?

    Hi,
    I am new to AD and would like to seek your advice.
    If a user (say Peter) is a member of the Built-In Administrators Group but not a member of the Domain Admins Group in Active Directory, does it mean that
    1) Peter can still manage Domain Objects but with some limitations ?  What he cannot manage ?
    2) Peter can remote access all workstations and servers in the Domain ?
    Thanks

    See: 
    http://technet.microsoft.com/en-us/library/cc756898(v=WS.10).aspx
    Administrators:
    Description: Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution.
    Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
    Domain Admins:
    Description: Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.
    Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
    These groups are the most powerful in a domain and should NOT be used for day-to-day (lower level) administration. That's the beauty of Active Directory Domain Services. You don't need god-like rights to operate a domain (create users, groups, manage attributes, etc.) and should not use these accounts for this kind of administration.
    Additionally, don't log on locally to your workstations, notebooks etc. with these accounts. Doing so leaves data behind on the computer that can lead to compromise of the domain.
    David Shaw [MSFT]

  • Domain Admins not able to run executable on Domain Servers

    I have built a VM domain of Windows 2008 R2 SP1 x64 machines.  One Domain controller, 4 member servers.  I have built a couple users, and put them into the following domain groups:
    Domain Admins
    Enterprise Admins
    Schema Admins
    However, if I log into any of the machines as the two users I created, I cannot run, for instance, setup.exe for SQL server.  I am invariably told :
    "Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."
    I CAN access stuff on the Domain Controller logged in as one of those users.  So all these problems only apply to the member servers.
    I have checked to unblock the files (not an issue)
    I have modified UAC settings through SECPOL.msc
    I have confirmed that the users in question (as well as the groups above) are members of the local Administrators group on each node. The only way for me to run these programs (things like regedit also won't run) is to log in as Administrator (domain and local both work for this).
    I have removed a member server from the domain and re-added it.  I did so using one of the userids that have been problematic.  It added it to the domain fine, but upon reboot, that userid had effectively no rights on the box.
    I have no idea what the problem is.  I can't even elevate a command prompt to administrator - it gives the error above.
    I built this system for some exercises and testing for a cert test I am taking.  If I can't get these (or any other) accounts working, I am kinda stuck.  
    Any help would be great, because none of this makes sense.
    Thanks,
    Todd 

    Hi,
    Would you please check the below article and try the suggestions in it:
    "Windows cannot access the specified device, path, or file" error when you try to install, update or start a program or file
    http://support.microsoft.com/kb/2669244
    Regards,
    Yan Li

  • Non domain admins can't authenticate

    I'm setting up a new ACS 5.6.  It has an external identity store connected to our AD.  The RADIUS client is an ASA5510 with 9.1(5)21.  My issue is I can only authenticate accounts in the Domain Admins group.  Accounts not in the Domain Admins group fail authentication.  The message I see in the ACS log has Failure Reason "15039 Selected Authorization Profile is DenyAccess.  Access Service is "Default Network Access", Authorization Profiles is "DenyAccess".
    The account I'm testing with is in the "ACS Remote VPN Devices" group.  I added this group in Users and Identity Stores > External Identity Stores > Active Directory > Directory Group tab by using select and adding the group.  I did not type in the group name.  I created an access Policy and added the ACS Remote VPN Devices group to this policy.  The Domain Admins group is also on this policy.
    The test I am using to generate successful or failed logins is on the ASA.  I use the command "test aaa authentication RADIUS user ??? password ????
    With an account in the Domain Admins group the test is successful.  With an account not in the Domain Admins group the test fails.
    Thanks for any help.
    Bill

    hmmm.  If your computer is on a domain, and you plug it into someone else's network running workgroup, you should be OK, if the workgroup is on single segment.  Your computer will resort to Netbios name resolution if host name resolution fails.
    You can remove the primary dns suffix from your computer, but if the DHCP server that negotiates the lease on the network you are on supplies option 015, it will add the domain suffix to that NIC.
    Since I do not know the exact situation you are facing, you can try this...
    Open the control panel--> system--> advanced settings --computer name tab --> change button --> more button --> uncheck "change primary dns suffix... & also clear the text box that contains the primary dns suffix.
    Overview regarding name resolution for Windows:
    Microsoft Windows TCP/IP NetBIOS and Host Name Resolution
    http://www.anitkb.com/2010/08/microsoft-windows-tcpip-netbios-and.html
    Visit: anITKB.com, an IT Knowledge Base.
