Puzzled - parent domain user as administrator in child domain cannot add printer

I've got a bare domain at the forest with 3 users and several "child" domains.  I'm trying to set it up so that the user (let's call it EA-Service) in the forest can do administrative work in each of the sub domains without having to log on to the various domains as each domain's domain administrator.  There are a handful of these domains at this time, but as we pick up more accounts (think hosting), we expect the number of domains to reach the hundreds.  I don't want hundreds of domain accounts to track.
I thought adding EA-Service to a forest group called EA-Universal and adding EA-Universal to Builtin\Administrators on each of the domain controllers would give me administrator access on each of the domains.
I spent a frustrating two days trying to add an internet printer's driver using EA-Service on one of the child domains and it kept failing (message wasn't clear).  Today I said, What the Heck, logon with my domain admin account on the child domain and try.  It worked.  I dropped the printer and then logged out and back in with my EA-Service account and I couldn't do it.  Clearly Builtin\Administrator isn't everything on a DC.
What right, privilege, or piece of arcane magic did the domain administrator account have that the EA-Service account did not?  And how can I give that special whatever-it-might-be to my EA-Service account?
How can I determine exactly what rights & privileges a particular userid on a machine has?  I could then compare the two sets of rights and see what was different.
I really need to have a super-duper-administrator account to do various maintenance tasks and I don't want to have to use each domain's Admin account to do it. 
Can y'all help me?
-g

I had an entire post built that took me all day with interruptions and poof, it's gone.  Rats.  Here is my second attempt:
Assign permission on the resource using DL group.
This last one is the one I'm having trouble with.
I have to admit that I'm feeling very stupid about this whole thing.  Everyone seems to understand it completely.  I have read many posts and believe I understand them, but I'm not getting something as I've certainly not got it to work.
I have seen some excellent writeups by Ace, Awinish, Meinolf that have really helped me understand the RBAC/AGUDLP/IGDLA.  This post by Ace Fekay is one such example among others.  I have read about the different group types and scopes.  I have read about rights, privileges and permissions.  I believe I understand them.  I've worked in security since IBM's RACF which is also RBAC.
The problem is just what permissions need to be given to DA-DomainLocal (the group to which EA-Service, the forest user, ultimately belongs) so that its members have the same abilities as DA-Service (a domain administrator account on a child domain)?
Clearly adding to Administrators on the child AD is insufficient as the EA-Service ID was directly added to it and it could not add a printer while DA-Service could.  EA-Service is also a member of the Enterprise Admins group on the parent/forest domain.
What other permissions/rights/privileges does the DA-DomainLocal group (or directly, the EA-Service ID) still lack?  What are the differences between the access tokens/descriptors of EA-Service and DA-Service?  And how do I find out? 
I believe I've seen some tool that showed them, but I can't seem to find it now that I'm looking.
I listed the NTFS permissions (via AccessEnum from SysInternals) for the entire C drive and note that Administrators is on most of them and not once did I see something like Domain Admins appear and I saw nothing to do with printers at all.  The list was very long so I could have missed it if it was there.  I also used the same tool to look at the HKLM hive, but that was too large to browse through.
I have set up the group structure exactly as Awinish suggested and remain stuck at the last piece.  If it was some specific resource I'd have no problem, I could add it, give it permissions/rights/privileges as needful.  The problem remains that I don't know what those permissions/rights/privileges are nor how to discover a definitive list (I've seen some generic lists, but they don't list the exact names of the right/privileges).
I'm sure I'm just being dumb.
How do I go about discovering what permissions/rights/privileges that DA-Service has that EA-Service (via the DA-DomainLocal group) needs?
I thank all of you for helping me.  I appreciate the time you are taking.
-g
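
One way to approach the "how do I find out?" question in the posts above, as an added example that is not part of the original thread: snapshot the groups and privileges in each account's logon token with the built-in `whoami` command, then diff the two snapshots. The function names and file paths are hypothetical; the comparison covers what is in the token (group SIDs, the integrity label, privileges), not ACLs on individual objects such as printers or registry keys.

```powershell
# Added example, not from the thread. Function names and paths are hypothetical.
# whoami describes the token of the process it runs in, so take both snapshots on
# the same machine and from the same kind of prompt (both elevated, or both not).

function Save-TokenSnapshot {
    param([Parameter(Mandatory)][string]$Path)

    # /nh drops the header row (its text is localized); we name the columns ourselves.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $privs  = whoami /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State

    [pscustomobject]@{
        User       = (whoami)
        Computer   = $env:COMPUTERNAME
        Groups     = @($groups | Select-Object Name, Sid, Attributes)
        Privileges = @($privs  | Select-Object Name, State)
    } | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-TokenSnapshot {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,    # account that works
        [Parameter(Mandatory)][string]$DifferencePath    # account that fails
    )
    $ref = Get-Content -Path $ReferencePath  -Raw | ConvertFrom-Json
    $dif = Get-Content -Path $DifferencePath -Raw | ConvertFrom-Json

    # For each list: the property that identifies an entry and the one we compare.
    $sections = @(
        @{ Kind = 'Group';     List = 'Groups';     Key = 'Sid';  Value = 'Attributes' },
        @{ Kind = 'Privilege'; List = 'Privileges'; Key = 'Name'; Value = 'State' }
    )

    foreach ($s in $sections) {
        $r = @{}; foreach ($i in $ref.($s.List)) { $r[$i.($s.Key)] = $i }
        $d = @{}; foreach ($i in $dif.($s.List)) { $d[$i.($s.Key)] = $i }
        $keys = @($r.Keys) + @($d.Keys) | Sort-Object -Unique

        foreach ($k in $keys) {
            # The per-logon SID (S-1-5-5-x-y) is unique to every session; skip it.
            if ($k -match '^S-1-5-5-') { continue }

            $rv = if ($r.ContainsKey($k)) { $r[$k].($s.Value) } else { '(absent)' }
            $dv = if ($d.ContainsKey($k)) { $d[$k].($s.Value) } else { '(absent)' }

            # Emit a row only where the two tokens disagree: an entry missing on one
            # side, a group marked "deny only", a privilege enabled vs. disabled.
            if ($rv -ne $dv) {
                [pscustomobject]@{
                    Kind       = $s.Kind
                    Name       = if ($r.ContainsKey($k)) { $r[$k].Name } else { $d[$k].Name }
                    Key        = $k
                    Reference  = $rv
                    Difference = $dv
                }
            }
        }
    }
}

# Usage (paths are placeholders):
#   Logged on as DA-Service:  Save-TokenSnapshot -Path C:\Temp\da-service.json
#   Logged on as EA-Service:  Save-TokenSnapshot -Path C:\Temp\ea-service.json
#   Then, from either session:
#   Compare-TokenSnapshot -ReferencePath C:\Temp\da-service.json `
#                         -DifferencePath C:\Temp\ea-service.json |
#       Format-Table -AutoSize -Wrap
```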

Similar Messages

  • New Macbook Pro user (left my Dell laptop world) cannot get printer working

    Need some serious help, looks like my snazzy new purchase does not work with my Dell Color Laser Printer 3110cn. Apple tells me its not their problem, call Dell....well Dell says the driver they have does not work on Mac 10.5.2 or Leopard. What to do.
    i hope someone has encountered this and found a work around....
    Help needed....Thanks

    Follow up to my previous post--
    If the Dell driver for your printer does not work at all, it would appear that you have a couple of choices. One is to use the Generic PostScript Printer driver as I mentioned before.
    The other choice would be to use either the Generic PCL 6/XL pxlmono driver or the HP Color LaserJet 5000 pxlmono or similar driver. You can find installation instructions for the pxlmono drivers at http://www.linux-foundation.org/en/OpenPrinting/MacOSX/pxlmono
    When I was looking at the Dell 3110cn driver for Mac OS X, however, at least the basic functions seemed to work. Did you actually try printing with the driver from the Dell web site?
    It looks like the security filter and the printer extension plug-ins are what may be failing in OS X 10.5. I was able to set up a pseudo printer that prints its output to a file using the Dell 3110cn driver. I was able to produce a document that was valid PostScript. Preview was able to open the resulting PostScript file. Printing to file is not the same as actually getting the job printed on an actual Dell 3110cn printer. The PostScript file did contain extra PJL data (job features/choices). If these are not coded correctly, the print job could fail when going to a printer but seem to work fine when printed to file.
    Matt

  • Administrator in parent domain has no administrator rights when logging into child domain systems.

    We have a simple layout, parent domain in the office is foo.com, I've added a child domain in the datacenter called prod.foo.com (we have machines with the same names in the office and production, not my doing :p)  Prior to this all of our production machines were standalone and various users just had the local administrator account, which has led to some problems.
    Anyway, on to my issue;
    I have a security group in foo.com called Production Logins that I've added myself to, and on the test windows 2003 server I've allowed FOO\Production Logins the ability to remote desktop, and I'm able to remote into the box web01.prod.foo.com just fine, however; when I log into web01.prod.foo.com under my admin account in the parent domain, I only have basic user rights on that machine, not administrator rights.  Shouldn't administrator rights carry over to the child domain for my account?  Is there something specific I need to do to allow that?

    Hi,
    To do what the friend said above you need to configure restricted groups GPO
    More information:
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
    MCP, MCDST and MCSA 2003

  • User Migration from Parent Domain to Child Domain..The user is enabled with Exchange 2010 Mailbox in Parent Domain

    We currently have a single Windows 2008 R2 Active Directory domain controller, and an Exchange 2010 server. We are in the process of adding a child domain on a second Active Directory server for an offsite office location for a subdivision of our company.
    The two locations will be connected via VPN.
    Currently users exist on the root domain with Exchange accounts who will be moving to the new offsite company/location. We would like to be able to move these user accounts to the child domain while maintaining their existing Exchange mailboxes and email addresses. Is this possible, and if so how would we do it?

    Hi Srinivasa,
    According to your description, I think you have done all the preparation.
    For DL migration, the following article may give you some hints:
    How to Migrate Distribution Groups Across a Forest
    Good Luck!
    Niko Cheng
    TechNet Community Support

  • Can't create Exchange users in a new child domain

    Hi,
    i have an Exchange 2010 SP3 ( 1 CAS/Hub + 1 mailbox) server running in a parent domain. Few days ago i've created a new child domain, but i can't create mailbox for users coming from this new child domain.
    The error message says that i don't have enough rights to do this operation (can't copy the error, translation from French will be a disaster :p )
    That's what i get :
    Réponse d'Active Directory : 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    I'm doing this with my parent domain administrator.
    I've read that the exchange infra had to be prepared for all domains with command
    setup.com /PrepareAllDomains
    is it possible with an existing exchange?
    Thanks for your replies

    Yes, you need to prepare any domain that will have mail-enabled accounts in it.
    You can run this for a specific domain:
    setup /PrepareDomain:<FQDN of domain you want to prepare> to prepare a specific domain.
    It's safe to run this in an existing Exchange org.
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • Prevent Active Directory Parent Domain Admins from accessing Child Domain

    We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
    Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
    Thanks in advance for input and advice!
    Best regards.

    Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. we have parentdomain.com
    parent.parentdomain.com
    child1.parentdomain.com
    child2.parentdomain.com
    child3.parentdomain.com
    We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
    1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
    2.) Promote a Child.parentdomain.com user to Enterprise Admin?
    Thanks sorry for the confusion.

    Ah ok.
    Yes, you can. the answer is the same basically. The group membership is what counts. So in the child domain, remove the enterprise admins group from the child domain admins groups. OR make sure the domain admins of the forest root are not members of the enterprise admins group. that way they are still only admins in the parent domain.
    It is really only depending on group membership and including those groups in the child domain. by default the enterprise group is included for example, but nothing stops you from removing those groups.
    based on the group membership you can also deny them the ability to log on.
    the only thing you cannot prevent is the forest administrator account from doing something.
    One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in.

  • Added existing domain to the parent domain and now permission not inheriting on the child domain

    Hi Friends
    There was a existing Domain but we bought the company and make that Domain as a child domain of our Domain, problem is that users of Parent domain does not have access to the child domain. permissions are not inheriting from parent domain to child domain. 
    for e.g i created user on the parent domain i cant even login to the machine in other domain or access the resources which are on the child domain.

    Simply delegate the permissions you want to grant so that users from the root domain can have access to resources in the child domain.
    As an example, you make users from the parent domain login to computers from the child domain using Allow logon locally group policy: http://technet.microsoft.com/en-us/library/cc756809%28v=ws.10%29.aspx
    You can also make them able to RDP the computers if you add them to Remote Desktop Users group. This could be done by Restricted Groups Group Policy.
    So, for security reasons and depending on your current configuration, it is normal that users from the root domain might not have by default access to resources in the child domain. This could be fixed by doing the proper delegation.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Same user with administrative rights on all the servers in single domain versus domainadmin as a part of administrator group in all the servers

    same user with administrative rights on all the servers in single domain user as a part of administrator group in all the servers:
    same user is configured as administrator on all the servers in one domain at windows 2003 server. Should this user be made part of domain admin and then this can be set up in the group of administrator for all the servers.
    How this is technically different?
    If same user is set up as an administrator on all the servers in domain, will it have the same access on all the files as a domain admin user?
    dhomya

    If the account is not admin on the domain controllers and the account is not member of domain admins or any other privileged AD group, the account has only user privileges on AD and thus cannot perform actions like creating and managing accounts, groups, OUs, policies, sites, ... in other words cannot potentially ruin Active Directory.
    I think that is a pretty big difference.
    In fact, it is bad practice to perform your daily server management with an AD privileged account.
    In regards of file access. The domain administrator will be just an admin, and thus has the privileges assigned to the local admin group, just as any other admin. But if they are different accounts they might be member of different groups assigning different privileges. Always be careful when assuming resulting privileges will be the same.
    MCP/MCSA/MCTS/MCITP

  • Manage client in parent domain from child domain

    My site has a root domain (mydomain.net) and a parent domain (ent.mydomain.net).
    My primary SCCM site is installed in ent.mydomain.net and is managing all my clients.
    I have 4 DC's installed in mydomain.net that I would like to manage from my child domain (ent.mydomain.net).
    It is my understanding that if the schema has been extended in the parent domain, and I manually install the client on the DC, it should be able to be managed from the child domain.  
    I have installed the client in the parent, but it cannot find the site in the child (I have not extended the schema yet).  i know that the client will not be able to find the site until the system management container has been created and populated (does not currently exist).  I know that I can create the container, but how would it get populated with the correct site information.
    If anyone has any experience with this kind of configuration, the help would be appreciated.
    Thanks

    > i know that the client will not be able to find the site until the system management container has been created and populated (does not currently exist).  I know that I can create the container, but how would it get populated with the correct site information.
    You could enable AD publishing to that domain, but site assignment is also a matter of site assignment boundary groups. You can also assign a client to a site manually though.
    Torsten Meringer | http://www.mssccmfaq.de

  • RDS 2012 R2 cannot add 3rd party (parent domain) licensing server

    Hi,
    I have a RDS 2012 R2 farm and i cannot add a 3rd party licensing server that is in a parent domain (forest root domain - hosted by our corp HQ). I will edit deployment properties for the deployment in the first CB server to add a licensing server in per user mode. Seems to work, however no licenses are given to SH servers. Have made GPO as well to explicitly specify licensing server and mode, however i think this should not be necessary.
    Any ideas?
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights

    Hi,
    Thank you for posting in Windows Server Forum.
    1. In Server Manager -- RDS -- Overview -- Tasks -- Edit Deployment Properties -- RD Licensing tab, please make sure that the Licensing mode is set to match the type of licenses you purchased, and that the FQDN of your RD Licensing server is listed.
    2. In Server Manager -- RDS -- Collections -- <your collection> -- Host Servers, please make sure that your RDSH server is listed.  If you have more than one server with the RDSH Role Service in your deployment make sure that all of them are listed.  If they are not you may click Tasks -- Add RD Session Host Servers (make sure the servers are part of the Server Manager server pool prior to this).
    3. On Server 1, please open an Administrator PowerShell prompt and enter the following command:
    Add-WindowsFeature RDS-Licensing-UI
    4. After the above powershell command completes you should be able to open RD Licensing Manager (licmgr.exe) on Server 1 if you need to.  Please note that it is more important to have the licensing configured properly in deployment properties and your RDSH servers part of a collection than it is to be able to open RD Licensing Manager on both of your servers.
    (Above one quoted from beneath thread)
    Source:
    RDS 2012 Can't add a licensing server
    In addition, check below article.
    RD Licensing Configuration on Windows Server 2012
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Child DC cannot Replicate to Parent DC, because of connection errors. MS PortQryUI shows that ports 3268 and 3269 are not listening,

    I started a support case with Microsoft to help me with raising our domain Forest level because i received a message stating that there were Windows 2000 PDC still listed in the database. These PDCs were removed years ago. The tech saw all of the problems i was having with domain replication so that is where he started. running the MS PortQryUI shows that ports 3268 and 3269 are not listening, (TCP port 3268 (unknown service): NOT LISTENING) when run FROM a Child domain controller against the Parent Domain controller. Between the 2 Child domain controllers these ports are listening.
    The Windows firewall is not running on any of the controllers, i removed a virus protect client from all of the servers, although i didn't enable the firewall there either, but these ports are still not listening on the Parent DC.
    I need help debugging this. I am not very familiar with network sniffers so if i need to run one i'll need some guidance. This DC only has one NIC, all IP addresses are static, all servers are setup like this. All servers are in the same subnet, on the same lan, on the same cisco switch, there shouldn't be anything blocking this port from starting.
    I looked over other post that show this same problem, but they don't give a solution. If i am not using the Windows firewall why wouldn't these ports be open?
    Any ideas? web searches are all over the map on trying to find the reason for this.
    Bobby

    Try running the below command on the DCs that you think have the ports blocked or all the DCs.
    netdiag /test:ipsec /debug > c:\dcname-ipseclog.log
    Open that from the C drive and see if there is anything saying block or filters. 
    Also, just for kicks have you disabled the firewall service on the DCs? 
    And just for kicks have you tried enabling firewalls ports on all the DCs?  The KB is below
    http://support.microsoft.com/kb/555381/en-us
    Step 1 - netdiag results
    Step 2 - disable the firewall service on all DCs if step 1 was negative
    Step 3 - enable the firewalls on all DCs per KB 555381 if step 2 doesn't work
    Let us know how it goes!

  • Best pattern to signal a parent control from a deeply nested child control

    #1
    The application i created hosts initially a logincontrol.
    The login control signals the application with OnAuthenticationPassed to move states.
    This state change removes the login control and loads the administration control.
    this one level nesting is okay to be handled by having the parent listen to an event the child makes... but when multiple levels of nesting occurs... chaining events just to propagate the message up .. is not a flexible solution... example:
    The administration control hosts a lot of specific task controls.
    [ArticleManagement - (contains categorymanagement, new article, edit article -- further nesting controls)]
    eventually the session will die out on the server... so when a task (example: submit new article) the server response will be:
    <response>
    <isAuthenticated value="false" />
    </response>
    I will then have to propagate this message up to the application parent level so that administration control panel is removed and replaced with the login control.
    what is the best way to handle this?
    #2
    what are common transition patterns when removing one panel
    and putting another in its place? [i'm an application developer not
    an animator.]
    thanks,
    Leblanc Meneses

    thanks for the bubbling information. for a minute I thought i had to create a singleton to centralize registering events. I'm glad the framework manages this inside UIComponent .. less things i have to worry about.
    about animation: thanks first of all.. looking nice now.
    my current implementation works but you can see where the viewstack starts and ends by when the control and leaves, enters the scene through the animation.
    If i change the viewstack width and height to 100% i lose the ability to center the inner contents...
    i want the viewstack width and height to 100% and still be able to center vertically and horizontally the inner contents. do you know how to do this?
    Thanks again,
    Leblanc Meneses
    <mx:states>
        <mx:State name="OnAuthenticationPassed">
            <mx:SetProperty name="selectedChild"
                target="{this.viewstack1}" value="{this.administrationmain1}" />
        </mx:State>
    </mx:states>
    <mx:Script>
        <![CDATA[
        import flash.events.*;
        import mx.effects.easing.Bounce;

        public function init():void
        {
            // register to global event manager
            this.addEventListener("OnAuthenticationPassed", OnAuthenticationPassed);
            this.addEventListener("OnAuthenticationFailed", OnAuthenticationFailed);
        }

        // switch to the state that shows the administration control
        private function OnAuthenticationPassed(event:Event):void
        {
            this.currentState = "OnAuthenticationPassed";
        }

        // return to the base state and show the login control again
        private function OnAuthenticationFailed(event:Event):void
        {
            this.currentState = "";
            this.viewstack1.selectedChild = this.login1;
        }
        ]]>
    </mx:Script>
    <mx:Parallel id="outEffect">
        <mx:Dissolve duration="1000" alphaFrom="1.0" alphaTo="0.0"/>
        <mx:Move duration="500" xTo="-9000" xFrom="0" />
    </mx:Parallel>
    <mx:Parallel id="inEffect">
        <mx:Dissolve duration="1000" alphaFrom="0.0" alphaTo="1.0"/>
        <mx:Move duration="500" xTo="0" xFrom="-9000" />
    </mx:Parallel>
    <mx:ViewStack id="viewstack1" resizeToContent="true"
        horizontalCenter="0" verticalCenter="-5">
        <comp:login id="login1"
            hideEffect="{this.outEffect}" showEffect="{this.inEffect}" />
        <administration:administrationmain id="administrationmain1"
            hideEffect="{this.outEffect}" showEffect="{this.inEffect}" />
    </mx:ViewStack>

  • Cannot add users to new domains anymore

    I got messaging server and delegated admin to work just fine recently until I tried getting LDAP authentication to work so LDAP users could log into Sunrays.
    I used idsconfig and saw that it added a bunch of stuff to the directory so I deleted that stuff after I realized I couldn't add users to a new domain anymore. It just says "cannot create user - unknown error". I can still add users to old domains just fine.
    And I tried both DA and commadmin, neither work. Here's my Messaging server and DA version:
    Sun Java(tm) System Messaging Server 6.2-3.04 (built Jul 15 2005)
    libimta.so 6.2-3.04 (built 01:43:03, Jul 15 2005)
    SunOS testy.i-n-control.com 5.10 Generic_118822-25 sun4u sparc SUNW,Sun-Fire-V440
    Delegated Administrator 6.3-0.09
    I turned on debugging for DA and here's the output:
    TRACE [Wed Aug 02 10:10:47 MDT 2006] Default people container = ou=People,o=domain,dc=mail,dc=example,dc=com
    TRACE [Wed Aug 02 10:10:47 MDT 2006] ServerPushThread: setting stop flag
    TRACE [Wed Aug 02 10:10:47 MDT 2006] commTaskManager: progress thread stopped
    TRACE [Wed Aug 02 10:10:47 MDT 2006] com.iplanet.am.sdk.AMException: Unable to create entry.
         at com.iplanet.am.sdk.ldap.DirectoryManager.processInternalException(DirectoryManager.java:433)
         at com.iplanet.am.sdk.ldap.DirectoryManager.createUser(DirectoryManager.java:1046)
         at com.iplanet.am.sdk.ldap.DirectoryManager.createEntry(DirectoryManager.java:1525)
         at com.iplanet.am.sdk.AMDirectoryManager.createEntry(AMDirectoryManager.java:651)
         at com.iplanet.am.sdk.AMCacheManager.createEntry(AMCacheManager.java:337)
         at com.iplanet.am.sdk.AMObjectImpl.create(AMObjectImpl.java:1009)
         at com.iplanet.am.sdk.AMPeopleContainerImpl.createUser(AMPeopleContainerImpl.java:285)
         at sun.comm.cli.server.servlet.CreateUser.create(CreateUser.java:677)
         at sun.comm.cli.server.servlet.CreateUser.doTask(CreateUser.java:91)
         at sun.comm.cli.server.servlet.commTaskManager.execute(commTaskManager.java:196)
         at sun.comm.cli.server.servlet.commServlet.doPost(commServlet.java:90)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:807)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
         at org.apache.catalina.core.StandardWrapperValve.invokeServletService(StandardWrapperValve.java:771)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:322)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
         at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
         at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)
    TRACE [Wed Aug 02 10:10:47 MDT 2006] After AM Exception , msg being sent is Unable to create entry.^324^NONE
    TRACE [Wed Aug 02 10:10:47 MDT 2006] in CLIPageData constructor:status = 1
    TRACE [Wed Aug 02 10:10:47 MDT 2006] commTaskManager - execute => generateOutput
    TRACE [Wed Aug 02 10:10:47 MDT 2006] In CLIPageGenerator ....
    TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput : cliData.status = 1
    TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput : CLIPageData.OK = 0
    TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput : CLIPageData.FAIL = 1
    TRACE [Wed Aug 02 10:10:47 MDT 2006] Failed: Unable to create entry.^324^NONE
    TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput - Printing successfull results
    TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput - status => FAIL
    TRACE [Wed Aug 02 10:10:47 MDT 2006] CLIPageGenerator - generateOutput - message => Unable to create entry.^324^NONE
    TRACE [Wed Aug 02 10:10:48 MDT 2006] ServerPushThread: done
    TRACE [Wed Aug 02 10:10:48 MDT 2006] ServerPushThread: done
    TRACE [Wed Aug 02 10:10:49 MDT 2006] ServerPushThread: done
    TRACE [Wed Aug 02 10:10:58 MDT 2006] sun.comm.cli.server.servlet.commLDAPAuth: shutting down. Total access count = 1
    Message was edited by:
    nate.wheeler

    > Frankly, I'm new to LDAP so I don't know really what changed.
    No time like the present to start learning.
    > It's weird, I can do some things, but not others. Like I can assign service packages, but not change the login id or password of a user. So it doesn't look like amadmin can't change things.
    LDAP provides "ACI", or Access Control settings that can be changed, and create exactly the kinds of things you're looking at.
    The Directory Console can view ACI
    > The password encryption seemed to have changed from {SSHA} to {CRYPT}. Although I have no idea how to switch it back or where to look to see if it did.
    Unlikely to have made any difference. That should be transparent to the application using DS.
    Most of our applications don't compare the password entry, but attempt a BIND for that very reason.
    Again, I'd be looking at your LDAP access logs for a clue to what's happening.
    Message was edited by:
    nate.wheeler

  • How to allow domain users to customize page Size in Adobe PDF printer.

    Hi all,
    I am not able to customize page size in Adobe PDF printer when I logged in with Domain user login. But I am able to Customize PDF printer in admin Login.
    I need a solution to allow Domain users to customize page size for Adobe PDF printer.
    Looking for a solution ASAP
    Regards
    Nagesh

    Oops, I misread your question, so I edited my response.

  • How do I allow parental controlled users to access third party apps on the admin account?

    I just set my son up with a separate parental controlled user account and he can't seem to access some third party games that we installed for him under my admin account. He has saved progress on these games that we don't want to lose, so I don't want to reinstall them. I checked them off as allowed apps, but when he tries to play- the game icon shows up in the doc then changes to the updater icon and they won't run. I've searched for answers to this question, but can't seem to find any. Please help? My son and I would be very grateful!

    jeremiahfromva wrote:
    Mavericks (isn't that an old Ford model?
    Sure was! They used it on 4 different models. But that was Maverick, as in horse. This will be Mavericks as in ocean waves.
