First of all, this server is a Domain Controller. Thus I
have no ability to log in locally to the machine. I must
always log in to the domain as a domain user. I am a
member of an administrative group that gives me rights to
my OU but it is very limited. The error I get when I go
into Computer Management, Shared Folders, Open Files is:
"System encountered the following error while reading the
list of open files: Error 5: Access denied"
I'm not privy to group policies so not sure if I am cut
off there or not. All the domain admins will tell me is
that I have to be a domain admin to be able to see the
open files. Not fair! I cannot do my job effectively
without this ability. Oh, I yearn for the old days of
Novell.

-----Original Message-----
A local administrator on a domain [or any] computer has a lot of power. Why do you
believe you cannot see who has files open? What error do you get? It is possible
that there are Group Policy restrictions that can also apply to the local
administrator while logged on as a domain member. If you log on to the local machine
as administrator then user configuration Group Policy from the domain or OU would not
apply to you. There is a user right for debug programs that by default has the
administrators group as members. If that has been removed then some system utilities
will not run or only run with certain features. Many of the utilities from
SysInternals require debug user right. If that user right has been configured at the
domain/OU level as shown by local setting being different than "effective" setting in
Local Security Policy, there is nothing you can do about it. Of course the local
administrator can always remove a computer from the domain, but I would not recommend
that without permission from domain admins and the local administrator may not be
able to join the computer to the domain.
--- Steve