+ Post New Thread
Results 1 to 7 of 7
Windows 7 Thread, Accessing C drive as a domain admin - no permissions. in Technical; Following an earlier thread, I have a machine that is connected to the domain with Domain Admin account part of ...
  1. #1

    garethedmondson's Avatar
    Join Date
    Oct 2008
    Location
    Gowerton, Swansea
    Posts
    2,258
    Thank Post
    962
    Thanked 324 Times in 192 Posts
    Blog Entries
    11
    Rep Power
    164

    Accessing C drive as a domain admin - no permissions.

    Following an earlier thread, I have a machine that is connected to the domain with Domain Admin account part of the local administrators group. I assumed everything was working fine.

    We have turned UAC off for administrators for now until I read some more. This also works (except for drive mapping via gpo).

    My problem is that the Domain Admin account cannot access the c drive nor edit the Hkey local machine part of the registry as well. I wonder whether they are related?

    Can anyone advise as to why the domain admin would not be able to access the c drive and if so can it be set via gpo?

    Many thanks

    Gareth

  2. #2
    Galway's Avatar
    Join Date
    Jun 2007
    Location
    West Yorkshire
    Posts
    1,263
    Thank Post
    8
    Thanked 296 Times in 205 Posts
    Rep Power
    98
    Is the Doman admin a member of another group that is restricted? ie STAFF

  3. #3

    Join Date
    Aug 2007
    Posts
    811
    Thank Post
    98
    Thanked 64 Times in 46 Posts
    Rep Power
    25
    Sounds like you have "Loopback Processing" applied in one of your group policies

    As this will apply to any user...

    Do a Result of Group Policy and check:
    Administrative Templates, System, Group Policy, Loopback Policy

  4. #4

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    10,991
    Thank Post
    851
    Thanked 2,653 Times in 2,253 Posts
    Blog Entries
    9
    Rep Power
    764
    Assuming you mean writing to the C: root directory then both of these things are tasks that require privilage elevation, although you have disables UAC thses lockouts may remain you just won't get the UAC dialogue to elevate your request and make it work.

  5. #5

    garethedmondson's Avatar
    Join Date
    Oct 2008
    Location
    Gowerton, Swansea
    Posts
    2,258
    Thank Post
    962
    Thanked 324 Times in 192 Posts
    Blog Entries
    11
    Rep Power
    164
    Quote Originally Posted by burgemaster View Post
    Sounds like you have "Loopback Processing" applied in one of your group policies

    As this will apply to any user...

    Do a Result of Group Policy and check:
    Administrative Templates, System, Group Policy, Loopback Policy
    Hi,

    We might have - I have been told by the LEA that we have to have 'Merge Mode' so I have set this in:

    Computer Configuration > Adminitrative Templates > Policies > System Group Policy > User Group Policy Loopback Processing Mode

    This is set to enabled.

    But how would this stop the DomainAdmin accessing the C drive? Can anyone advice how to get around it as apparently this setting has to be done in our AD (which is provided by the LEA).

    [Edit: OKay - I lie. I can access the C drive, but cannot access or write to certain areas - I assume these are the protected areas. Program Files is one of them]

    Many thanks

    Gareth
    Last edited by garethedmondson; 29th June 2010 at 09:53 AM.

  6. #6

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    Not absolutely sure but I think this is "working as designed" - you really need to have UAC turned on.

    When you go to write a file to (eg) c:\program files UAC should pop up saying "are you sure", you say yes and you're allowed to write (simplifying a bit!)

    As @synack; says, if you turn off UAC then you don't get the prompt and you're not allowed to write.

    What are you trying to do?

    If you want something to be automated (and thererfore the UAC prompt gets in the way) then you can enable the administrator account and use that - this account can make changes to the file system without prompting.

  7. #7

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    10,991
    Thank Post
    851
    Thanked 2,653 Times in 2,253 Posts
    Blog Entries
    9
    Rep Power
    764
    Yeap, running as a domain admin does not automaticly get past those restrictions but running as the local administrator on the machine does. If you want to test this a quick way would be to use the runas program from the command prompt to run things as the local administrator manually, this will emulate what UAC does for you automaticly. Long term I would be looking at using UAC though although it does sound like your county AD has been setup in every way possible to be an impediment to use of anything other than their preffered OS.

SHARE:
+ Post New Thread

Similar Threads

  1. Machine not accessing a domain
    By garethedmondson in forum Internet Related/Filtering/Firewall
    Replies: 15
    Last Post: 22nd May 2010, 02:03 PM
  2. Accessing SIMS from another domain
    By laserblazer in forum MIS Systems
    Replies: 7
    Last Post: 11th March 2010, 11:13 PM
  3. Domain Admin cannot perform functions as local admin
    By KWestos in forum Thin Client and Virtual Machines
    Replies: 3
    Last Post: 30th September 2009, 09:58 PM
  4. pupils accessing c: drive
    By jonbones in forum Windows
    Replies: 7
    Last Post: 29th August 2009, 06:17 PM
  5. Permissions on your simsroot/sims drive/s: drive
    By Oops_my_bad in forum MIS Systems
    Replies: 1
    Last Post: 27th November 2007, 11:38 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •