Non domain admins can't authenticate

I'm setting up a new ACS 5.6.  It has an external identity store connected to our AD.  The RADIUS client is an ASA5510 with 9.1(5)21.  My issue is I can only authenticate accounts in the Domain Admins group.  Accounts not in the Domain Admins group fail authentication.  The message I see in the ACS log has Failure Reason "15039 Selected Authorization Profile is DenyAccess".  Access Service is "Default Network Access", Authorization Profiles is "DenyAccess".
The account I'm testing with is in the "ACS Remote VPN Devices" group.  I added this group in Users and Identity Stores > External Identity Stores > Active Directory > Directory Group tab by using select and adding the group.  I did not type in the group name.  I created an access Policy and added the ACS Remote VPN Devices group to this policy.  The Domain Admins group is also on this policy.
The test I am using to generate successful or failed logins is on the ASA.  I use the command "test aaa authentication RADIUS user ??? password ????".
With an account in the Domain Admins group the test is successful.  With an account not in the Domain Admins group the test fails.
Thanks for any help.
Bill

hmmm.  If your computer is on a domain, and you plug it into someone else's network running workgroup, you should be OK, if the workgroup is on single segment.  Your computer will resort to Netbios name resolution if host name resolution fails.
You can remove the primary dns suffix from your computer, but if the DHCP server that negotiates the lease on the network you are on supplies option 015, it will add the domain suffix to that NIC.
Since I do not know the exact situation you are facing, you can try this...
Open the Control Panel --> System --> Advanced settings --> Computer Name tab --> Change button --> More button --> uncheck "Change primary DNS suffix..." and also clear the text box that contains the primary DNS suffix.
Overview regarding name resolution for Windows:
Microsoft Windows TCP/IP NetBIOS and Host Name Resolution
http://www.anitkb.com/2010/08/microsoft-windows-tcpip-netbios-and.html
Visit: anITKB.com, an IT Knowledge Base.

Similar Messages

  • Premiere and Photoshop CC Crashes at launch on a Domain Non-Domain Admin Computer

    On Windows 7 Domain computer lab as a non domain admin but local admin, program launches and then closes with the error codes below. As domain admin account, it works fine. This is a K12 education institution, so giving students domain admin status is unacceptable. Please advise, any help is greatly appreciated.
    FYI, things I have tried:
    Integrated graphics cards, I have uninstalled and re-installed drivers. No luck. I have also made the pslog.txt file and given appropriate permissions to all users.
    Error Codes:
    Windows Error Code - Application error
    Faulting application name: Adobe Premiere Pro.exe, version: 8.0.1.21, time stamp: 0x53c7b17f
    Faulting module name: dvaui.dll, version: 8.0.1.21, time stamp: 0x53c76970
    Exception code: 0xc0000005
    Fault offset: 0x00000000002f4e39
    Faulting process id: 0xf28
    Faulting application start time: 0x01d01a2c32635355
    Faulting application path: C:\Program Files\Adobe\Adobe Premiere Pro CC 2014\Adobe Premiere Pro.exe
    Faulting module path: C:\Program Files\Adobe\Adobe Premiere Pro CC 2014\dvaui.dll
    Report Id: 924f6336-861f-11e4-821e-0024811149b1
    Fault bucket 45383478, type 20
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0
    Windows Information - Windows Error
    Problem signature:
    P1: Adobe Premiere Pro.exe
    P2: 8.0.1.21
    P3: 53c7b17f
    P4: dvaui.dll
    P5: 8.0.1.21
    P6: 53c76970
    P7: c0000005
    P8: 00000000002f4e39
    P9:
    P10:
    Attached files:
    C:\Users\esdstudent\AppData\Local\Temp\WER9443.tmp.WERInternalMetadata.xml
    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Adobe Premiere P_ad637fa2c8bd70d3e74771b4be53569c25a980_00c3bab6
    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 924f6336-861f-11e4-821e-0024811149b1
    Report Status: 0

    I think you have answered your own question... you must have BOTH types of user accounts set to Administrator
    This is an open forum with a mix of program users and Adobe staff, not Adobe support... you need Adobe support
    Adobe contact information - http://helpx.adobe.com/contact.html may help
    -Select your product and what you need help with
    -Click on the blue box "Still need help? Contact us"

  • Windows 7 on domain, only domain admins can install/uninstall and update

    We are rolling out some Windows 7 PCs at work and are noticing some problems with Adobe Reader and Adobe Acrobat 8 on these new machines.  If a normal user is logged in to a Win 7 computer he/she cannot install, uninstall or update either Adobe Reader X or Acrobat 8; they are met with the following error:
    Error 1324: The path to My Documents or the volume is invalid. Please enter it again
    This pops up immediately when they choose to install.  All of our domain users are set up as local admins on their machines (Domain Users has been added to the local Administrators group).  The only way anyone can install or update without the errors is if we add them to the Domain Admins group, which for obvious reasons we can't do.
    Any ideas?  I can't seem to find a solution for this searching online.
    Thanks

    SAME PROBLEM I HAVE.

  • Non-domain computer cannot connect to server

    I have a unique issue. 
    I have a Windows 2008 server running Exchange 2010 (all roles on single server )
    I have a Windows 7 Pro client that is not a member of the domain.
    When setting up Outlook 2010 I enter user's name, email address and password.  The system starts configuring, it successfully searches for [email protected] settings.  It then prompts for credentials.  I cannot get it to take them.
    However, if I use the domain admin account I can successfully set up the domain admin email in Outlook.  I just cannot do it with a standard user.
    Also, I noticed that this non-domain computer can access domain member server if I provide credentials (domain\username). This does not work with this or any of my other Windows 2008 servers.
    I have been fighting this with no relief in sight...
    Thanks
    Wayne 

    Let me be clear about my symptoms.
    Exchange with domain joined computers autodiscover/Outlook works fine....
    DC's and exchange server all have same time/date otherwise nobody would be able to authenticate.
    The problem only exists with non-domain computers (both within the network and outside of the network)
    The autodiscover tests fine with exchange connectivity tester.  I cannot test outlook as I have a certificate from an untrusted root that is installed manually on the non-domain computers.
    The non-domain computers can connect to windows 2003 member server (with appropriate domain credentials) but not to this 2008 (or the other 2 2008 member servers)
    Update-  If I configure the domain administrator account on that same non-domain connected machine, it retrieves the domain admin email just fine.....

  • Disjoin computer from domain without being domain admin

    Windows Server 2008 R2 AD
    I have created a group to enable non-domain admin user/s to join computers to the domain. We're trying to have the same set of users join computers to the domain but we are unable to unless a domain admin deletes the old computer name from the domain.
    Is what we're trying to achieve possible? To allow non-domain admin users to disjoin computers from the domain?

    Any local administrator can remove the computer from the domain, but if the user has no appropriate permissions on AD, it will leave the computer object orphaned in AD.
    If you need a user to be able to remove a computer object from AD you can delegate permissions for that. By default the Account Operators Group has the appropriate permissions.
    note that both permissions to create, change or delete (computer) objects in AD should not be granted lightly.
    http://support.microsoft.com/kb/818
    MCP/MCSA/MCTS/MCITP

  • File sharing permissions for AD Domain Admins?

    I've bound Mavericks to a Windows network with Active Directory, turned on File Sharing under System Preferences > Sharing, and added the Domain Admins group; how can I configure permissions so that the Domain Admins can read and write to and from all files and folders on the MAC HD without affecting other users' permissions?
    If I "apply to enclosed items..." the Domain Admins' Read & Write permissions from the root volume then Everyone (gets unintentionally propagated) can access all files!
    Ideally, the Domain Admins need the same permissions as the root administrator even after a new user has logged onto the MAC and had their Home Folders created in the future; in other words I need them to be able to access files and folders for all accounts past, present and future, but all other users' access must stay the same. Does that make sense?
    Is this even possible with AD binding? Would having a MAC OSX Server/Open Directory facilitate this better?
    Any help would be much appreciated!

    I tried adding the Domain Admins to the wheel group, but that never helped either. Also the "apply to enclosed items" only seems to work for the entire share (left side)--not individual users or groups (right side).

  • Domain user network share browsing slow, but domain admin is fast

    I've seen quite a few threads about slow network share browsing in Windows 7, and I've tried every fix to no avail.  I did notice something that has not been mentioned in any threads that I've seen though, and that's the behavior is different when using a user account with administrative privileges.
    Environment: SBS2011, domain, 14 Windows 7 PCs that all exhibit the same behavior
    As an account in the domain users group, browse to a network share with approx. 400 items to display, and it takes 4-5 seconds for explorer to show them.  Same delay exists when creating new folders in this folder.  Displaying this folder in any way reproduces this delay, whether navigating up or down the file system, or by going straight to the share's UNC path.
    Folders with fewer items have less of a delay; the effect seems proportional.
    As an account in the domain admins group, navigation is lickety split.  Tested with two different administrative accounts.  Tested on multiple PCs.  Also took a user account that exhibited the issue, added them as a member of domain admins, and this resolved the issue for that user account.
    Any ideas?

    Did you ever find a solution to this issue?  
    We are running into a similar issue.  We have a few specific Domain Users who are reporting difficulty navigating or searching network shares.  Searching a small folder of files is taking 30+ seconds.  All of our domain admins can search the same folder instantly.  If we add this Domain User into Domain Admins his searching is instant; when we demote him back down to Domain User it's slow again.  The Domain User is having the same issue no matter what computer he uses.  Us Domain Admins can log into the same computer and it comes up with search results instantly; log out and log back in as the Domain User and suddenly it's slow again.
    Any help would be appreciated.

  • Domain Admins have Send As feature by Default?

    We have discovered that all our Domain Admins can utilise the "send as" feature and send on behalf of any other user, by default. How do we go about resolving this, so that this is not the case anymore?

    Clarify: “Domain Admin” has “Send As” right to all mailboxes
    Collect unmentioned info:
    Version: windows server, exchange [03/07]?
    Notes: domain admin has “send as” right by default in ex07, but based on your description, it seems to be ex2k3, right?
    Troubleshooting:
    1.     Add a registry value under HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
    Type: REG_DWORD
    Name: ShowSecurityPage
    Data: 1
    2.     Check the permission in ESM
    a.     Right-click your org icon on the top level of ESM
    b.    Go to “Security” tab
    c.     Check permission on “Domain Admin” is ok.
    d.    Also check your “Server” and “Mailbox” objects, make sure the “Allow the inheritable permissions to propagate..” has been checked
    3.     Run Domainprep to make sure that everything is ok at the permission
    PS: Wait until all the permissions propagate to child objects

  • Powershell script to get the domain admin list from non domian member server

    hello Script guys!
    I am new of the powershell scripting.
    Currently I am working on an automation project; we would like to generate a privilege report for our existing servers.
    In our environment there are many separate domains. We would like to generate the report from one server instead of logging in to each server to check. Could you provide some guidance on how we can get the specific domain admin list for each domain from a non-domain-member server by using a PowerShell script? Many thanks for your help.

    You could remote to the domain controller or use ADSI to query the domain.
    Look in the Gallery as there are many scripts there that will return group membership using ADSI.
    ¯\_(ツ)_/¯
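    As an added example of the ADSI approach the reply above points at (this is not the answerer's script and not one of the Gallery scripts), the PowerShell below builds the "Domain Admins" report for several domains from a server that is not joined to any of them. It uses System.DirectoryServices with explicit credentials, which is what removes the need for domain membership. It goes a little beyond the question: it finds the group by its well-known RID (512) rather than its name, expands nested group membership server-side, and flags disabled accounts. The domain controller names, the report account and the output path are placeholders you would replace with your own.

```powershell
# Added example, not from the thread. Reports Domain Admins membership for one or more
# domains from a server that is NOT joined to them, using ADSI (System.DirectoryServices)
# with explicit credentials. DC names and the account below are placeholders.

param(
    # One reachable DC (or the domain DNS name) per domain to report on. Placeholders.
    [string[]]$Domains = @('dc01.corp-a.example', 'dc01.corp-b.example'),
    # Read-only account for each domain, entered as 'DOMAIN\user'. Placeholder prompt.
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message 'Read-only account for AD queries')
)

function Get-DomainAdminReport {
    param([string]$Server, [System.Management.Automation.PSCredential]$Cred)

    $netCred = $Cred.GetNetworkCredential()
    $user = if ($netCred.Domain) { "$($netCred.Domain)\$($netCred.UserName)" } else { $netCred.UserName }

    # RootDSE gives the domain naming context, so nothing has to be hard-coded per domain.
    $rootDse    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE", $user, $netCred.Password)
    $defaultNc  = $rootDse.Properties['defaultNamingContext'].Value
    $domainRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$defaultNc", $user, $netCred.Password)

    # Locate Domain Admins by its well-known RID (512) instead of its display name, so a
    # renamed or localized group is still found.
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier($domainRoot.Properties['objectSid'].Value, 0)
    $daSid     = "$($domainSid.Value)-512"
    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $groupSearch.Filter = "(&(objectCategory=group)(objectSid=$daSid))"
    $group = $groupSearch.FindOne()
    if (-not $group) { throw "Domain Admins group (RID 512) not found via $Server" }
    $groupDn = $group.Properties['distinguishedname'][0]

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested membership on the
    # DC, so users in groups nested inside Domain Admins show up in the report as well.
    $memberSearch = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $memberSearch.Filter   = "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    $memberSearch.PageSize = 500   # paged results, in case the group is large
    [void]$memberSearch.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'useraccountcontrol', 'pwdlastset'))

    foreach ($r in $memberSearch.FindAll()) {
        $uac = 0
        if ($r.Properties['useraccountcontrol'].Count -gt 0) { $uac = [int]$r.Properties['useraccountcontrol'][0] }
        $pwdSet = $null
        if ($r.Properties['pwdlastset'].Count -gt 0 -and [int64]$r.Properties['pwdlastset'][0] -gt 0) {
            $pwdSet = [DateTime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0])
        }
        [pscustomobject]@{
            Domain          = $defaultNc
            SamAccountName  = $r.Properties['samaccountname'][0]
            Disabled        = [bool]($uac -band 0x2)   # ACCOUNTDISABLE bit of userAccountControl
            PasswordLastSet = $pwdSet                   # $null means never set / must change at logon
        }
    }
}

$report = foreach ($d in $Domains) { Get-DomainAdminReport -Server $d -Cred $Credential }
$report | Sort-Object Domain, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path '.\domain-admins-report.csv' -NoTypeInformation   # placeholder output path
```

    Save it as a .ps1 and run it from the reporting server; the LDAP port (389) to each DC must be reachable and the account only needs ordinary read access to the directory. Note that the group's distinguished name is placed into the filter unescaped, which is fine for the default CN=Domain Admins,CN=Users,... DN; a DN containing parentheses or backslashes would need LDAP filter escaping.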

  • Windows Server 2012 R2 non-default domain admin limitations

    Environment: Windows Server 2012 R2
    Problem: members of Domain Admins group are restricted in ways the default domain admin account is not. This is with or without UAC disabled; there are even more prompts with UAC enabled. Here are two examples:
    - Attempt to copy to Public Desktop. Built-in domain admin or local admin account can do so without restriction; any other member of Domain Admins group is prompted for administrator permission (although clicking Continue proceeds without actually requiring further authentication/permission).
    - Right-click -> Properties of hard drive in Explorer is missing Shadow Copies tab for non-default Domain Admin. Yes, I can simply right-click the drive and go to Configure Shadow Copies, so this one is not so important. But it is an inconsistency that means I have to access things just a bit differently...
    This topic first appeared in the Spiceworks Community

    I have already replied to that here: https://social.technet.microsoft.com/forums/windowsserver/en-US/b57abf72-90e6-44d7-93a5-0e57cb5404c9/nic-teaming-with-ws2012-ad
    I still do not see an MS statement saying that it is supported for DCs.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • Which unity accts can I take off "domain admin" group after install

    Hi
    Unity 5.X in UM mode - Which unity accts can I take off "domain admin" group after install (ie unityinstall, unityadmin, UnityMsgStoreSvc, UnityDirSVC etc..)
    and if I do so, what is the impact or if I want to upgrade in the future?
    Thanks

    UnityInstall should be the most powerful account and is the only account that should be added to the Domain Admins group by the Permissions Wizard.  This is definitely true for Exchange 2000, 2003, and 2007.  I've not dealt with a lot of customers on 2010 yet so this could have changed; however, I doubt it.  You can verify what I'm telling you here:
    http://www.ciscounitytools.com/Applications/Unity/PermissionsWizard/Unity403_411/Help/PWHelpPermissionsSet_ENU.htm
    This link will tell you what permissions and group memberships are set at a high level for all the Unity service accounts.
    To clarify what Jonathan said, by "downgrade" the UnityInstall account - the rule of thumb is this:
    Cisco supports that you DISABLE the UnityInstall account, if desired, after an installation.  This account should only be used during installation activities.  However, DO NOT DELETE the account in AD.  So, again - disabling the account is OK.
    Hailey
    Please rate helpful posts!

  • Domain Admin that can't create another administrator

    Any and all that can provide assistance,
    I am in the military and semi-new to the whole system administration scene. I belong to the administrators group, domain admins, schema admins and enterprise admins. Back in November, I was able to create admin accounts with no issue. Recently, I tried creating another administrator account similar to mine and the account that I created is immediately disabled and the user is removed from all of the aforementioned groups.
    Now back in November all of my servers were Windows Server 2003 and now our Exchange is Windows Server 2008, which has caused us some issues creating users with a mailbox, but I don't think this is causing this particular dilemma. I had two other system administrators try creating the same account and they were met with the same exact issues.
    My thought is that someone had changed something in group policy or the registry that prevents Domain Admins from creating any other sort of administrative account. However, this is highly unauthorized in my organization so I sincerely hope this is not the case. My team and I have combed through group policy and have not been able to find anything that would cause this.
    If anyone has seen this, or if anyone can provide any guidance, I would greatly appreciate it. I am not too sure what additional troubleshooting I can do that I haven't done already.

    It sounds like you have a group policy using restricted groups.
    - Open GPMC.msc
    - Look at the GPOs linked to your "Domain Controllers" OU.
    - One of those policies will likely have the following setting:
         - EDIT each GPO and check for the setting:
         - Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups.
    When you set these groups by policy, you can add a member for about 5-15 minutes until the GPOs refresh on your domain controllers.  If you want to add users to these groups, you must add them with this policy.
    http://technet.microsoft.com/en-us/library/cc785631(v=WS.10).aspx
    - Chris Ream -
    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

  • Why can't I, a Domain Admin, see certain attributes of certain users.

    I'm trying to run a powershell command that lets me figure out the last time users have set their password (on a Server 2008 R2 domain)
    PS C:\Users\me> get-aduser -credential MDX\me -filter * -properties * | sort | Foreach-Object { echo "$($_.Name + "," + $_.passwordlastset)" }
    My User 1,07/01/2013 08:31:17
    My User 2,
    Some users, this works well... I get their passwordlastset data. Other users, the pwdLastSet is not returned to get-aduser and it doesn't format it into the passwordLastSet field. I'm in the domain admin and enterprise admin groups. The other admin here sees the field for the users I can't see but is missing some users. In the AD Users and Groups console the attribute for all the users is properly formatted.
    I think it's permissions related, but I'm not sure why it would block me from seeing that attribute. The one thing I think may be common to all the users I can see is that they were created by me through the GUI. The users that I can't see properly were created using the new-aduser powershell command by a service account that has rights to create users in only one OU.
    Question, any reason that a domain admin shouldn't have access to all the attributes in the directory?

    Thanks Isaac. What am I looking for in particular?
    The user was created in the AD users and computers GUI. I then ran the delegate control wizard to grant the user create user and delete user access to the OU my users sit in.
    The new-aduser command we run looks like this. I build the string below then connect to the domain controller to run it. There are no other commands run after this.
    # Perl: assembles the New-ADUser command line from the %args hash; it is sent to the DC afterwards
    my $cmd = "new-aduser -Name \'$args{firstname} $args{lastname}\' " .
    "-AccountPassword (ConvertTo-SecureString " .
    "-AsPlainText \'$args{password}\' -Force ) -Enabled 1 " .
    "-ChangePasswordAtLogon 1 " .
    "-DisplayName \'$args{firstname} $args{lastname}\' " .
    "-EmailAddress \'$args{email}\' " .
    "-GivenName \'$args{firstname}\' " .
    "-SamAccountName \'$args{login}\' " .
    "-UserPrincipalName \'$args{login}\@$args{domain}\' " .
    "-Surname \'$args{lastname}\' " .
    "-Path \'$args{location}\'";
    Thanks for the help.

  • Domain Admin Account cannot logon to member servers by remote. It can only logon to Domain Controllers

    Our environment has both 2008R2 and 2012R2 Domain Controllers. Recently one of our Domain Admins started having problems logging onto all servers by remote desktop except for domain controllers. The error message is as follows:
    "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually"
    All the other Domain Admin Accounts do not have this problem. Suggested solutions recommend checking local policies on the individual servers; however, I feel that is not right. Also there are many servers, hence doing that in each member server would be cumbersome. There must be a solution that requires a single action for all servers and also does not involve creating a new account. The account was recently used to implement a Windows 2012R2 WSUS server and besides the DCs, it is the only other server the account can remote into. This is strange. Help please.

    Hi,
    Does that user have permission for remoting before?
    To start with, there are two types of user rights: Logon rights & Privileges. In simpler terms these are:
    1) Remote Logon: rights to machine
    2) Logon: privileges for access to the RDP-TCP Listener
    The Remote Logon is governed by the "Allow Logon through Terminal Services" group policy. This is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
    Also check RDP-TCP listener properties. More information.
    “Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.
    http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Domain Admins and RDP Users can not RDP into Computers (Access Denied)

    Dear All,
    I got some users with Domain Admins rights and Remote Desktop Users rights. But they are denied access to Remote Desktop services on other servers. I have confirmed that since setup I have had no Remote Desktop related GPO in the domain. I tried to create one but the issue still persists.
    Regards,
    Zaw Tun Naing
    ZAW

    You need to track down the machines that are denying the authentication and then look through the member server and DC's to find any events within the Security Event log and post those errors.  This should define what specifically is the reason why you are being denied.
    One thought: not sure how the service accounts were initially created, but someone could have gone into the local security policy and DENIED the right to remotely or locally logon.  Basically only allow to run as a service right.
    http://technet.microsoft.com/en-us/library/cc957048.aspx
    http://www.alexheer.co.uk/it-blog/deny-interactive-logon-for-service-accounts
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.
