Domain Admins can't manage computers

Angus Chen

For some reason I am having some bizarre security problem
in my domain:

When I had to modify the members of a local security group
(Administrators / Power Users) on workstations, what I
always do is to open "Computer Management" from my own
computer and connect to the destination workstation, then
make the change. There was never a problem doing this in
the last 2 years since our Win2K forest was created.
However recently I am getting an error about access denied,
the message looks like this:

"The following error occurred while attempting to save
properties of group Administrators on computer XXX: Access
is Denied"

Of course my account is a member of Domain Admins, I also
checked the members of the local "Administrators" group on
the workstation to make sure that "Domain Admins" is still
there, and it is. I also did this from the domain
controller (logging on as the Domain Administrator account,
and connecting to the workstation) and I'm getting the same
failure when trying to save my change.

The only way for me to update the member list of local
groups on workstations is to visit the workstation and log
on to it locally, then I have no problem whether I log on
using my own account or the domain administrator.

This is happening to *ALL* workstations (Win2K/ XP) under
the domain and there is no exception, therefore I would
like to eliminate the possibility to be about security
patch / service pack or something specific like that from
the workstation side.

There is only one D.C under this domain, all services
running on it are working fine, there is no event log
about this from the server, although each failure was
logged on the workstations, that does not help me to
troubleshoot at all.

I appreciate any hint to solve this problem.
 
Guest

Check that the Remote Registry NT Service is enabled. The Server service as
well, if you are going to run mbsacli.exe to manage any of the clients.

Assuming you are in an Active Directory network, move a problematic machine
(one Win2k, one WinXP) into an OU without any Group Policies to eliminate
this possibility.
Naturally you can also use GPMC to check the RSOP for any affected machines.

Do let us know if this helps. Thanks.
 
Angus Chen

1. The "Remote Registry" service is running on all
workstations with no problem.

2. Under this domain, we have never configured the "Default
Group Policy", since this problem is happening to *all*
computers, instead of moving all of them to another
location, do you recommend I just disable the default
policy and see how it works out?
 
Steven L Umbach

If you enabled an ipsec filtering policy or Windows Firewall on XP Pro
computers you could be blocking access to necessary ports to manage those
computers. File and print sharing port access is needed. See if you can
connect to the administrative share such as C$ on any of those client
computers. If you can not then there is a problem with file and print
sharing. If you can there is another problem. --- Steve
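
The checks suggested in the replies above (Remote Registry and Server services, file and print sharing ports, the C$ administrative share), collected into one PowerShell script as an added example that is not part of the original thread. The workstation names are placeholders, and running it from an admin workstation with Windows PowerShell 5.1 under the affected Domain Admins account is an assumption.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1 assumed
# (Get-Service -ComputerName was removed in PowerShell 7).
param(
    # Hypothetical workstation names; replace with affected machines.
    [string[]]$ComputerName = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02')
)

function Test-RemoteAdminPath {
    param([Parameter(Mandatory)][string]$Computer)

    $r = [ordered]@{ Computer = $Computer }

    # File and print sharing ports: 445 (SMB over TCP) and 139 (NetBIOS session).
    foreach ($port in 445, 139) {
        $probe = Test-NetConnection -ComputerName $Computer -Port $port -WarningAction SilentlyContinue
        $r["Tcp$port"] = [bool]$probe.TcpTestSucceeded
    }

    # Administrative share reachable with the current credentials?
    $r['AdminShare'] = Test-Path -Path ('\\{0}\C$' -f $Computer) -ErrorAction SilentlyContinue

    # Remote Registry and Server (LanmanServer) services, queried remotely.
    foreach ($name in 'RemoteRegistry', 'LanmanServer') {
        try {
            $r[$name] = [string](Get-Service -ComputerName $Computer -Name $name -ErrorAction Stop).Status
        } catch {
            $r[$name] = 'QueryFailed'
        }
    }

    # Decision order follows the replies: ports, then C$, then services, then policy.
    $r['Diagnosis'] = if (-not ($r['Tcp445'] -or $r['Tcp139'])) {
        'Ports blocked: check IPsec filtering policy / Windows Firewall'
    } elseif (-not $r['AdminShare']) {
        'C$ not reachable: file and print sharing problem'
    } elseif ($r['RemoteRegistry'] -ne 'Running' -or $r['LanmanServer'] -ne 'Running') {
        'Required service not running or not queryable'
    } else {
        'File sharing and services OK: another problem, review RSoP / Group Policy'
    }

    [pscustomobject]$r
}

$ComputerName | ForEach-Object { Test-RemoteAdminPath -Computer $_ } | Format-List
```

Running it against one Win2K and one XP machine gives a side-by-side view of which layer fails first on each.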
 
