| Author |
Message |
JohnHorb
Guest
|
 Posted:
Thu Dec 23, 2004 12:55 am Post subject:
Admin permissions |
|
|
I'm in the process of migrating from NT4 to Win2003 using ADMT 2, and have
come across what, to me, is a strange 'access' issue. If I log on to the
Win2K3 server as 'administrator', I get 'access denied' on certain things,
e.g. If I try to access WINS on the server, or if I try to access group
policies.
However, if I log on to a workstation(XP) using the same 'Administrator'
account, I CAN access WINS and Group Policy on the server. |
|
| Back to top |
|
 |
Bob Qin [MSFT]
Guest
|
| Posted:
Thu Dec 23, 2004 1:29 pm Post subject:
RE: Admin permissions |
|
|
Hi John,
Thanks for your posting here.
Based on your posts, I am not very clear about the problem. Let's confirm
the following information.
1. When you log in the Windows Server 2003, is the "administrator" you
meant domain administrator account?
2. How did you access WINS server? Is WINS server in Windows 2003 domain?
What is the detailed error message?
3. How did you access Group Policy? Is it domain group policy or local
group place? What is the detailed error message?
4. Is there any related error in the Event Logs?
I am looking forward to your response.
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "=?Utf-8?B?Sm9obkhvcmI=?=" <JohnHorb@discussions.microsoft.com>
Subject: Admin permissions
Date: Wed, 22 Dec 2004 10:55:08 -0800
Newsgroups: microsoft.public.windows.server.migration
I'm in the process of migrating from NT4 to Win2003 using ADMT 2, and
have
come across what, to me, is a strange 'access' issue. If I log on to
the
Win2K3 server as 'administrator', I get 'access denied' on certain
things,
e.g. If I try to access WINS on the server, or if I try to access
group
policies.
However, if I log on to a workstation(XP) using the same
'Administrator'
account, I CAN access WINS and Group Policy on the server. |
|
| Back to top |
|
|
JohnHorb
Guest
|
| Posted:
Thu Dec 23, 2004 2:59 pm Post subject:
RE: Admin permissions |
|
|
Bob
Thanks for you response. Replies below:-
"Bob Qin [MSFT]" wrote:
| Quote: | Hi John,
Thanks for your posting here.
Based on your posts, I am not very clear about the problem. Let's confirm
the following information.
1. When you log in the Windows Server 2003, is the "administrator" you
meant domain administrator account?
|
Yes.
| Quote: |
2. How did you access WINS server? Is WINS server in Windows 2003 domain?
What is the detailed error message?
|
It is a small domain I am setting up, and the Domain Controller is also
running WINS, DHCP and DNS servers. It is the WINS server on the DC which I
cannot access if I log directly onto the DC, but CAN if I log on as domain
administrator on a client PC (XP). The server is shown in red, with an error
in the right-hand pane 'Cannot find the WINS Server - the WINS server you
specified cannot be located. The WINS Server may be down, there might be
network problems, or the WINS service might not be insyalled. The error was:
Access is denied". I can stop, restart, etc from the right-click menu, but
most other options are greyed out.
| Quote: | 3. How did you access Group Policy? Is it domain group policy or local
group place? What is the detailed error message?
If I go into Active Directory Users and Computers, right-click the domain |
name and select 'Group Policy', I get a dialogue box stating that the domain
controller for Group Policy operations is not available. I then have three
options to select a domain controller (The one with the Operations Master
token for the PDC Emulator, the one used by the active directory snap-ins or
any available DC). If I select any one of these, I get 'You do not have
permission to perform this operation' Details: Access is denied'. (This is
the only DC on the domain). Again, if I do the same from a client PC, I have
no problems.
I know this problem has not always been there, as I did edit group policy
successfully at one point. It MAY have occured after I raised the function
level to Win2000 native.
| Quote: | 4. Is there any related error in the Event Logs?
Yes - 'Windows cannot access the file gpt.ini for GPO..... The file must be |
in location ....'
I have verified that the file IS in the location specified, and both it and
the SYSVOL share appear to have the correct (full) permissions for domain
admins.
| Quote: | I am looking forward to your response.
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "=?Utf-8?B?Sm9obkhvcmI=?=" <JohnHorb@discussions.microsoft.com
Subject: Admin permissions
Date: Wed, 22 Dec 2004 10:55:08 -0800
Newsgroups: microsoft.public.windows.server.migration
I'm in the process of migrating from NT4 to Win2003 using ADMT 2, and
have
come across what, to me, is a strange 'access' issue. If I log on to
the
Win2K3 server as 'administrator', I get 'access denied' on certain
things,
e.g. If I try to access WINS on the server, or if I try to access
group
policies.
However, if I log on to a workstation(XP) using the same
'Administrator'
account, I CAN access WINS and Group Policy on the server.
|
|
|
| Back to top |
|
|
JohnHorb
Guest
|
| Posted:
Thu Dec 23, 2004 10:37 pm Post subject:
RE: Admin permissions |
|
|
I'm beginning to tear my hair out over this. It does seem to be some sort of
weird authentication issue. If I try to map to a share (e.g C$, or SYSVOL) on
the server itself, whilst logged in as domain admin, I get a login prompt,
and it will not let me access with the administrator account! However, I can
map to the shares on the server from a workstation by logging in as the
domain admin, and the permissions on both the share and the file structure
seem OK.
Hope you can shed some light!
John
"Bob Qin [MSFT]" wrote:
| Quote: | Hi John,
Thanks for your posting here.
Based on your posts, I am not very clear about the problem. Let's confirm
the following information.
1. When you log in the Windows Server 2003, is the "administrator" you
meant domain administrator account?
2. How did you access WINS server? Is WINS server in Windows 2003 domain?
What is the detailed error message?
3. How did you access Group Policy? Is it domain group policy or local
group place? What is the detailed error message?
4. Is there any related error in the Event Logs?
I am looking forward to your response.
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "=?Utf-8?B?Sm9obkhvcmI=?=" <JohnHorb@discussions.microsoft.com
Subject: Admin permissions
Date: Wed, 22 Dec 2004 10:55:08 -0800
Newsgroups: microsoft.public.windows.server.migration
I'm in the process of migrating from NT4 to Win2003 using ADMT 2, and
have
come across what, to me, is a strange 'access' issue. If I log on to
the
Win2K3 server as 'administrator', I get 'access denied' on certain
things,
e.g. If I try to access WINS on the server, or if I try to access
group
policies.
However, if I log on to a workstation(XP) using the same
'Administrator'
account, I CAN access WINS and Group Policy on the server.
|
|
|
| Back to top |
|
|
Bob Qin [MSFT]
Guest
|
| Posted:
Sat Dec 25, 2004 9:19 am Post subject:
RE: Admin permissions |
|
|
Hi John,
Did the problem occur when you built up the Windows Server 2003 Domain? Or
it occurred after migration from NT 4 domain?
Do you use the Windows 2003 Domain administrator account?
How did you set the network properties on the DC? Did you point the DNS and
WINS settings in Windows 2003 DC to itself?
In addition, please run Netdiag and DCdiag on the Windows 2003 DC to check
if there is any error message.
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "=?Utf-8?B?Sm9obkhvcmI=?=" <JohnHorb@discussions.microsoft.com>
Subject: RE: Admin permissions
Date: Thu, 23 Dec 2004 08:37:13 -0800
Newsgroups: microsoft.public.windows.server.migration
I'm beginning to tear my hair out over this. It does seem to be some
sort of
weird authentication issue. If I try to map to a share (e.g C$, or
SYSVOL) on
the server itself, whilst logged in as domain admin, I get a login
prompt,
and it will not let me access with the administrator account!
However, I can
map to the shares on the server from a workstation by logging in as
the
domain admin, and the permissions on both the share and the file
structure
seem OK.
Hope you can shed some light!
John
"Bob Qin [MSFT]" wrote:
| Quote: | Hi John,
Thanks for your posting here.
Based on your posts, I am not very clear about the problem. Let's
confirm
the following information.
1. When you log in the Windows Server 2003, is the "administrator"
you
meant domain administrator account?
2. How did you access WINS server? Is WINS server in Windows 2003
domain?
What is the detailed error message?
3. How did you access Group Policy? Is it domain group policy or
local
group place? What is the detailed error message?
4. Is there any related error in the Event Logs?
I am looking forward to your response.
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your
newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
From: "=?Utf-8?B?Sm9obkhvcmI=?="
JohnHorb@discussions.microsoft.com
Subject: Admin permissions
Date: Wed, 22 Dec 2004 10:55:08 -0800
Newsgroups: microsoft.public.windows.server.migration
I'm in the process of migrating from NT4 to Win2003 using
ADMT 2, and
have
come across what, to me, is a strange 'access' issue. If I
log on to
the
Win2K3 server as 'administrator', I get 'access denied' on
certain
things,
e.g. If I try to access WINS on the server, or if I try to
access
group
policies.
However, if I log on to a workstation(XP) using the same
'Administrator'
account, I CAN access WINS and Group Policy on the server.
|
|
|
| Back to top |
|
|
JohnHorb
Guest
|
| Posted:
Mon Dec 27, 2004 5:27 pm Post subject:
RE: Admin permissions |
|
|
Bob
Because I wanted to get this migration completed over the Christmas period,
and wasn't sure what response I would get here over the holiday period, I
'chickened out' and reinstalled from scratch, and, so far, everything is OK.
The only difference I can think of, is that I did not select the option to
transfer group memberships from the NT domain. Even though the problem has
gone for now, any assistance in understanding what went wrong would be
extremely useful, as we have another NT domain to migrate shortly. Replies to
your queries below:-
"Bob Qin [MSFT]" wrote:
| Quote: | Hi John,
Did the problem occur when you built up the Windows Server 2003 Domain? Or
it occurred after migration from NT 4 domain?
|
Difficult to say. I did not realise I had a problem until I installed WINS
and found I could not access the properties, but it is possible the problem
arose earlier. I SUSPECT it was something which happened during the migration
of accounts from the NT domain.
| Quote: | Do you use the Windows 2003 Domain administrator account?
|
Yes - this is the account which gave the problem. I tried creating another
account and giving it the same group memberships, and it had the same issues.
| Quote: | How did you set the network properties on the DC? Did you point the DNS and
WINS settings in Windows 2003 DC to itself?
|
From memory - no. I think I left both blank. (Though I have done now, after
the rebuild).
| Quote: | In addition, please run Netdiag and DCdiag on the Windows 2003 DC to check
if there is any error message.
|
I did run DCDiag, and received several Access error (5) messages, confirming
my suspicion that there was something wrong with the admin account. What I
can't understand is why this problem only manifested itself when I logged on
to the server. Logging on to a client with the same Domain admin account
seemed to give me the correct access rights on the server.
| Quote: | Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "=?Utf-8?B?Sm9obkhvcmI=?=" <JohnHorb@discussions.microsoft.com
Subject: RE: Admin permissions
Date: Thu, 23 Dec 2004 08:37:13 -0800
Newsgroups: microsoft.public.windows.server.migration
I'm beginning to tear my hair out over this. It does seem to be some
sort of
weird authentication issue. If I try to map to a share (e.g C$, or
SYSVOL) on
the server itself, whilst logged in as domain admin, I get a login
prompt,
and it will not let me access with the administrator account!
However, I can
map to the shares on the server from a workstation by logging in as
the
domain admin, and the permissions on both the share and the file
structure
seem OK.
Hope you can shed some light!
John
"Bob Qin [MSFT]" wrote:
Hi John,
Thanks for your posting here.
Based on your posts, I am not very clear about the problem. Let's
confirm
the following information.
1. When you log in the Windows Server 2003, is the "administrator"
you
meant domain administrator account?
2. How did you access WINS server? Is WINS server in Windows 2003
domain?
What is the detailed error message?
3. How did you access Group Policy? Is it domain group policy or
local
group place? What is the detailed error message?
4. Is there any related error in the Event Logs?
I am looking forward to your response.
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your
newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
From: "=?Utf-8?B?Sm9obkhvcmI=?="
JohnHorb@discussions.microsoft.com
Subject: Admin permissions
Date: Wed, 22 Dec 2004 10:55:08 -0800
Newsgroups: microsoft.public.windows.server.migration
I'm in the process of migrating from NT4 to Win2003 using
ADMT 2, and
have
come across what, to me, is a strange 'access' issue. If I
log on to
the
Win2K3 server as 'administrator', I get 'access denied' on
certain
things,
e.g. If I try to access WINS on the server, or if I try to
access
group
policies.
However, if I log on to a workstation(XP) using the same
'Administrator'
account, I CAN access WINS and Group Policy on the server.
|
|
|
| Back to top |
|
|
Bob Qin [MSFT]
Guest
|
| Posted:
Tue Dec 28, 2004 2:34 pm Post subject:
RE: Admin permissions |
|
|
Hi John,
Thanks for your reply.
First, it is recommended to point the DNS and WINS server to itself on DC
in Windows 2003 domain. Or it may cause problems since it cannot register
DNS records correctly.
In addition, you should install DNS and WINS services before migration. You
can check if these services work properly in the new domain. In general,
migrating user accounts into the new domain will not cause any problem for
the existed user accounts.
Here are some useful documents:
Restructuring Windows NT 4.0 Domains to an Active Directory Forest
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/windowsserver2003/proddocs/deployguide/dssbh_rera_usbf.asp
Domain Migration Cookbook
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/windows2000serv/deploy/cookbook/cookintr.asp
How to Migrate Your Windows NT 4.0 Directory Services to Windows 2000
Active Directory
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/tcevents/
itevents/ad/tnq20003.asp
I hope the information above helps.
Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
-------------------- |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in