"Access Denied" to local machine mgmt console

[MandG]

I'm running my Domain Controller on Windows 2000 server. I go into the
the Active Directory Users and Computers snap-in, right-click on a
computer, and then select 'Manage'. When the Computer Management
console opens up for that particular machine, and I select 'Local Users
and Groups' I recieve an error in the main windows that states: "Unable
to connect to computername.domain.com. The error was: Access is
denied."

Is this by design or is something misconfigured on my DC?

Thanks!

 

[Hakan GOKCOL]

Because, domain controller can not use Local Users and Groups.

Hakan GOKCOL

 

[MandG]

Because, domain controller can not use Local Users and Groups.

I understood that to be the case for the server that's has DC running
on it, but I always thought that I could manage domain computers from
the Users and Computers snap-in.

What I'm ultimately trying to do is add the 'Enterprise Admin' AD group
to the 'Remote Desktop Users' group on everyones local machine. Is this
something that I'll have to do manually on everyones local macine and
not through the DC?

 

[Ace Fekay [MVP]]

In

I understood that to be the case for the server that's has DC running
on it, but I always thought that I could manage domain computers from
the Users and Computers snap-in.

What I'm ultimately trying to do is add the 'Enterprise Admin' AD
group to the 'Remote Desktop Users' group on everyones local machine.
Is this something that I'll have to do manually on everyones local
macine and not through the DC?

That's already in there by default by the fact that the Domain Admins group
is automatically part of the workstation's Local Admin group once the
workstation is joined to the domain. Domain Admins, and you don't need to be
an Enterprise Admin to be able to remotely control/connect to a workstaion
using RDP. If in a multi-domain scenario, the Domain Admin of each domain is
sufficient. Enterprise Admin is only for forest procedures, such as with
DHCP management and other forest specific stuff and not required for what
you are trying to do.

If I didn't understand what you are trying, please elaborate further. You
can also roll this out with a GPO using restricted groups.

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...

 

[MandG]

That's already in there by default by the fact that the Domain Admins group
is automatically part of the workstation's Local Admin group once the
workstation is joined to the domain. Domain Admins, and you don't need to be
an Enterprise Admin to be able to remotely control/connect to a workstaion
using RDP. If in a multi-domain scenario, the Domain Admin of each domain is
sufficient. Enterprise Admin is only for forest procedures, such as with
DHCP management and other forest specific stuff and not required for what
you are trying to do.

If I didn't understand what you are trying, please elaborate further. You
can also roll this out with a GPO using restricted groups.

Well this is a single domain/forest so then I guess I can simply ensure
that I'm a member of the Domain Admins group and not even worry about
the Enterprise Admin group.

You say that the Domain Admins Group is automatically included in the
local RDU group, correct? Will this be shown on a users local computer
(that the local RDU group includes the domain Domain Admin group) or is
this just an invisible inheritance?

Also, thanks for the tip on setting up a restricted groups GPO - I'm
configuring that now

And lastly, I'm still not 100% certain on my original question about
not being able to manage computers through my W2k server DC - why does
it give me Access Denied?

 

[Ace Fekay [MVP]]

In

Well this is a single domain/forest so then I guess I can simply
ensure that I'm a member of the Domain Admins group and not even
worry about the Enterprise Admin group.

You say that the Domain Admins Group is automatically included in the
local RDU group, correct? Will this be shown on a users local
computer (that the local RDU group includes the domain Domain Admin
group) or is this just an invisible inheritance?

When you go into RDP properties to allow access to users, it says that the
Local Admin account is already allowed. The Local Admin account is part of
the Local Admin Group, which also has the Domain Admin group added to it by
the mere fact it is joined to the domain (one of the security features that
occur in the background).

Also, thanks for the tip on setting up a restricted groups GPO - I'm
configuring that now
cool...


And lastly, I'm still not 100% certain on my original question about
not being able to manage computers through my W2k server DC - why does
it give me Access Denied?

That is the right question.

This can be caused by other issues. If domain communication, DNS can be a
cause. If not pointing to ONLY the internal DNS in all machines' IP
properties, this can be a great concern. Even mixing the internal DNS server
and an ISP's DNS server in a machine (any internal machine) can cause
NUMEROUS AD problems.

Let's see an unedited ipconfig /all from the DC and a client you are trying
to connect to, please.

Happy Holidays!

Ace

 

[MandG]

Let's see an unedited ipconfig /all from the DC and a client you are trying
to connect to, please.

Happy Holidays!

Ace

I think I may be onto something with the Access Denied issues. As I
stated earlier this is a W2K DC but all clients are XP machines. XP
machines have a built-in firewall that, in some cases, may be blocking
me from accessing/managing them from the W2K based DC.

First, does that make sense to anyone else?

And second, can I create a GPO on W2K server that will disable the XP
client side firewall?

 

[Ace Fekay [MVP]]

In

I think I may be onto something with the Access Denied issues. As I
stated earlier this is a W2K DC but all clients are XP machines. XP
machines have a built-in firewall that, in some cases, may be blocking
me from accessing/managing them from the W2K based DC.

First, does that make sense to anyone else?

And second, can I create a GPO on W2K server that will disable the XP
client side firewall?

The firewall could be causing it.You'll need to open and allow ports TCP
3389 and UDP 3389.

You may have to install an ADM template, but can't remember. The first
article discusses it. Win2003 is no problem. Check to make sure by creating
a new OU and create a test GPO. Drill down (going by memory) in the Computer
section, Adminsitrative Templates, Network, Interfaces. You should see a
Domain Firewall and Local Firewall. Choose the Domain Firewall. If it
exists, then the options are all there.

Here's some more info on it:

Configuring Windows Firewall in a Small Business Environment Using Group
Policy:
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/fwgrppol.mspx

Managing Windows XP Service Pack 2 Features Using Group PolicyDeploying
Group Policy Settings in SP2:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngdepgp.mspx

Windows Server Reference Guide How Group Policy Enables Remote Firewall
Control:
http://www.informit.com/guides/content.asp?g=windowsserver&seqNum=189&rl=1

Ace