Disabling local admin account prevents a Domain Admin access



Kevin3DR
07-09-2005, 10:53 PM
I am running several Windows 2003 Servers, and I am having a very odd
problem.

On one server (not a domain controller), I have the following default
accounts:

Local Account: Administrator

Local Group: Administrators: Members: domain\Domain Admins,
Administrator (local)

Domain Group: Domain Admins: domain/Administrator, domain/Turner,
domain/Green

The problem is this. When I disable the local administrator account on
the file server, domain/Green is denied access. All my other users, as
well as domain/Turner and domain/Administrator still have complete
access. If I reenable the local administrator account, access for
domain/Green comes back.

This is a very odd problem. Does anyone know of a utility to check the
integrity of local security accounts, or have any idea what this could
be?

Kevin

Steven L Umbach
07-09-2005, 10:53 PM
What is the exact message that user domain/Green gets when he is denied
access?? Auditing of logon events is probably already enabled on the Windows
2003 Server so look in the security log to see if a logon failure has been
recorded and possibly the reason why. One thought is that domain/Green is
using an XP Pro computer with stored credentials that match the credentials
of the local administrator account on the server. You could also check
Computer Management/shared folders - sessions to see as what account
domain/Green is connected to the server with when the local administrator
account is enabled. --- Steve



Kevin3DR
07-09-2005, 10:53 PM
The error message is just a plain Access Denied. It seems that my
domain account is logging into that server as the local Administrator,
for some reason, as both Computer Management - Sessions, and Event log
are showing my login as the local Administrator. The event log entry
is below.

How do I check to see if the stored credentials match, and how do I
get my system to logon as the user account?





Jun 8 13:33:43 xxxxxxxxxxxxxx
MSWinEventLog<009>0<009>Security<009>1644392<009>Wed Jun 08 13:33:12
2005<009>560<009>Security<009>Administrator<009>User<009>Success
Audit<009>server<009>Object Access<009><009>Object Open: Object
Server: Security Object Type: File Object Name:
F:\Dev\User\Green\Drew_Womack-Hey_Daisy.mp3 Handle ID: 1672
Operation ID: {0,113994271} Process ID: 4 Image File Name:
Primary User Name: server$ Primary Domain: domain Primary
Logon ID: (0x0,0x3E7) Client User Name: Administrator Client
Domain: server Client Logon ID: (0x0,0x6C33D24) Accesses:
READ_CONTROL ReadData (or ListDirectory) ReadEA ReadAttributes
Privileges: - Restricted Sid Count: 0 Access Mask: 0x20089
<009>1643575





Kevin3DR
07-09-2005, 10:53 PM
I wasn't able to get the full error message previously, as I was
running a batch job, and could test it.

Here it is:

\\server is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find
out if you have access permissions.

Logon failure: account currently disabled






Steven L Umbach
07-09-2005, 10:53 PM
If you are using XP Pro as the client see the link below about managing
stored credentials. Mapped network shares can also use persistent user
credentials. Can that user account logon directly to the server at the
keyboard or from a different domain client computer? --- Steve

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdp_log_vkxx.asp
OR in case of wrap
http://tinyurl.com/6qlzj

Kevin3DR
07-09-2005, 10:53 PM
Found it.

The server had a different set of credentials set up in it, and by
going to manage passwords, as described in the link you gave me, I was
able to remove it, and it works fine now.

Thanks a bunch for your help.

Kevin



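The check done by eye in this thread, reading Client User Name and Client Domain in the event 560 record, can be run over forwarded MSWinEventLog records. The following Python is an added example, not code from anyone in the thread; the field positions are an assumption read off the record posted above, and the second sample record is constructed.

```python
import re

# The thread's syslog rendering shows the tab separator as the literal "<009>".
SEP = re.compile(r"<009>|\t")
CLIENT = re.compile(
    r"Client User Name:\s*(.*?)\s*Client Domain:\s*(.*?)\s*Client Logon ID:")

def parse_event(raw):
    """Return event id, computer and client identity from one MSWinEventLog record."""
    fields = [" ".join(part.split()) for part in SEP.split(raw)]
    # Assumed layout, read off the record in the thread:
    # [5] = event id, [10] = computer name, [13] = description text.
    if len(fields) < 14 or not fields[0].endswith("MSWinEventLog"):
        return None
    match = CLIENT.search(fields[13])
    if not match or match.group(1) in ("", "-"):
        return None  # no client identity recorded for this access
    return {"event_id": fields[5], "computer": fields[10],
            "client_user": match.group(1), "client_domain": match.group(2)}

def local_account_access(records):
    """Keep events where the client account is local to the server itself."""
    hits = []
    for raw in records:
        event = parse_event(raw)
        # Client Domain equal to the computer name means the session was
        # authenticated as a local account, not as a domain account.
        if event and event["client_domain"].lower() == event["computer"].lower():
            hits.append(event)
    return hits

# First record shortened from the one posted in the thread; the second is
# constructed to show the same access made under the domain account.
SAMPLE = [
    r"Jun 8 13:33:43 xxxxxxxxxxxxxx MSWinEventLog<009>0<009>Security<009>1644392"
    r"<009>Wed Jun 08 13:33:12 2005<009>560<009>Security<009>Administrator<009>User"
    r"<009>Success Audit<009>server<009>Object Access<009><009>Object Open: "
    r"Primary User Name: server$ Primary Domain: domain Client User Name: Administrator "
    r"Client Domain: server Client Logon ID: (0x0,0x6C33D24)<009>1643575",
    r"Jun 8 14:02:10 xxxxxxxxxxxxxx MSWinEventLog<009>0<009>Security<009>1644400"
    r"<009>Wed Jun 08 14:01:40 2005<009>560<009>Security<009>Green<009>User"
    r"<009>Success Audit<009>server<009>Object Access<009><009>Object Open: "
    r"Primary User Name: server$ Primary Domain: domain Client User Name: Green "
    r"Client Domain: domain Client Logon ID: (0x0,0x6C40000)<009>1643580",
]

if __name__ == "__main__":
    for hit in local_account_access(SAMPLE):
        print("local account used:", hit["client_domain"] + "\\" + hit["client_user"])
```

Only the first record is reported, because its Client Domain is the server's own name rather than the domain.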
