Re: 2003 Server Client/Delegation and Data Issues



Hello again Ace -

I'm sorry I have not been in touch for a few days. I got redirected to a
user with a huge data load for an application. That is under control, so I
am back looking at AD.

A few updates - The win2003 server is now showing the proper AD data. I
really don't know what caused this change, but it is for the better. The
junior admin still cannot unlock - the last issue. As I learn my way around
AD, I am starting to suspect a permissions conflict as I have poked around
further into the various groups this user is a member of. This may be a
case of a little knowledge being dangerous as I can clearly see there is a
ton to learn here - if you can bear with me, this is what I observed.

The jr admin is a member of the Remote Desktop Users group at the domain
level which has no AD permissions. On the win23k server, there is also a
local Remote Desktop Users group. I added the junior admin group to the
local Remote Desktop to give them terminal services access. That works fine.
Logging on as the administrator on the win23k server, I can look at the jr
admin and see she has the read/write lockout capability as a member of the jr
admins group (properties/advanced/effective permissions). When I look at her
remote desktop group effective permissions, that permission does not exist.

I did some research on permission precedence and my head is now spinning. I
saw that precedence started with the local system and worked up to the
domain. I know there are also various places where I can allow inheritance.
If you think this is a reasonable source of the problem, could you please jot
down what needs to be set where for inheritance and permissions on the domain
and local system?

I also noted a few entries with account unknown with a red
question mark. My "keep things clean" attitude really wants to delete them,
but I could not find a good description of why they occur and if it's OK to
just delete them. I would very much appreciate it if you could point me to a
resource, or help me understand their source.

Thank you very much for your continuing help and support.

"Ace Fekay [MCT]" wrote:

"Diane" <Diane@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C1DEA045-2935-47CA-B60B-B3D4D25FBA9F@xxxxxxxxxxxxxxxx
Hi Ace,

Thanks for checking the DNS settings - good news there! I will make the
second DC a GC, it is one domain - should have done that before, so thank
you for the reminder.

I decided to test another win2003/R2 member server - same issue! I'm
kicking myself for not looking at this earlier. So, the *potential* for a
schema difference is looking stronger. I do have another win2k server which
has been taken offline. I'll get it back online for a test, though it may
take a day or two to arrange it. It's pretty clear the win2K AD is old
because of the product age. I am wondering though, what is the update
process for AD within an OS version? I do not think I have seen an update
via the "normal" channels for AD. If it is the schema, are there any updates
I could "safely" apply to the win2k DCs at this point to help this
situation?

Thanks very much again. I'll report back when I have more news.

Diane

You can just update the Schema to the 2003 R2 version by running from the
2003 CD or from one of the 2003 machines (logged on as EA, of course):
adprep /forestprep
adprep /domainprep

If you get any errors, such as if you have Exchange 2000 installed, we'll
address that as we go along.



Ace

