Guest Library Sysadmin
Posted September 25, 2007

I've got an odd situation occurring with the domain administrator account.

I log on to any domain server or workstation with the domain administrator account and map a network share to any shared folder on another server or workstation. If I try to access executable files on these shares, I am getting an error box saying that the user doesn't have permissions or rights. The domain admin account can open text files. If I log in using my own account (which is a member of the Domain Admins group) I can run any of these executable files in the same shares/folders/files.

In checking the share permissions or folder NTFS security, the Domain Admins group, the local Administrators group (of which the domain administrator account is a member) are already listed as having Full Control for This folder, subfolders and files. Even if I specifically add the domain administrator's account to the list and grant full share and NTFS permissions, the same error occurs.

It appears that the domain admin account has read-only permissions on all shares throughout the domain, no matter what the permissions specify on the share/folder/file.

Has anyone else run across anything like this? This did not happen to the domain admin account under Windows 2000. How do you correct this?

TIA

Rick

Guest Coraleigh Miller
Posted September 26, 2007

Re: Domain Administrator permissions problem

Hi Library Sysadmin,

The Read Only on shares is a by default thing with Server 2003. The best thing to do is to change your share permissions to be everyone (or authenticated users) to full access, and then manage your specific permissions on the NTFS level.

The most restrictive access on a folder location will take precedence, so right now your share-level read-only perms are taking precedence over your NTFS file level perms.

Coraleigh Miller

Guest Library Sysadmin
Posted September 26, 2007

Re: Domain Administrator permissions problem

Coraleigh,

Thanks for the response.

I had already checked the share level permissions (many times) and had seen that the default share permissions are only set to read for the Everyone group. I had specifically set the share permissions for Full Control for Domain Admins, the local Administrators group and the specific Domain Administrator account. I also tried this with the Everyone group left in, as well as removing the permission for the Everyone group from the share permissions.

I still get the message that the user doesn't have rights, when logged in with the domain administrator's account.

Rick

Guest Coraleigh Miller
Posted September 27, 2007

Re: Domain Administrator permissions problem

Hi Rick,

On one of the servers you are logged into, run the gpresult command and then compare it against a gpresult run while logged in with a functioning domain admin account. This will quickly show you the full group memberships your accounts have. (Running gpresult >gpresult.txt will port your info into a txt file for easy comparison.)

You can also try looking through your group policies to see whether this account has been set to deny access somewhere. If you don't have it already, the MS Group Policy Management Console is excellent for viewing enabled policies and their configs.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

Coraleigh Miller
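
The gpresult comparison suggested in the last reply, as an added PowerShell example that is not part of the original thread: it pulls the user security-group section out of two saved gpresult reports and lists the groups that appear in only one of them. The report text and the group EXAMPLE\Hypothetical Deny Group are constructed sample data, and the file names in the closing comment are assumptions.

```powershell
# Added example. Both reports below are constructed sample data; the group
# "EXAMPLE\Hypothetical Deny Group" is invented for illustration.
function Get-GpresultUserGroups {
    param([string[]]$Lines)
    $groups = @()
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*The user is a part of the following security groups') {
            $inSection = $true; continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*-+\s*$') { continue }       # dashed underline under the heading
        if ($line -match '^\s*$') {                       # a blank line after the list ends the section
            if ($groups.Count -gt 0) { break } else { continue }
        }
        $groups += $line.Trim()
    }
    $groups
}

function Compare-GpresultGroups {
    param([string[]]$Working, [string[]]$Failing)
    # @() keeps the result an array even for zero or one group
    $w = @(Get-GpresultUserGroups $Working)
    $f = @(Get-GpresultUserGroups $Failing)
    [pscustomobject]@{
        OnlyInWorking = @($w | Where-Object { $f -notcontains $_ })
        OnlyInFailing = @($f | Where-Object { $w -notcontains $_ })
    }
}

$header = @'
USER SETTINGS
--------------
    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        Domain Admins
'@ -split '\r?\n'

$workingReport = $header
$failingReport = $header + '        EXAMPLE\Hypothetical Deny Group' + '' + 'COMPUTER SETTINGS'

Compare-GpresultGroups $workingReport $failingReport | Format-List
# With real captures (assumed file names):
#   Compare-GpresultGroups (Get-Content working.txt) (Get-Content failing.txt)
```

A group that shows up only for the failing account is the first place to look for a deny entry on the share or in the folder's NTFS ACL.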