Member of Administrators group id's issue

Similar Messages

• Cannot use Set-Acl properly despite being file owner and being a member of Administrators Group.

  Hi,
  sorry if this question is already answered but i didn´t find a solution to this ...
  Situation:
  - Running powershell with administrator privileges.
  - I am the owner of file to be modified.
  - Full Control privileges holded by TrustedInstaller.
  - Administrators have no modify privilege to change the file.
  - i can modify acl of that file by GUI
  - I cannot modify acl using Set-Acl snapin.
  This is the executed command:
  Get-Acl C:\inetpub\custerr\en-US\401.htm  |Set-Acl C:\inetpub\custerr\en-US\500-100.asp
  and this the result:
  Set-Acl : Attempted to perform an unauthorized operation.
  At line:1 char:44
  + Get-Acl C:\inetpub\custerr\en-US\401.htm  |Set-Acl C:\inetpub\custerr\en-US\500- ...
  +                                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : PermissionDenied: (C:\inetpub\custerr\en-US\500-100.asp:String) [Set-Acl], UnauthorizedAccessException
      + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
  I dont want to use external modules. This will be a part of a script to fully automate iis installation on windows 2012 and 2008..
  Thanks in advance guys.

  I get the same thing.  I found this post that should help you:
  http://social.technet.microsoft.com/Forums/scriptcenter/en-US/87679d43-04d5-4894-b35b-f37a6f5558cb/solved-how-to-take-ownership-and-change-permissions-for-blocked-files-and-folders-in-powershell
  Scroll down to one of the last posts, a long one by barnabya, I tested it and it works.  Note that you do not have to execute the bits at the very end to take ownership of the file if the account you're using is already the owner, but you DO need to
  run all three bits to establish SeBackupPrivilege, SeRestorePrivilege, and SeTakeOwnershipPrivilege before running the get-acl | set-acl command.
  I hope this post has helped!

• User is not a member of the Administrators group but they Can Access anything the Administrators group is assigned to!!

  Ouch!
  Did a Server migration from Server 2003 to Server 2012 R2. Virtualized the Domain controller and a File Server.
  Used Robocopy, icacls and takeown to get the permisions and access to work correctly.
  One user we will call here Mary is a member of three groups: HR, HRA and Boardroom but when I give a test file Administrators only access she can breeze right in!
  I do not know if this was how it worked before the migration but how do I stop it.
  Effective permissions appear correct but she just tra-la-la's right on in!
  Any ideas?
  Liam

  Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
  Since the same result happens on multiple computers, it is not the profile.
  I am recommending you delete the AD account (or rename to backup the account).
  It will not effect the users Exchange account, but you will need to link it back to the new AD user account. 
  You can also delete her profile just to remove it, for the "just in case" scenario.
  Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

• Group policy - restricted groups. How to specify a -local- user as member of the administrators group in group policy

  Hi
  With restricted groups I can specify the end user -domain- accounts that are members of the local administrators group on domain PCs. But - I need a particular LOCAL account on all the machines to keep its membership of the local administrators group for testing reasons. At the moment restricted groups is striping this local account of its admin access.
  Is it possible to specify a -local- computer account as admin on all the PCs via group policy or it can only be done with domain accounts?
  thanks

  You are asking for local accounts to be managed via "Restricted Groups".
  Yes, it is possible.
  Rajesh showed you one way with domain groups. In his version "Administrators" group will only contain those accounts
  that are specified in the GPO, no manually added accounts. This is not always desired.
  If you wish to have an account (group or user, local or domain) to be added to "Administrators" group while keeping all the other
  members, proceed like this:
  - create the local account on the client(s)
  - in the GPO select "Add Group" in "Restricted Groups".
  - type in the name of the local account, e.g. "TestID"
  - in the appearing dialogue choose "This group is a member of" => Add
  - type in "Administrators"
  Link the GPO and that's all.
  The original MS description for "Restricted Groups".is here:
  http://support.microsoft.com/kb/279301/en-us
  Another nice one here:
  http://www.frickelsoft.net/blog/?p=13
  Besides that, a great solution to manage local accouts is GP Preference Extension "Local Users and Groups".
  You can simply create a "Local Users and Groups" Item (computer or user based) and specify the needed options.
  http://technet.microsoft.com/en-us/library/cc731972.aspx
  Of course you need some prerequisites (at least one Vista or Winows 2008 for management and the GPP CSE on each target machine).
  If you are new to GPP, these links will help you to get into it:
  http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=42E30E3F-6F01-4610-9D6E-F6E0FB7A0790&displaylang=en
  http://support.microsoft.com/kb/943729/en-us
  http://technet.microsoft.com/en-us/library/cc732027.aspx
  http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx
  Patrick

• Not a member of the Administrators group

  My wife wants to use my iMac to do office work for her employer at home. 
  To do this, she has to install some employer software on my iMac.  But when she tries to install her employers Mac software, she get the message "Hardware installation cannot start with this user account.  Make sure that the user is a member of the Administrators group on the computer."
  To make her a User/Admistrator, do I do the following:
  1)  Go into System Preferences and clicked on Users & Groups. 
  2)  With the Current User as Admin checked, clicked on the padlock to unlock it and type in my password.
  3)  With the padlock unlocked, under Login Options, do I click on the + to establish a new user account for her?
  4)  Then, highlight the new account and click on the box "Allow user to administer this computer" and relock the padlock?
  5)  When the computer reboots, will it reboot with her as Administrator so she can load her employers software?
  Once I have done this, in the future when she wants to use her new account, does she go into System Preferences - Users & Groups, unlock the padlock, click on her account to highlight it, relock the padlock and reboot the computer.
  Thanks,
  jzach52

  Yes to 1 thru 5
  To access the account it is faster just to logout and login rather than rebooting.

• Can't get Administrator Privileges/Rights for Local Account in Administrators Group

  I'm using a Custom Command Shell, and for now just booting to cmd.exe. I've done the following:
  1) Added a LocalAccount under UserAccounts/LocalAccounts (pass 7) with Name, DisplayName, Password, Group
  2) Entered "Administrators" as the LocalAccount/Group (yes, it's definitely spelled correctly.)
  3) Set AutoLogon/Username to the Username created in Step 1, Enabled, LogonCount 9999, Password as per Step 1
  4) Added the "Application Security" package and set EnableLUA=False.
  The system boots after install, and it successfully logs in automatically to the command prompt. However, the user DOES NOT have Administrator privileges. For example, when trying to run Regsvr32 from the command prompt, I receive the following error message: 
  "dllregisterserver failed with error code 0x8002801c," which indicates some sort of privilege/rights issue.
  At the command prompt, when I type Net User LocalUserWhoShouldBeAdmin, I get the following:
      Local Group Memberships
      Global Group Memberships   *None
  Whereas when I type Net User Administrator, I get:
      Local Group Memberships    *Administrators
      Global Group Memberships   *None
  What must I do to successfully give the local user Administrator rights?

  Jamster,
  I figured out the solution, but I'm not sure your problem is the same...
  In my case, the problem was that the LocalAccount/Name was the same as the ComputerName. As a last resort, all I did was change the LocalAccount/Name to something other than the ComputerName, and voila, after re-installing the image the local account was
  suddenly a member of Administrators. Crazy... you'd think they'd be able to tell the difference between the ComputerName and a local account name! In case anyone's wondering, it has nothing to do with the length of the local account Name (I tested that.)

• Nested User Groups (Groups In Groups) to add in Local Built-in Administrators group of a workstation

  Hi,
  I'm a little bit confused with the way Microsoft design the nested groups.
  Scenario:
  We implement Restricted groups group policy to control the members of built-in Administrators group of every workstation in our office. The design was, to make managers domain user account to be member of built-in Administrators group of their subordinates
  workstations if ever they need administrative rights. So, result was there were many group policies created because we have some 30 departments. We come up to the solution that we create a domain global security group and add all the managers account as members
  and corporate help desk group, create a one single policy and join the created global security group, corporate help desk group and domain admins group to the built-in Administrators group of every workstation.
  Problem:
  We test the policy before we implement it, and a member of our created global security group successfully done an administrative action. But when we implement it, some manager user account doesn't recognize as administrator to the workstation. We did a little
  bit of research and supports the idea that nested groups was not good in the implementation of Nested groups.
  http://bittangents.com/2010/07/13/nested-user-groups-groups-in-groups-built-in-local-groups-issue/
  Question:
  Why is there a different effect of the policy? In our testing environment, it was successful, even a member of a nested group successfully done an administrative action, but some members of the global group declared as local Administrator group of the workstation
  was not?
  Appreciate any feedback.
  thanks.

  > when we implement it, some manager user account doesn't recognize as
  > administrator to the workstation.
  How many group memberships does this account have?
  run "dsquery user -samid <userid> | dsget user -memberof -expand" to
  enumerate.
  If the number is above 80 or 100, you might experience token bloat:
  http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• Add Windows 7 local administrators group to another local group

  So I have the local group MyLocalGroup and I need to add the local Administrators group as member of MyLocalGroup
  I'm working with Windows 7 Professional with Windows Management 4
  I have tried:
  [ADSI]$LocalAdmonistratorGroup="WinNT://$Env:COMPUTERNAME/Administrators,Group"
  [ADSI]$MyUsersGroup="WinNT://$Env:COMPUTERNAME/MYLOCALGROUP,Group"
  $MyUsersGroup.Add($LocalAdmonistratorGroup.Path)
  Exception calling "Add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist."
  BUT:
  $LocalAdmonistratorGroup.Add($MyUsersGroup.Path)
  It's work! And MyLocalGroup is member of administrator.
  I have made some test and:
  1. A user can be added to any local group (ok)
  2. A local group can be member of any local group (ok)
  3. A group or a user can be added to local Administrators group
  4. If I try to add local administrators group as member of any other local group I receive the error!
  How I can add the Local Administrators group as member of another local group using PowerShell (with interface work)?
  Thanks,
  Lorenzo Soncini
  LSo Lorenzo Soncini Trento TN - Italy

  Hi Lorenzo,
  Nesting local groups (add a local group to the group membership of another local group on the same client )is not recommended.
  Refer to:
  Nesting of local groups is not supported on workstations or member servers
  If we execute this operation via Computer Management Interface, it will produce error.
  Some group authoring tools can add local Group To local Built-in Groups, however, our suggestion is to never nest local groups even when it is allowed by a group authoring tool like “net local group” because such nesting doesn’t reflect the group expansion
  constraints and the end results would be different from the expected results.”
  Refer to:
  Nested User Groups (Groups in Groups) / Built-in Local Groups Issue
  If there is anything else regarding this issue, please feel free to post back.
  If you have any feedback on our support, please click here.
  Best Regards,
  Anna Wang
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Is there anything the Administrator can do that Administrators Group cannot?

  We have a situation where we are implementing SSO and will no longer be able to log in as a Plumtree database user. (A valid AD account will be required.) Is there anythingthat theAdministrator (User ID = 1) can do that a member of the Administrators Group cannot? I mean anything. I need a definitive answer on this to make a call on if we need to take the time now to find a way to map an AD account to a Plumtree database user so we can log in as the Administrator through SSO. Thanks, Plumtree!
  Sarah

  This is critical for us as well. Currently we are only using the Administrators Group so that auditable AD accounts are recorded as performing administrative actions. We haven't run into any issues but also need a Plumtree absolute committment that we are in the clear only using the Adminstrators Group.

• User with Farm Administrator rights, but NOT in Farm Administrators Group

  I have an account that we recently discovered has Farm Administrator rights and was used to access Central Admin and cause some harm.  When I use the "Check Permissions" on the Central Admin site, it says that account has Full Control via
  the Farm Administrators Group.  However, that account is not in the Farm Adminstrators group.
  There is an entry in the Farm Administrators group for "BUILTIN\Administrators" and this account is in the Local Admin group on this server.  However, there are other accounts in the Local Admin group too, and when I "Check Permissions"
  for them, it returns 'None'. 
  I am confused as to how this one account has Farm Administration level access, while others in Local Admin do not, and how can I remove this accounts Farm Administration rights if it is NOT in the Farm Adminstrators Group?
  What are the potential problems/issues if I remove the "BUILTIN\Administrators" entry from the Farm Adminstrators Group?
  Thanks in advance for any feedback/help.

  If you have BUILTIN\Administrators as part of the Farm Admins, any user that is a Local Administrator will have Farm Admin rights. SharePoint doesn't enumerate groups when checking permissions, so the behavior you're seeing is correct. If you do not want
  Local Admins to have Farm Admin rights, remove BUILTIN\Administrators from the Farm Admins group in SharePoint.
  There should not be any issue with removing the group from Farm Admins, only that users will need both rights to fully manage SharePoint.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• WSUS Administrators group and CleanUp error

  Hi,
  I try to do automatic cleanup of WSUS parent and downstream servers.
  My script run fine with my account (domain admin) but I want to run the script with low rights.
  So, I created a local account on each server, member of WSUS Administrators local group.
  This works fine for Windows 2008 (R2) downstream servers but for 2012 Servers, i get an error: acces denied when performing cleanup.
  After reviewing WSUS logs, it seems that it's impossible to stop WSUS Service with this account accros WSUS Remoting API.
  Why WSUS administrators group isn't sufficient for 2012 R2 servers ?
  Thanks.

  Hi Steven,
  My script is freely inspired by
  this script
  http://community.spiceworks.com/scripts/show/336-wsus-automatic-cleanup-script
  I will publish it as soon as my account is validated (cannot copy code block...).
  With the function $cleanupManager.PerformCleanUp([...]), it works on 2008 R2 servers but on 2012 R2 servers, I get this error:
  System.Management.Automation.MethodInvocationException: Exception lors de l'appel de « PerformCleanup » avec « 1 » argument(s) : « Accès refusé » ---> System.ComponentModel.Win32Exception: Accès refusé
     à Microsoft.UpdateServices.Internal.BaseApi.SoapExceptionProcessor.DeserializeAndThrow(SoapException soapException)
     à Microsoft.UpdateServices.Internal.DatabaseAccess.AdminDataAccessProxy.StopWSUSService()
     à Microsoft.UpdateServices.Administration.CleanupManager.PerformCleanup(CleanupScope cleanupScope)
     à CallSite.Target(Closure , CallSite , Object , Object )
     --- Fin de la trace de la pile d'exception interne ---
     à System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
     à System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
     à System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
     à System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
  I tried with the PS Module WSUS and function Invoke-WSUSCleanUp, but i get this error for ALL servers:
  System.ComponentModel.Win32Exception (0x80004005): Accès refusé
     à Microsoft.UpdateServices.Internal.BaseApi.SoapExceptionProcessor.DeserializeAndThrow(SoapException soapException)
     à Microsoft.UpdateServices.Internal.DatabaseAccess.AdminDataAccessProxy.StopWSUSService()
     à Microsoft.UpdateServices.Administration.CleanupManager.PerformCleanup(CleanupScope cleanupScope)
     à Microsoft.UpdateServices.Commands.InvokeWsusServerCleanupCommand.ProcessRecord()
  No idea what's the différence between this two functions...
  But as you write above, an account in WSUS administrators group cannot stop service on 2012 server, nor on 2008 server !
  I've searched the WEB but could not find anything speaking on a limitation for cleanup for WSUS administrators group.
  Thank for your help.

• BPM 11g - FYI task to send a copy to each member of a group

  In BPM 11g I am trying to send an FYI task to each member of a group. They should each get their own copy of the task so that it does not get removed from their inbox when the first person dismisses it.
  I was not successful in getting multiple copies of the task using FYI type even when multiple users were defined in the participant list. So, I changed the participant type to parallel. This was successful in sending mulitiple copies when I defined a participant list of hard coded users, but the process stopped and waited until at least one of the users dismissed it (so the FYI only behavior changed, but I can get around that with a parallel process flow).
  Still using parallel participant type, I have been trying to change from my hard coded list of users to a security group of users. If I set assignment to the group, only one task is created for the group. So, I have been trying to assign to users and use the expression ids:getUsersInGroup('LoanAnalyticGroup') to get the users in this group. I have tried several approaches to this expression but can't get it to work.
  Has anyone else successfully implemented sending tasks to all members of a group in 11g? Any advice?

  Hi all,
  We are also facing same issue.
  The function ids:getUsersInGroup doesnt return value.
  Even i imported identityservice.xsd and is_config .xsd and created variable using the *"users"* element of identityservice.xsd schema and assigned the value to this variable.
  But Audit always says
  *"XPath query string returns multiple nodes.*
  *According to BPEL4WS spec 1.1 section 14.3, The assign activity part and query should not return multipe nodes.*
  *Please check the BPEL source at line number "72" and verify the part and xpath query "*
  Help me to resolve this issue.

• Project Online - Schedule PDP disappearing for some Project Owners and Project Server Administrators Group

  Current Project Online environment is currently setup with Project Server Permissions Mode. All projects follow a customized workflow that enables Schedule PDP on Planning Phase/Stage, among other rules. For some users the workflow and
  expected PDPs are working fine, but for other the Schedule PDP just disappears under unknown conditions, even if they are part of the Administrators Group. Has anyone come across these behaviour?
  Saludos!

  As you said they belongs to Admin group it means they have required permission still double check the permission assigned to the users.
  Also ask those users to try to log in form different system then check is issue is occurring. 
  If this issue is occurring for few users then this may be because of Browser. check the following :
  1. Open IE then internet options --> Security --> Trusted Site and add your PWA site. then check
  2. If still issue is occurring then click on F12 button then select browser mode as IE 9 then check.
  kirtesh

• Portal Error (A critical error...) after removing "Administrators" group

  Hello experts,
  I'm very new on the Portal topic and faced with an error on our portal environment (SAP ECC 6.0 and SAP Netweaver 7.01)
  I've created a custom role with some worksets, folders and SAP standard delivered iView inside.
  My portal dummy user is owner of this role. Furthermore he's assigned to the groups: "Everyone", "Administrators" and "Authenticated Users". The corresponding user in R/3 backend has SAP_ALL.
  When I log-on to portal it's working fine, iViews, etc. are properly loaded. But thanks to the "Administrators" group, the user can access the tabs "Content Administration", "System Administration" and "User Administration" which should be obviously not the case. When I remove the group "Administrators" from the portal user, the 3 tabs are not displayed anymore. Therefore the iView from my custom role are not loaded any more. I get an error message in main screen saying "Critical Error. A critical error has occured. Processing of the service was terminated. Unsaved data has been lost. Contact your system administrator".
  A colleague told me that it might be an issue on portal permission. I went via tab "System Administation" > "Permission" into the PCD and gave to my roles, folders and an example iView the following permissions:
  - Name: Everyone; Administrator: Full Control; End User: checked
  - Name: Authenticated Users; Administrator: Full Control; End User: checked
  As I've used Delta Links I gave these permission to the SAP delivered iViews, too. Unfortunately the error stays the same.
  Please advice what's missing.
  Thank you so much, Jessica

  Hi,
  Thanks for your reply.
  I started the NWA and went to Analysis > Debug > Logs and Traces.
  There is a fatal error stated but the explanation is not very detailed:
  Severity: fatal; Message: n/a; Category: /Applications/Xss; Location: com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent; Application: sap.com/tcwddispwda; Host: pesap57; Node: Server 0 26_91224
  The message is displayed twice (again: Severity: fatal; Message: n/a; Category: /Applications/Xss; Location: com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent; Application: sap.com/tcwddispwda; Host: pesap57; Node: Server 0 26_91224)
  These errors are not in the log when I add the Administrators Group.
  Thanks for your advice, Jessica

• Windows Administrators group privilege and behavior.

  Hi,
  I am trying to run the command remotely, net user username /domain , but it fails saying "System error 5". This behavior is seen as a domain user which is part of Administrators group, but not from any local administrators member.
  I need help on the following.
  1. I have seen that the Administrators group in Windows is very flexible. Any documentation links or samples how the privileges can be modified?
  2. How i resolve the "System error 5" when the net command is run remotely as a domain user part of Administrators.
  Thanks

  Hi,
  Here is a list about possible reason of this problem:
  There is a time synchronization problem.
  Permissions to access the remote computer (Share, NTFS, GPO) are missing.
  A firewall or third-party product may eliminate the connection to the remote computer.
  The computer account is disabled, has an expired password, or doesn’t exist in the domain.
  There is an Active Directory replication problem.
  Please access to the link below for more details and take its solution for reference:
  https://support.microsoft.com/en-us/kb/555644
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]