Domain Administrator Accounts
In 2003 there are Schema Admin accounts etc. I don't see these in 2008. Is it all inclusive in the Built-In Admin group?
I have been looking around but can't find anything about it.
Hi
We have Schema Admin, Enterprise Admin, Domain Admin built-in security groups and you add yourself to these groups to get the permissions.
If you search in AD for schema admin you will find it as a group.
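The three groups named in the reply are the ones a defender has to keep under review. The PowerShell script below is an added example, not code from the original thread: it lists the members of those groups (nested groups flattened) together with each user's enabled state, last logon and password age, so stale or unexpected members stand out. It assumes the ActiveDirectory module from RSAT and the default group names; the 90-day threshold in the usage lines is an arbitrary choice.

```powershell
# Added example (not from the original thread): inventory the members of the
# built-in privileged groups, resolving nested groups, so that unexpected or
# stale members stand out. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedGroupReport {
    param([string[]]$GroupNames = $privilegedGroups)

    foreach ($name in $GroupNames) {
        # Schema Admins and Enterprise Admins exist only in the forest root domain;
        # a -Filter query simply returns nothing in a child domain instead of failing.
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }

        # -Recursive flattens nested groups so indirect members are listed as well
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            $detail = $null
            if ($m.objectClass -eq 'user') {
                $detail = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
            }
            [pscustomobject]@{
                Group           = $name
                Member          = $m.SamAccountName
                ObjectClass     = $m.objectClass
                Enabled         = if ($detail) { $detail.Enabled } else { $null }
                LastLogonDate   = if ($detail) { $detail.LastLogonDate } else { $null }
                PasswordLastSet = if ($detail) { $detail.PasswordLastSet } else { $null }
            }
        }
    }
}

# Usage: full listing first, then enabled members with no logon in the last 90 days
# (accounts that have never logged on have a null LastLogonDate and are flagged too)
$report = Get-PrivilegedGroupReport
$report | Sort-Object Group, Member | Format-Table -AutoSize
$report | Where-Object { $_.Enabled -and $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
    Format-Table Group, Member, LastLogonDate, PasswordLastSet -AutoSize
```

Running this on a schedule and diffing the output against the previous run is a cheap way to notice a new member of any of these groups.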
Similar Messages
-
Domain Administrator account being locked up by PDC
Hi everyone,
My PDC is locking up my domain administrator (administrateur in french) account.
System event logs:
The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data). Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
Level : Error
Source : Directory-Services-SAM
Event ID : 12294
Computer : Contoso-PDC
User : System
There are absolutely no events in the security event log, not a single "Audit Failure" event for the "administrateur" account.
I tried to change the name of the domain administrator account from "administrateur" to "administrator".
Now there are "Audit Failure" events popping up in the security event logs.
Once again the Source Workstation is the PDC. I guess those events are there because it receives credential validation for an account that doesn't exist anymore since it has been renamed to "Administrator".
Here is the detailed log:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrateur
Account Domain: CONTOSO
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: CONTOSO-PDC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
On the PDC I checked:
Services: None of them are started with the "administrateur" account.
Network Share: There is no network share...
Task Scheduler: None of the tasks are launched with the "administrateur" account.
And the logon type (3: network) seems to indicate that the login comes from another computer, but I have nothing to look for, not a single IP.
Any ideas?
PS: Sorry for the probable English mistakes :(
Hi,
Thanks for your answers.
San4wish :
Lockout tool confirms that the domain administrator account is locked on my PDC. I didn't run eventcomb but I thought it only helped parsing security event logs, which I did "manually". Anyway I'll try eventcomb after this weekend.
About the Conficker worm: I looked into it and this worm was exploiting a vulnerability in the Server service. It has been patched by MS08-067 (KB958644) and this KB isn't available for Windows 2008 R2 and Windows 2012, so I guess Windows 2008 R2 has fixed this vulnerability.
So I doubt it's a Conficker-type worm.
Also I gave the PDC role to another DC (let's call him DC2) and now DC2 is locking the administrator account, so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs. -
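The events quoted in this thread (4625 with NULL SID, logon type 3, NtLmSsp and no source address) can be correlated with the lockout event itself and with the NTLM credential-validation events the DC records. The PowerShell below is an added example, not the poster's or any respondent's code: it reads events 4740, 4625 and 4776 from the PDC emulator, keeps those for one account, pulls the fields from the event XML rather than from the message text, decodes the NTSTATUS codes, and tallies the claimed source. The account name 'Administrateur', the 24-hour look-back and the status-code table are constructed for the example; event 4776 is not mentioned in the thread, but it is the DC-side event that names the workstation that submitted an NTLM validation, which is the missing link when 4625 shows only the DC's own name.

```powershell
# Added example, not part of the original thread: pull the lockout (4740) and the
# NTLM failure events (4625, 4776) for one account from the PDC emulator and
# summarise where each one claims to come from. Assumes the ActiveDirectory module
# and the right to read the DC's Security log remotely.
Import-Module ActiveDirectory

# NTSTATUS values as they appear in the Status / Sub Status fields (constructed table)
$StatusCodes = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (bad user name or password)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER (account name does not exist)'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
}

function Get-LockoutTrail {
    param(
        [Parameter(Mandatory)][string]$TargetUser,
        [string]$DomainController = (Get-ADDomain).PDCEmulator,   # every lockout is forwarded here
        [datetime]$StartTime = (Get-Date).AddHours(-24)
    )
    # 4740 = account locked out, 4625 = logon failure, 4776 = NTLM credential validation
    $filter = @{ LogName = 'Security'; Id = 4740, 4625, 4776; StartTime = $StartTime }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the XML instead of scraping the message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $TargetUser) { continue }

        # Where each event says the attempt came from: 4740 stores the "Caller Computer
        # Name" in TargetDomainName, 4625 has IpAddress/WorkstationName, 4776 has Workstation
        $source = switch ($e.Id) {
            4740 { $data['TargetDomainName'] }
            4625 { if ($data['IpAddress'] -and $data['IpAddress'] -ne '-') { $data['IpAddress'] } else { $data['WorkstationName'] } }
            4776 { $data['Workstation'] }
        }
        $package = if ($e.Id -eq 4776) { $data['PackageName'] } else { $data['AuthenticationPackageName'] }
        # Sub Status is the more specific code when present (e.g. 0xc0000064 under 0xc000006d)
        $code    = if ($data['SubStatus'] -and $data['SubStatus'] -ne '0x0') { $data['SubStatus'] } else { $data['Status'] }
        $meaning = if ($code) { $StatusCodes[$code.ToLower()] } else { $null }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Source    = $source
            LogonType = $data['LogonType']
            Package   = $package
            Status    = $code
            Meaning   = $meaning
        }
    }
}

# Usage: print the trail in time order, then count attempts per claimed source.
# After a rename, 4625/4776 entries for the old name with STATUS_NO_SUCH_USER show
# that some client is still presenting the old logon name.
$trail = Get-LockoutTrail -TargetUser 'Administrateur'
$trail | Sort-Object Time | Format-Table Time, Id, Source, LogonType, Package, Status, Meaning -AutoSize
$trail | Group-Object Source | Select-Object Name, Count | Sort-Object Count -Descending
```

If the 4776 entries name a member server rather than the DC, the next step is the same query against that server's own Security log, where the 4625 will carry the client IP that the DC never sees.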
Built-in domain Administrator account not given full access to new Exchange 2013 server
I migrated from Exchange 2010 to 2013 over the weekend. I cannot log into the EAC with my domain administrator account I use to log into all my other servers. I also cannot run the clean-mailboxdatabase cmdlet logged in as this user. I had no trouble moving mailboxes from the old server to the new server with this account though.
This account is a member of: Domain Admins, Enterprise Admins, Exchange Full Admin, Exchange Organization Admin, Organization Management, Schema Admins, Server Management.
I can log into the EAC with another admin account that has the same memberships as the Administrator account.
I tried giving the account the role of "Databases" as suggested by others to fix the clean-mailboxdatabase issue but that did not work for me either.
The Administrator mailbox has been moved to the new database on the Exchange 2013 server. The Exchange 2010 has been decommissioned and is turned off.
Hi,
Based on my research, to retrieve the mailbox statistics for the disconnected mailboxes for all mailbox databases in the organization, we can try the following command:
Get-MailboxDatabase | Get-MailboxStatistics -Filter 'DisconnectDate -ne $null'
http://technet.microsoft.com/en-us/library/bb124612(v=exchg.150).aspx
Additionally, the Identity parameter specifies the disconnected mailbox in the Exchange database and it can be the display name instead of the mailbox GUID.
http://technet.microsoft.com/en-us/library/jj863439(v=exchg.150).aspx
Hope it can help you.
Thanks,
Angela Shi
TechNet Community Support -
Cannot connect Workgroup Manager using a domain administrator account
Hello,
I'm trying to determine if this is normal behavior or something is not working right:
When using Workgroup Manager (remotely or locally on the server) it will only let me connect with the local (Netinfo) administrator account that was created upon install of the server. It will NOT let me log in with the diradmin account that was created when promoting the server to an OD master (or any other accounts I created (under the LDAP directory) and checked User can "administer the server" and "administer this directory domain").
Once connected to WGM with the local admin account I then can (and still need to) authenticate to the directory database using the diradmin account (which works). Is this normal behavior?
From reading Apple's User Management documentation it seems to indicate that once a domain administrator account is set up you can use that account to log into WGM.
Thanks in advance.
- Brian
Mac OS X (10.4.6)
OK, it looks as though I've figured this out. Using the Directory Access utility on the server itself, I needed to add the "LDAPv3/127.0.0.1" directory domain to the list of domains to search for authentication.
-
Server restrict from domain administrator account
I have a server 192.168.1.XXX which is added in AD domain but I would like to restrict this server from domain administrator account.
192.168.1.XXX server will be accessed by local accounts only.
Please help..
You received some great suggestions and info. Curious, why would you want to remove the domain admin account from accessing the server?
Maybe a stand alone server may be a better solution? You can still access domain resources from a stand alone using specific domain accounts, but the machine won't be joined to the domain preventing the domain admin account from accessing it.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
Built-in Domain Administrator Account Repeated Locks
This account was disabled years ago and is not used. However, event 4740 is regularly generated. It shows the calling computer name as one of our servers. So, I logged into that server and looked in the local security event log and there are no references to account lockouts at the time the 4740s are generated on the domain controllers.
I checked for services running on the server using administrator credentials and I checked for scheduled tasks using administrator credentials and I don't see anything on the server listed as caller computer.
I renamed the "User logon name" for this account to something different so that it would no longer be a match if something is trying to authenticate using the logon name of "administrator." However, this has not helped. The account still generates the 4740.
I checked the domain "Administrator" account again today and it was no longer disabled. So, I disabled it again and will see if it still gets locked out again in the next 24 hours.
How can an account with the user id changed still get locked out? It seems very strange that the account can be locked out when the user name no longer matches anything that could have ever had that user id saved.
What can be done to fix this issue?
Hi,
If possible please do the following steps.
Note: here I have taken the user account name as User1.
1. Using ADSIEDIT, change the value of the UserAccountControl attribute of the User1 account to 66082 (decimal), i.e. 0x10222 (hex), and disable it; this is the sum of the following flags:
   a. ACCOUNTDISABLE; PASSWD_NOTREQD; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
   b. Its current value was 0x10202, aka 66050 in decimal (I believe this implies ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD)
2. Then for the account (in ADUC) do the following:
   a. Uncheck "User cannot change password" -> OK
   b. Right-click the 'User1' account, select Reset Password, leave it blank and click OK
      i. This step sets a NULL password for the User1 account and keeps it disabled
   c. Right-click the User1 account and check "User cannot change password" again
https://support.microsoft.com/en-us/kb/305144?wa=wsignin1.0 -
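The reply above works with userAccountControl as raw numbers (66050 = 0x10202, 66082 = 0x10222, the difference being the PASSWD_NOTREQD bit). The PowerShell below is an added example, not the thread's own code: it decodes such numbers into the named flags, reports the built-in Administrator account by its well-known RID 500 rather than by name (which is what matters here, since the logon name was renamed), and lists every account currently locked out. The flag values are the documented UF_* constants; the script assumes the ActiveDirectory module and rights to read the domain. Because PASSWD_NOTREQD shows up in the decoded flags, running the report after the reply's step 1 confirms the change and keeps that weakening visible for later review.

```powershell
# Added example, not part of the original thread: decode userAccountControl and
# report the built-in Administrator account by RID 500. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Documented userAccountControl flag values (UF_* constants)
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int64]$Value)
    # Emit the name of every flag whose bit is set in $Value
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function Get-BuiltinAdministratorState {
    # RID 500 identifies the built-in Administrator account whatever its current logon name
    $sid  = '{0}-500' -f (Get-ADDomain).DomainSID.Value
    $user = Get-ADUser -Identity $sid -Properties userAccountControl, LockedOut, badPwdCount,
                                                   LastBadPasswordAttempt, AccountLockoutTime, PasswordLastSet
    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        UserPrincipalName  = $user.UserPrincipalName
        userAccountControl = '{0} (0x{0:X})' -f $user.userAccountControl
        Flags              = (ConvertFrom-UserAccountControl $user.userAccountControl) -join ' | '
        LockedOut          = $user.LockedOut
        badPwdCount        = $user.badPwdCount
        LastBadPassword    = $user.LastBadPasswordAttempt
        LockoutTime        = $user.AccountLockoutTime
        PasswordLastSet    = $user.PasswordLastSet
    }
}

# Usage: decode the two values quoted in the thread, then inspect the live account
# and list every account that is locked out right now.
ConvertFrom-UserAccountControl 66050
ConvertFrom-UserAccountControl 66082
Get-BuiltinAdministratorState | Format-List
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
```

badPwdCount and LastBadPasswordAttempt are not replicated, so for an accurate picture of which DC is seeing the failures the state function should be run against each DC in turn with the -Server parameter of Get-ADUser.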
Old domain was removed and Unable to login as domain administrator account in windows 7 laptop
I have a problem with a laptop which is in an old domain. Due to some issue I need to uninstall some of the programs on that machine, and for that it asks for an administrator password. When I enter the old domain's administrator account password it does not log in, and there is no other local administrator account configured on that machine. How do I log in to that machine and join it to the new domain?
I am trying to log in as <domain-name>\administrator
Hi,
Logging on to a domain with a domain account is an interactive process, which needs the cooperation of both the DC and DNS. Since the old domain has been deleted, logging in as <domain-name>\administrator to the old domain will fail.
Open CMD, type "net user", and press Enter to display the user accounts of this computer. Check to see if there is any account with administrator permissions that you can remember.
Besides, type "net user administrator"; if Account Active is YES, try to use this built-in administrator account to log on:
Press Alt + Ctrl + Delete, select Switch User -> Other User, and type <computer name>\administrator. (There may be no password if you haven't set one.)
If there is no account with administrator permissions which you can use to log on, a reinstall of the system will probably be needed.
Best Regards,
Eve Wang -
Installing software from a Domain Administrator account
I have a machine on a domain. I have logged into that machine using a Domain Admin account, and am trying to install some software. Theoretically, a Domain Admin should have full rights on that local machine, yes? However, when I try to do that install I get an error message:
"The system administrator has set policies to prevent this installation."
Any ideas of why this is occurring? What settings might I need to adjust to give the domain admin installation access?
It works with a local admin account. Doesn't work with a domain account. I installed my first domain server 2 days ago and have no idea what I'm doing, which may be contributing to the problem, but from everything I can tell it seems like the "Domain Admins" group has full permissions on all computers in the domain. I'm very confused why this is happening when, as you said, the domain admin should become a local admin by default (and I never messed with any default settings).
If it works with a local account, but is denied with a domain account, then it is either permissions (unlikely based on what you've described), a domain policy setting denying installations to domain accounts, or possibly some other software/security blocking the installation.
Examine the event logs on the PC, for events relating to the attempted installation.
These articles may help you to check for settings that can cause this; you would then need to work out where those settings are coming from, so you can consider changing them.
http://social.technet.microsoft.com/Forums/windows/en-US/6c62e6cc-7893-421d-8b90-8e14eaa1eb48/the-system-administrator-has-set-policies-to-prevent-this-installation?forum=itprovistasecurity
http://www.itninja.com/question/the-system-administrator-has-set-policies-to-prevent-this-installation-1?from=appdeploy.com
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Administrator account is disable when deploying windows 7 x64 captured image
I’m using MDT 2012 update 1. I create one deployment share with two task sequence.
The task sequences are: one for windows 7 x86 and the other one is windows 7 x64.
Both are working fine until I try to sysprep and capture with all the windows updates.
Sysprep and capture windows 7 x86 with all windows update work fine. I’m able to deploy the captured image without an error.
My problem is with the Windows 7 x64 captured image. I'm able to sysprep and capture Windows 7 x64 with all the Windows updates. Once the capture is completed, I change the .wim file in my Windows 7 x64 task sequence to point to the new .wim file (captured image with all the Windows updates). When I deploy Windows 7 x64 on a PC, the OS gets installed but boots up to the sign-on screen. The task sequence does not complete. No error message. Cannot log in as local or domain administrator, the account is disabled.
Why does it work with my windows 7 x86 image and not with my windows 7 x64 image?
With my windows 7 x86 image the task sequence completed successfully with no error and it logon automatically in windows but not with my windows 7 x64 image.
Both task sequences are the same.
Let me know if any info for this please.
thanks
They should both work, perhaps you missed a step when creating the x64 image.
1. Verify that the Windows 7 x64 image was created cleanly, with no errors. Sysprep ran with no errors.
2. Verify that you created the windows 7 deployment task sequence cleanly. I would do a windiff of the TS.xml and unattend.xml file from both folders in the deployment share.
3. Try running without a domain. Some domains have a GP set to disable the local administrator account.
Keith Garner - keithga.wordpress.com -
Can't login in to OS X 10.6.7 without domain admin account
Have just bought a mac mini to test in a Windows server environment.
I successfully bound to the Active Directory server and was able to login as my default user account;
I moved on and did a software update which moved me from 10.6.4 to 10.6.7 and since this I have not been able to logon using that or any normal user accounts.
I can successfully login as the administrator (default account created during install) and surprisingly can login as any Domain Administrator account, something I don't want to be doing. I tested with other normal users with the same issue and can successfully install with any Domain Administrator account.
I have seen a few things that are similar but none of the fixes seem to work...
This doesn't bode well for Macs in the workplace :S
I would recommend preparing your system first and then updating by following these instructions:
1. Backup first using Time Machine!
2. Disconnect all peripherals except the keyboard and mouse.
4. Download the Combo Update from Apple Downloads.
5. Boot computer in Safe Mode. Note: Safe Boot loads a stripped down system which may reduce any chance of incompatibility while the update is running. Keep all Applications closed.
6. Repair Permissions from Disk Utility while booted in Safe Mode.
7. Install the update from Safe Mode.
8. Restart as you normally would if prompted. -
Can I disable (or remove) the "migration administrator" account?
I installed a SBS 2011 server about two years ago - and migrated from an old SBS 2003 server.
In the process of migration, a "migration administrator" account was created. Now, I see it in my list of users and was wondering if I missed a step somewhere that should have deleted (or disabled) this account.
Is it safe to disable?
It's always a good practice to disable a NON required account. You can read the description of the user account "if any". If it's an account that is separate from the built-in Administrator, go ahead and delete or disable it.
Normally in SBS 2008 and SBS 2011 the domain "Administrator" account is disabled by default. This is for security reasons, as the most common account for hackers to use when launching an attack on your server is the default administrator account name. If you need the "Administrator" account for some reason, though I don't recommend using it, it is in AD under the Users OU, not the MyBusiness\Users\SBSUsers OU. You will need to enable it and assign a password.
Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help. -
This is a new domain-joined Server 2012 member server with no data. Domain Administrator account is in the Organization Management group. Domain functional level is Server 2012.
Setup /m:RecoverServer fails because "...server roles are already installed..."
Uninstall fails because the "mailbox database contains one or more mailboxes..." which I can't delete.
Hi,
I recommend you refer to the following article to troubleshoot the issue:
https://social.technet.microsoft.com/wiki/contents/articles/14874.error-the-user-domain-localusersadministrator-isnt-assigned-to-any-management-roles-on-exchange-2010-management-console.aspx
We may try to propagate the RBAC permissions for the user again. The procedure is as below:
1. Open Windows PowerShell as "Run As Administrator".
2. Load the setup snap-in with the command: Add-Pssnapin *Setup*
3. Run the commands one after the other to propagate the RBAC to the user who is logged on to the Exchange Server:
   a. Install-CannedRbacRoleAssignments –InvocationMode Install
   b. Install-CannedRbacRoles
   c. Install-CannedRbackRoleAssignmentsRAP
   d. Install-CannedAddressLists
Thanks.
Niko Cheng
TechNet Community Support -
Strange profile when I access with Domain Administrator account
Hello,
It's the first time that I got this issue (I used to install Windows 2008 Server R2 many times a month) :
These are different steps :
- Windows 2008 Server R2 installed normally
- access with local administrator (account : administrator)
- doing updates
- creating new local user (account : admin)
- add this user to local administrator group ( group : Administrators)
- access with that new admin user
- delete administrator profile and disable that user
- restart
- add the server to a domain and then restart
- access to the server with domain administrator (account : domain\Administrator)
- then there's no mention of the domain administrator name in the profile
hatem
I'd check it again in between each of the steps you mentioned to see where it happens. Can't make much from the last screenshot since it's blacked out. It may have been a one-off and will not happen next time.
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. -
"Administrator" Domain Admin account is logged in on a temporary profile.
Good day,
I have an issue on logging in on my "Administrator" domain admin account on Windows Server 2008 R2. I noticed it because my wallpaper and desktop shortcuts are different from what I set before. Also, I checked the path for my docs and noticed that it's no longer pointing where it should be.
I attached pictures for more details of my problem.
akosijesyang - the conqueror
Hi,
Checkout the below thread for similar discussion,
http://social.technet.microsoft.com/Forums/en-US/43c7c956-7f15-4e51-bf99-f775cd2fb5e9/windows-server-2008-r2-temporary-profile-for-admin-account?forum=winservergen
Regards,
Gopi
JiJi
Technologies -
Here is the case:
OS environment: Windows 7
There are two user accounts in my system, standard user "S" and administrator account "A", and there is a windows service running with "Local System" privilege.
Now I logged in with account "S", and I want to launch an application with elevated administrator account "A" from that service program, so here is the code snippet:
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <wtsapi32.h>
#include <userenv.h>
#include <stdio.h>
#pragma comment(lib, "wtsapi32.lib")
#pragma comment(lib, "userenv.lib")
#pragma comment(lib, "advapi32.lib")

// Logging helper assumed by the snippet (the original post did not show its definition)
#define LOG_FAILED(msg) wprintf(L"%s (error %lu)\n", msg, GetLastError())

int LaunchAppWithElevatedPrivilege(
    LPTSTR lpszUsername,   // client to log on
    LPTSTR lpszDomain,     // domain of client's account
    LPTSTR lpszPassword,   // client's password
    LPTSTR lpCommandLine)  // command line to execute e.g. L"C:\\windows\\regedit.exe"
{
    DWORD dwExitCode = 0;
    HANDLE hToken = NULL;             // filtered (non-elevated) token returned by LogonUser
    HANDLE hFullToken = NULL;         // linked full token (impersonation level)
    HANDLE hPrimaryFullToken = NULL;  // primary copy of the full token for CreateProcessAsUser
    BOOL bResult = FALSE;
    DWORD dwLength = 0;
    DWORD dwSessionId = 0;
    LPVOID pEnv = NULL;
    DWORD dwCreationFlags = 0;
    PROCESS_INFORMATION pi = {0};
    STARTUPINFO si = {0};
    WTS_SESSION_INFO* sessionInfo = NULL;
    DWORD ndSessionInfoCount = 0;

    __try
    {
        if (!LogonUser(lpszUsername, lpszDomain, lpszPassword,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken))
        {
            LOG_FAILED(L"LogonUser failed!");
            __leave;
        }
        // 19 == TokenLinkedToken: under UAC, LogonUser hands back the filtered token;
        // the linked token is the full (elevated) one
        if (!GetTokenInformation(hToken, (TOKEN_INFORMATION_CLASS)19, (VOID*)&hFullToken,
                                 sizeof(HANDLE), &dwLength))
        {
            LOG_FAILED(L"GetTokenInformation failed!");
            __leave;
        }
        if (!DuplicateTokenEx(hFullToken, MAXIMUM_ALLOWED, NULL,
                              SecurityIdentification, TokenPrimary, &hPrimaryFullToken))
        {
            LOG_FAILED(L"DuplicateTokenEx failed!");
            __leave;
        }
        // Find the active session so the new process lands on a visible desktop
        bResult = WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &sessionInfo, &ndSessionInfoCount);
        if (!bResult)
        {
            dwSessionId = WTSGetActiveConsoleSessionId();
        }
        else
        {
            for (unsigned int i = 0; i < ndSessionInfoCount; i++)
            {
                if (sessionInfo[i].State == WTSActive)
                    dwSessionId = sessionInfo[i].SessionId;
            }
        }
        if (0 == dwSessionId)
        {
            LOG_FAILED(L"Get active session id failed!");
            __leave;
        }
        if (!SetTokenInformation(hPrimaryFullToken, TokenSessionId, &dwSessionId, sizeof(DWORD)))
        {
            LOG_FAILED(L"SetTokenInformation failed!");
            __leave;
        }
        if (CreateEnvironmentBlock(&pEnv, hPrimaryFullToken, FALSE))
            dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
        else
            pEnv = NULL;

        if (!ImpersonateLoggedOnUser(hPrimaryFullToken))
        {
            LOG_FAILED(L"ImpersonateLoggedOnUser failed!");
            __leave;
        }
        si.cb = sizeof(STARTUPINFO);
        si.lpDesktop = (LPTSTR)L"winsta0\\default";
        bResult = CreateProcessAsUser(
            hPrimaryFullToken, // client's access token
            NULL,              // file to execute
            lpCommandLine,     // command line
            NULL,              // pointer to process SECURITY_ATTRIBUTES
            NULL,              // pointer to thread SECURITY_ATTRIBUTES
            FALSE,             // handles are not inheritable
            dwCreationFlags,   // creation flags
            pEnv,              // pointer to new environment block
            NULL,              // name of current directory
            &si,               // pointer to STARTUPINFO structure
            &pi);              // receives information about new process
        RevertToSelf();
        if (bResult && pi.hProcess != NULL)
        {
            WaitForSingleObject(pi.hProcess, INFINITE);
            GetExitCodeProcess(pi.hProcess, &dwExitCode);
        }
        else
        {
            LOG_FAILED(L"CreateProcessAsUser failed!");
        }
    }
    __finally
    {
        // PROCESS_INFORMATION was zero-initialised, so unset handles are NULL, not INVALID_HANDLE_VALUE
        if (pi.hProcess != NULL)
            CloseHandle(pi.hProcess);
        if (pi.hThread != NULL)
            CloseHandle(pi.hThread);
        if (sessionInfo)
            WTSFreeMemory(sessionInfo);
        if (pEnv)
            DestroyEnvironmentBlock(pEnv);
        if (hToken)
            CloseHandle(hToken);
        if (hFullToken)
            CloseHandle(hFullToken);
        if (hPrimaryFullToken)
            CloseHandle(hPrimaryFullToken);
    }
    return dwExitCode;
}
I passed in the username and password of account "A" to the method "LaunchAppWithElevatedPrivilege", and also the application I want to launch, e.g. "C:\windows\regedit.exe", but when I run the service program, I found it does launch "regedit.exe" with elevated account "A", but the content of regedit.exe is pure black. Screenshot as below:
Can anyone help me on this?
Your code is not dealing with the DACL access to Winsta0\Default. Only the LocalSystem account will have full access and the interactively logged on user, which is why regedit is not displaying properly. You'll need to grant access to your user.
You also need to deal with UAC since that code is going to give you a non-elevated token via LogonUser(). You need to get the full token via a call to GetTokenInformation() + TokenLinkedToken.
thanks
Frank K [MSFT]
Follow us on Twitter, www.twitter.com/WindowsSDK.