Thanks for clarifying.
Looks like I need to work with this more before I go production with it.

Neil

From: Carl Houseman [mailto:[email protected]]
Sent: Monday, January 25, 2010 9:33 AM
To: NT System Admin Issues
Subject: RE: 2008 R2 in a 2003 R2 domain

Being logged in as a domain admin is not enough to get full administrator access. You only have full admin access if: a) UAC prompts you or b) you start something "as an administrator". Running scripts or doing NTFS things that require administrator access do not cause UAC prompts.

This is all the same as Windows Vista/7.

Carl

From: Neil Standley [mailto:[email protected]]
Sent: Monday, January 25, 2010 12:28 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 in a 2003 R2 domain

When I run a command prompt as administrator I can run it successfully, as I expect it would. Is it normal to encounter UAC when logged in as a domain admin in 2008? (I know, not best practice.) It seems strange to me that I get an error stating I must be a member of the admins/dom admins group to run the command when I already am.

I can understand not having permission to write to the root of a drive, for NON-admin accounts, but again I’m logged in as a domain admin so shouldn’t I have full control? What further confuses me is, if I create a folder at the root I should be the Owner of that folder and have full control over it and its contents. Is that not true? What I’m seeing here is that my admin user acct doesn’t have the rights to create new objects within this subfolder either even though effective permissions state I have full control. It seems as if permissions are not being inherited properly.

Thanks
Neil

From: Ken Schaefer [mailto:[email protected]]
Sent: Friday, January 22, 2010 8:15 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 in a 2003 R2 domain

Did you run your command window “as Administrator”? UAC doesn’t apply to the built-in Administrator account. It does to every other account. You seem to be running into that issue.

Regular users haven’t had modify permissions to the root of drives in Win2k3 days (at least to the C: drive). Perhaps they have just extended that in Win2k8 R2.

Cheers
Ken

From: Neil Standley [mailto:[email protected]]
Sent: Saturday, 23 January 2010 8:08 AM
To: NT System Admin Issues
Subject: 2008 R2 in a 2003 R2 domain

Please forgive me if this has been answered already, I searched through my list emails and couldn’t find anything related.

Is there anything I need to do to prep my 2003 R2 domain before introducing a 2008 R2 member server? I ask because, well I was stupid and forgot to ask before adding it to my domain and now have a few oddities.

After joining this server to the domain, the Domain admins group is automatically added to the local admin group on the 2008 server. When I log in as my domain admin account I find I can’t do some things an admin should have rights to do. Such as execute IISReset, see error below. (yes, IIS IS installed and running)

This is the exact message I get when trying to run IISReset using my domain admin account. If I log in as the local admin I can run this without errors.

Access denied, you must be an administrator of the remote computer to use this command. Either have your account added to the administrator local group of the remote computer or to the domain administrator global group.

I also could not create a new file on the root of D until I added authenticated users and gave them modify permissions. But again, if I’m logged in as local admin then I have no problem doing this.

Thank <insert your holy deity of choice here> it’s Friday!

Thanks,
Neil
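
The UAC behaviour discussed in this thread (an Administrators member whose session is not elevated) can be confirmed from a PowerShell prompt. This is an added example, not code from any of the posters; the function name Get-AdminTokenState is hypothetical, and it assumes whoami.exe is on the path, as it is on Windows Vista/2008 and later.

```powershell
# Added example (not from the thread). Get-AdminTokenState is a hypothetical name.
# Compatible with PowerShell 2.0, the version shipped with Server 2008 R2.
function Get-AdminTokenState {
    $adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the Administrators SID is enabled in this process token,
    # which is the case when the process was started elevated.
    $elevated = $principal.IsInRole($adminRole)

    # whoami lists every SID in the token, including ones UAC has marked
    # deny-only, so group membership stays visible without elevation.
    $entry = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq $adminSid }

    # Attribute text as reported by whoami (shows the deny-only marking).
    $flags = $null
    if ($entry) { $flags = $entry.Attributes }

    if ($elevated) {
        $state = 'Full administrator token (elevated)'
    } elseif ($entry) {
        $state = 'Administrators member, UAC-filtered token (not elevated)'
    } else {
        $state = 'Not a member of Administrators'
    }

    New-Object PSObject -Property @{
        User            = $identity.Name
        Elevated        = $elevated
        AdminGroupFlags = $flags
        State           = $state
    }
}

Get-AdminTokenState | Format-List
```

Run it once from a normal prompt and once from a prompt started "as administrator" to compare the two results for the same domain admin account.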
