Domain Administrator Problem
I created a new domain admin account that is part of AD Administrators, Domain Admins and Enterprise Admins. I have been using this account for a couple of years with no issue. However after promoting the domain to W2k3 and adding 2012 R2 domain controllers
I keep running into issues with the account.
The most recent was using the command 'appcmd list backup' in prepping for IIS migration. I received an Access is denied error. I tried this with another account that should have domain admin privileges and got the same error. When using the original Administrator account there is no issue.
Does anyone have any thoughts on this? Is there a way to check rights and permissions for a domain admin, Enterprise admin and Administrator account? So far all I have found is stuff related to the SID but I don't believe this is a true check of rights.
Thanks
> Yes but isn't it a best practice to rename and disable it? Shouldn't
> there be a way to create an equivalent account without the -500 SID or
> am I missing something ?
"Disable", yes. "Rename", no - renaming it has no benefit, the SID stays
with him :)
This is an old tale of the "security by obscurity" days.
Martin
Ever read a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))
Similar Messages
-
hi, I'm using windows server 2012 R2 and I was Just wondering how to make the Remote Desktop enable connection through domain\administrator before actually creating the domain... In other words, I wanted to create an Active Directory Domain User and connect
to the server from the RDP. The problem is that I can only connect through the RDP considering that I'm using Windows Azure, so the physical server isn't actually sitting on my desk... Anyway when I create an AD DS the system automatically reboots and I'm
not able to connect to it anymore, so all I need to do right now is enable somehow the Remote Desktop Services to connect through "Domain\Administrator" before I actually create the AD DS and assign it to my server so that when the system reboots
and I open the RDP I can connect to the server.
Thanks in advance.
Hi,
Thank you for posting in Windows Server Forum.
As per your comment, it seems that you are managing the server with a .RDP file. I can suggest you to run "Remote Desktop Connection Manager" for maintaining the server. With that you can specify the credential for domain\administrator and when you set up the AD DS, after that you can open the connection through domain\administrator and not as a local user.
Hope it helps!
Thanks,
Dharmesh -
Good morning all,
I took over as IT director for the school district in my town about 2 years ago, and we've had some techs come and go, all of which have had the domain administrator password (not my call, but my fault for not changing it by now). I am about to change
it, but before doing so I want to know how I can make sure what all this will break so I can quickly change the cached/saved password on whatever supporting services use this user/pass.
Can anyone help here?
Thank you!
Hello,
From my point of view, if I were in this situation I would change the domain administrator password. By resetting the domain administrator's password, all the services which use the domain administrator as their logon user will lose their functionality. I had this experience and I did change the domain administrator password with no problem. However, do not forget to have an account lockout tool or script for locating the place where the account was locked out.
But to keep it short, most of the time lockout problems arise from mapped drives, credential manager, saved RDP sessions, etc.
Regards.
Mahdi Tehrani | www.mahditehrani.ir
Please click on Propose As Answer or to mark this post as and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
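An added example, not part of the thread or any poster's reply: a PowerShell survey of the places that most commonly hold a saved credential for an account, Windows services and scheduled tasks, across a list of servers, so that they can be updated before the password changes rather than discovered through lockouts afterwards. The server names and the account are placeholders; it assumes PowerShell remoting (WinRM) is enabled on the targets, that the caller is an administrator there, and that the targets have the ScheduledTasks module (Windows Server 2012 / Windows 8 or later).

```powershell
# Added example, not from the thread. Placeholders: $Account and $Servers.
# Finds services and scheduled tasks that run under a given domain account.
$Account = 'CONTOSO\Administrator'      # placeholder: account whose password will change
$Servers = @('SRV1', 'SRV2', 'SRV3')    # placeholder: hosts to survey (need WinRM + admin rights)

$findings = Invoke-Command -ComputerName $Servers -ArgumentList $Account -ScriptBlock {
    param([string]$Account)
    $shortName = $Account.Split('\')[-1]      # tasks may store just the user name

    # Windows services: Win32_Service.StartName is the logon account
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($_.StartName -ieq $Account) } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Kind = 'Service'
                Name = $_.Name; RunAs = $_.StartName; State = $_.State
            }
        }

    # Scheduled tasks: Principal.UserId holds the account, with or without the domain prefix
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and
                       ($_.Principal.UserId -ieq $Account -or $_.Principal.UserId -ieq $shortName) } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Kind = 'ScheduledTask'
                Name = $_.TaskName; RunAs = $_.Principal.UserId; State = $_.State
            }
        }
}

$findings | Sort-Object Computer, Kind, Name |
    Format-Table Computer, Kind, Name, RunAs, State -AutoSize
```

The survey does not cover IIS application pool identities, Credential Manager entries or mapped-drive credentials on workstations, so the reply's point about keeping a lockout tool ready still applies for whatever this misses.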
How to query members of 'Local Administrators' group in all computers? -
Install Oracle XE in a domain without domain administrator credential
Hi,
I work in a company. My Windows 7 64b and my login are identified in a Windows domain. For test purpose, I would like to install Oracle XE on my computer so that I can connect on it.
I tried many things and I had always credential problems or Oracle problems. As I understand the behavior of Oracle :
- if you install it being connected to the domain, you enter during the install a system password that is useless : the domain administrator password should probably be used
- if you are logged in to the domain but you disconnect your network cable, you can connect with the given system password
- if after installation you change SQLNET.AUTHENTICATION_SERVICES to (NONE) then you can connect but Oracle isn't started. From the logs, it seems that Oracle didn't have the correct password itself to initialize itself
- if you create, on your computer, a local account with administrator credentials, it works all fine from this account but not from your domain account!
My question is: how to install Oracle XE being identified on the domain, without needing administrator credentials? Or once Oracle is installed and authentication set to local, is it possible to initialize Oracle again?
> how to install Oracle XE being identified on the domain, without needing administrator credential
Add your domain login to the local administrators group. Per the XE install guide for Windows, the installing user must have administrator rights on the host. See the section "Permission Requirement for Installing Oracle Database XE" at:
http://docs.oracle.com/cd/E17781_01/install.112/e18803/toc.htm#BABIHEJC
Also note the System Architecture requirement, Intel x86, which is not X64. Not to say that it won't work, but there will be challenges getting a successful installer run with a Windows X64 OS. -
How to Reset Windows 2008/R2 Domain Administrator Password
How to Reset Windows Server 2008/R2 Domain Administrator password if forgot or lost it?
It is annoying and bad to forget a Windows Server 2008/R2 Domain administrator login password. It is troublesome unless you have that Windows Server 2008/R2 password reset disk. We can still find several tricks to reset a Windows Server Domain password, but they require a mass of operations and waste a lot of time. For example, you can reset the Windows Server 2008/R2 domain administrator password with an installation disk, but it requires you to type a mass of command lines. So today I want to share with everyone an omnipotent method to reset a Windows Server 2008/R2 Domain/local administrator password. You need the following 3 things.
An accessible PC.
A USB/CD/DVD flash drive.
The Windows password reset tool Daossoft Windows Password Rescuer.
Then it requires 4 steps as below:
Step 1: Download and install Daossoft Windows Password Rescuer into that accessible computer.
Step 2: Burn it to the flash drive.
Step 3: Boot your Windows Server computer from the flash drive.
Step 4: Follow its instruction and click “Reset Password” button to reset your Windows 2008/R2 Domain/Local administrator password.
More details in this video: Windows Server 2008 R2 Password Reset - Reset Domain or Local Password.
It wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an illusion of security which is not there. Linux systems that are much more secure than MSFT software allow easy password reset when physical access is there, so why not include the same tools in System Repair tools or using F8?
Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
Thanks, -
Domain Administrator account being locked up by PDC
Hi everyone,
My PDC is locking up my domain administrator (administrateur in french) account.
System event logs :
The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please
consider resetting the password of the account mentioned above.
Level : Error
Source : Directory-Services-SAM
Event ID : 12294
Computer : Contoso-PDC
User : System
There are absolutely no events in the security event log, not a single "Audit Failure" event for the "administrateur" account.
I tried to change the name of the domain administrator account from "administrateur" to "administrator".
Now there are "Audit Failure" events popping up in the security event logs.
Once again the Source Workstation is the PDC. I guess those events are there because it receives credential validation for an account that doesn't exist anymore since it has been renamed to "Administrator".
Here is the detail log :
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrateur
Account Domain: CONTOSO
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: CONTOSO-PDC
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
On the PDC I checked:
Services: None of them are started with the "administrateur" account
Network Share: There is no network share...
Task Scheduler: None of the tasks are launched with the "administrateur" account.
And the logon type (3: network) seems to indicate that the login comes from another computer, but I have nothing to look for, not a single IP.
Any ideas?
ps: Sorry for the probable English mistakes :(
Hi,
Thanks for your answers.
San4wish:
The lockout tool confirms that the domain administrator account is locked on my PDC. I didn't run EventComb but I thought it only helped parsing security event logs, which I did "manually". Anyway I'll try EventComb after this weekend.
About the Conficker worm: I looked into it and this worm was exploiting a vulnerability in the Server service. It has been patched by MS08-067 (KB958644) and this KB isn't available for Windows 2008 R2 and Windows 2012, so I guess Windows 2008 R2 has fixed this vulnerability.
So I doubt it's a Conficker type worm.
Also I gave the PDC role to another DC (let's call him DC2) and now DC2 is locking the administrator account, so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs. -
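An added example of the event-log side of this investigation, written for this page and not taken from any reply in the thread: it pulls account lockout (4740), failed logon (4625) and NTLM credential validation (4776) events for one account from every domain controller, since the DC that processed a failed authentication is the only one that logs it, the 4740 on the PDC emulator names the calling computer, and the 4776 carries the source workstation even when the 4625 shows no network address (as in the events quoted above). It assumes the ActiveDirectory module and permission to read each DC's Security log; the account name is a placeholder taken from the thread.

```powershell
# Added example, not from the thread. Placeholder: $Account. Requires the ActiveDirectory
# module and permission to read the Security log on each domain controller.
$Account = 'Administrateur'                 # placeholder: the account being locked out
$Since   = (Get-Date).AddHours(-24)

# Meaning of the well-known NTSTATUS codes that appear in 4625 SubStatus / 4776 Status
$StatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

$dcs  = (Get-ADDomainController -Filter *).HostName
$rows = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4625, 4776; StartTime = $Since
    }
    foreach ($e in $events) {
        # EventData is easiest to read from the XML form: <Data Name="...">value</Data>
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ine $Account) { continue }

        # 4740 stores the caller computer in TargetDomainName; 4625 uses WorkstationName; 4776 uses Workstation
        $source = switch ($e.Id) {
            4740 { $data['TargetDomainName'] }
            4625 { $data['WorkstationName'] }
            4776 { $data['Workstation'] }
        }
        $code = if ($e.Id -eq 4625) { $data['SubStatus'] } else { $data['Status'] }
        $code = if ($code) { $code.ToLower() } else { '' }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc
            EventId   = $e.Id
            Source    = $source
            IpAddress = $data['IpAddress']      # only present in 4625
            LogonType = $data['LogonType']      # only present in 4625
            Reason    = if ($StatusText.ContainsKey($code)) { $StatusText[$code] } else { $code }
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

Read the output by source rather than by count: after the rename, entries whose reason is "user name does not exist" come from whatever still presents the old name, and the Source column on the 4740 and 4776 rows is the machine to inspect next, where the same survey of services, tasks and saved credentials applies.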
Built in domain administrator... locked out?
PART-1
Today our built in domain administrator got locked out. From what I've read this is not possible. We were alerted on it and when I opened the object it said it was locked out. (I'll admit, I didn't try logging in with it). I double checked and the objects
SID does indeed end in -500 which is indicative of it being the built in account.
I ran this query:
$BA=(get-addomain).domainsid
$BA.tostring() + "-500"
and the only result I got back was the SID that matched the user in question.
What's going on? Was it truly locked out? I guess we will run a test tomorrow but I wanted to reach out to the forums too.
PART-2
Once this account was locked out we went to the source server and found that it was no longer on the domain. Instead it was in a workgroup that had a name that resembled our domain. I checked the event log and there were a ton of errors with event ID 4097
that said "The machine [machine-name] attempted to join the domain [FQ-domain-name]\[FQDN-of-PDC] but failed. The error code was 1326". These errors correspond with the time that the account was locked out. There were a ton of them...
The account that was originally used to join this machine to the domain was the built in admin above (I know, not best practice). Regardless, why would it switch from domain to a workgroup? Why would it attempt to auto re-join? And why would it use the account
originally used to join the domain?
I have found my answers...
Part 1:
The built-in administrator will get locked out and marked as locked out - however, when you go to log in with it, it will AUTOMATICALLY unlock the account. So essentially it cannot be locked out but it will give off the impression that it is.
You can, however, disable the account. Supposedly if you ever have to recover your domain in restore mode it will enable the account for you... never had an opportunity to test that and I hope I don't.
Part 2:
This is a vmware related issue. The machine tried to re-run custom specs. Please see the following vmware article if you are having the same issue.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2078352
This is related to deploying machines with custom specs in 5.1 with hosts on build 1743533 (ESXi 5.1 patch 4) -
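An added example that extends the SID query in this post and also answers the first thread's question about how to verify what an admin account actually holds (my code, not any poster's): it resolves the domain's RID-500 SID, compares the account's SID to it, and lists nested group membership with an LDAP_MATCHING_RULE_IN_CHAIN filter instead of the direct MemberOf list, which misses groups reached through other groups. It assumes the ActiveDirectory module; the account name is a placeholder.

```powershell
# Added example, not from the thread. Placeholder: $SamAccountName. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$SamAccountName = 'adm-example'          # placeholder: account to inspect

$domain          = Get-ADDomain
$builtinAdminSid = "$($domain.DomainSID.Value)-500"   # RID 500 = built-in Administrator

$user = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut, AdminCount

# Nested membership: the matching-rule OID makes the DC walk group-of-group links server-side.
# (A DN containing ( ) * or \ would need LDAP escaping before being placed in the filter.)
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    Select-Object -ExpandProperty Name | Sort-Object

[pscustomobject]@{
    Account          = $user.SamAccountName
    SID              = $user.SID.Value
    IsBuiltinRID500  = ($user.SID.Value -eq $builtinAdminSid)
    Enabled          = $user.Enabled
    LockedOut        = $user.LockedOut
    AdminCount       = $user.AdminCount          # 1 = protected by AdminSDHolder
    DomainAdmins     = ($nested -contains 'Domain Admins')
    EnterpriseAdmins = ($nested -contains 'Enterprise Admins')
    NestedGroups     = ($nested -join ', ')
} | Format-List
```

Group membership in the directory is not the same as the token a session actually runs with. On a member server with UAC enabled, an interactive logon by any administrator other than the built-in RID-500 account gets a filtered token until the process is elevated, because Admin Approval Mode is off by default only for the built-in account; `whoami /groups` in that session shows the admin groups marked "Group used for deny only". Checking that from an elevated versus non-elevated prompt is the first thing to compare when the built-in account succeeds and an equivalent domain admin account is denied.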
I've used the Domains Administrator and added 45 domains. Where is that information recorded ?
Thanks,
Bob Larsen
They should be in defaultdomains.xml which will be in your system types directory (if you defined one), otherwise it is in the folder where you installed Data Modeler.
-
Built-in domain Administrator account not given full access to new Exchange 2013 server
I migrated from Exchange 2010 to 2013 over the weekend. I cannot log into the EAC with my domain administrator account I use to log into all my other servers. I also cannot run the clean-mailboxdatabase cmdlet logged in as this user. I
had no trouble moving mailboxes from the old server to the new server with this account though.
This account is a member of: Domain Admins, Enterprise Admins, Exchange Full Admin, Exchange Organization Admin, Organization Management, Schema Admins, Server Management.
I can log into the EAC with another admin account that has the same memberships as the Administrator account.
I tried giving the account the role of "Databases" as suggested by others to fix the clean-mailboxdatabase issue but that did not work for me either.
The Administrator mailbox has been moved to the new database on the Exchange 2013 server. The Exchange 2010 server has been decommissioned and is turned off.
Hi,
Based on my research, to retrieve the mailbox statistics for the disconnected mailboxes in all mailbox databases in the organization, we can try the following command:
Get-MailboxDatabase | Get-MailboxStatistics -Filter 'DisconnectDate -ne $null'
http://technet.microsoft.com/en-us/library/bb124612(v=exchg.150).aspx
Additionally, the Identity parameter specifies the disconnected mailbox in the Exchange database and it can be the display name instead of the mailbox GUID.
http://technet.microsoft.com/en-us/library/jj863439(v=exchg.150).aspx
Hope it can help you.
Thanks,
Angela Shi
TechNet Community Support -
Domain Administration Server HA
Greetings,
I'm in the process of setting up an Appserver cluster, with four nodes.
Originally I planned to install domain administration server on one machine, then install nodeagents on all four machines.
I was going to create a cluster and add the node agents.
However, what I have run into is: if I lose the machine that is the domain administration server, what will I do?
Can I install domain administration servers on multiple machines and manage the same cluster configuration? Do I just need to mirror the "domains" directory to another server, and if that machine fails I can start that domain on another machine?
I guess my questions would be what the best practices are for deploying an application server cluster and how to maintain high availability on the administration servers.
I'm using Version 8 Enterprise Edition btw.
Thanks in advance!
Jeremy
3nt3r 7h3 r341m http://www.society86.com
What the blog?! http://trellipses.blogspot.com
I am in the same place as Jeremy and would like an answer to his question.
Also regarding recreating the DAS:
Let's say you set up a cluster with 2 server instances across 2 machines with the Admin (DAS) server on the first nodeagent/server instance machine. Can you use the second nodeagent/server instance machine as the backup machine to recreate the DAS? If so, any special instructions? I certainly do not want to have to involve a 3rd machine. -
WRV210 web administration problem
I have a Wireless G VPN Router with Range Booster. It was configured for a classroom by someone who left the company, and now I have to recover administration without resetting the configuration or flashing the firmware. This is because I need to configure 200 more devices with the same problem.
All i want is to see the web page of this device properly.
Believe me, I have tried every option: Internet Explorer 7 on Windows 7, Internet Explorer from Windows XP, Firefox 6, Google Chrome.
All with the last version of the Java Runtime Environment; the resulting page is always the same.
I tried accessing with the CD, and magically the web page worked fine once more, and then back to the broken page.
At least I got to recover the web access once.
2011/8/28 gstefanick: Cisco Support Community, Re: WRV210 web administration problem, created by George Stefanick in Getting Started with Wireless -
Need to provide local administrator access without domain administrator rights
Hi All,
I need to provide local admin access to one account in windows environment without providing domain administrator rights.
Windows 2008 DC. Desktops : windows 7
So that we can use this account to install agents like SCCM\SCOM in all servers & desktops.
Need suggestions.
Hi,
I agree with Senne; in addition, we can also use the net command to perform local group management.
More information for you:
Add a member to a local group
http://technet.microsoft.com/en-us/library/cc772524.aspx
How to Make a Domain User the Local Administrator for all PCs
http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-a-domain-user-the-local-administrator-for-all-pcs.aspx
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
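An added example (my code, not Amy's or the linked articles') of the net command approach the reply mentions, applied across a list of machines with PowerShell remoting: it adds one dedicated domain account to each machine's local Administrators group only if it is not already a member, and reports membership afterwards. The account and computer names are placeholders; it assumes WinRM is enabled and that the caller is already an administrator on the targets. Restricted Groups or Group Policy Preferences, as in the second link, is what keeps this state enforced over time; the script is the one-off form, and the point of the thread stands: the deployment account gets local Administrators on the managed machines, not Domain Admins.

```powershell
# Added example, not from the thread. Placeholders: $Account, $Computers.
# Adds a dedicated domain account (not a Domain Admin) to local Administrators on each machine.
$Account   = 'CONTOSO\svc-agentdeploy'        # placeholder: dedicated deployment account
$Computers = @('PC001', 'PC002', 'SRV01')     # placeholder: targets (need WinRM + admin rights)

$report = Invoke-Command -ComputerName $Computers -ArgumentList $Account -ErrorAction Continue -ScriptBlock {
    param([string]$Account)

    # 'net localgroup Administrators' prints one member per line between the header,
    # the dashed rule and the closing "The command completed successfully." line.
    function Get-LocalAdmins {
        (net localgroup Administrators) |
            Where-Object { $_ -and $_ -notmatch '^(-+|Alias name|Comment|Members|The command completed)' }
    }

    $before    = Get-LocalAdmins
    $wasMember = ($before -contains $Account)     # -contains on strings is case-insensitive
    if (-not $wasMember) {
        $null = net localgroup Administrators $Account /add 2>&1
    }
    $after = Get-LocalAdmins

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        WasMember   = $wasMember
        IsMemberNow = ($after -contains $Account)
        AdminCount  = $after.Count               # watch this number: local admin groups only grow
    }
}

$report | Sort-Object Computer | Format-Table Computer, WasMember, IsMemberNow, AdminCount -AutoSize
```

The AdminCount column is deliberate: running the same report periodically without the add step is a cheap way to notice machines where the local Administrators group has gained members nobody intended.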
This is a new domain-joined Server 2012 member server with no data. Domain Administrator account is in the Organization Management group. Domain functional level is Server 2012.
Setup /m:RecoverServer fails because "...server roles are already installed..."
Uninstall fails because the "mailbox database contains one or more mailboxes..." which I can't delete.
Hi,
I recommend you refer to the following article to troubleshoot the issue:
https://social.technet.microsoft.com/wiki/contents/articles/14874.error-the-user-domain-localusersadministrator-isnt-assigned-to-any-management-roles-on-exchange-2010-management-console.aspx
We may try to propagate the RBAC permissions for the user again. The procedure is as below:
1. Open Windows PowerShell as "Run As Administrator"
2. Load the setup snap-in with the command: Add-Pssnapin *Setup*
3. Run the commands one after the other to propagate the RBAC to the user who is logged on to the Exchange Server:
a. Install-CannedRbacRoleAssignments -InvocationMode Install
b. Install-CannedRbacRoles
c. Install-CannedRbackRoleAssignmentsRAP
d. Install-CannedAddressLists
Thanks.
Niko Cheng
TechNet Community Support -
Cannot connect Workgroup Manager using a domain administrator account
Hello,
I'm trying to determine if this is normal behavior or something is not working right:
When using Workgroup Manager (remotely or locally on the server) it will only let me connect with the local (Netinfo) administrator account that was created upon install of the server. It will NOT let me log in with the diradmin account that was created when promoting the server to an OD master (or any other accounts I created (under the LDAP directory) and checked User can "administer the server" and "administer this directory domain").
Once connected to WGM with the local admin account I then can (and still need to) authenticate to the directory database using the diradmin account (which works). Is this normal behavior?
From reading Apple's User Management documentation it seems to indicate that once a domain administrator account is set up you can use that account to log into WGM.
Thanks in advance.
- Brian
Mac OS X (10.4.6)
OK, it looks as though I've figured this out. Using the Directory Access utility on the server itself, I needed to add the "LDAPv3/127.0.0.1" directory domain to the list of domains to search for authentication.
-
Notification for domain administrator
Hi pls help me.How can a domain administrator get notification through email or any others option when domain users install software in their own PC and they are all local administrator on their own PC.
This topic first appeared in the Spiceworks Community