user added to domain admin global group has not the same rights as 'the' domain administrator....?
Hi,
I added a new Server 2008 R2 to our domain to be used as a file server, but I noticed something strange. Working as 'the' domain administrator I can do everything (settings, access to folders, etc.), but normally I work as a domain user that is a member of the domain admin group, and for some reason this user does not have the same rights. I even added the domain user to the local admin group, but this makes no difference. With this 'second' domain admin I cannot access files, I cannot change settings, etc.
Can somebody point me in the right direction where to look? Policies???
I have this problem only on this server, not on other Win2008R2 servers already in the domain.
Thanks
Daniel
February 22nd, 2011 6:44am

Hi,
Please log on as the problematic user, open CMD and run the following command to verify the group memberships:
    net user username /domain
If this user belongs to local administrators and domain admins, check if you can view the Effective Permissions:
View effective permissions on files and folders
http://technet.microsoft.com/en-us/library/cc758822(WS.10).aspx
Meanwhile, I suggest you create a new user, add it to the domain admins group and log on to the file server for a test.
Regards,
Bruce
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 23rd, 2011 7:07am

Hi Bruce,
The net user command reveals that although the mentioned user belongs to the domain admin group, he belongs to not even one local group. This is strange because he is directly a member of the local admin group and again via domain admin. Doing the same exercise with 'the' domain administrator gives membership of the local administrators group as a result.
I created a new user, added him to domain admins, added him to the local admin group... but same result! The net user command tells me that this new user does not belong to any local group.
I also checked policies (removed as many domain policies as allowed) but none are related to this strange behaviour.
Regards
Daniel
February 25th, 2011 5:06am

Go to Local Users and Groups -> Groups and make sure the group membership is okay.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
February 25th, 2011 7:58am

Yes, it is. Both the first and the second domain user with domain admin rights are in the local administrator group (twice, as they are also in this group via domain admins). But still net user tells me they are not. I removed and re-added them again but no change.
February 25th, 2011 9:47am

Is it some UAC issue? Make sure UAC is turned off and check again.
February 26th, 2011 3:28am

Switched off the UAC... no change. I cannot get a user with domain admin rights into the local administrator group... at least according to 'net user' and the lack of rights.
February 26th, 2011 4:37pm

Did you make sure to log off and then back on again (perhaps even a reboot is required) after turning off UAC? In 2008 R2 even administrators log on in the user context, and are for all intents and purposes a regular user, until they choose to elevate their privileges when launching an application.
February 27th, 2011 11:56am
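
The token filtering described in the post above can be checked directly. This is an added PowerShell example, not part of the original thread: it reports whether BUILTIN\Administrators is present and enabled in the current logon token and lists the members of the server's own Administrators group. The output property names are chosen here for illustration.

```powershell
# Added diagnostic example (not from the thread). Run it in the logon session
# of the affected account, on the file server itself.
$adminSid  = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # well-known SID of BUILTIN\Administrators
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity

# True only if Administrators is an enabled group in this process token.
$enabled = $principal.IsInRole($adminSid)

# whoami lists every group in the token, including deny-only entries.
# /nh plus explicit headers keeps the parsing independent of the OS language.
$row = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, Sid, Attributes |
    Where-Object { $_.Sid -eq $adminSid.Value }

# Resolve the (possibly localized) group name from the SID.
$groupName = $adminSid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1]

New-Object PSObject -Property @{
    User                  = $identity.Name
    AdministratorsInToken = [bool]$row
    TokenAttributes       = if ($row) { $row.Attributes } else { '(group not in token)' }
    AdministratorsEnabled = $enabled
}

# net localgroup reads this server's own group database;
# net user <name> /domain is answered by a domain controller instead.
net localgroup $groupName
```

If AdministratorsInToken is true but AdministratorsEnabled is false, the session is running on the filtered UAC token and the check should be repeated from an elevated prompt. If the group is not in the token at all after a fresh logon, the membership was not picked up on this machine and the cause lies somewhere other than UAC.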

Hi Daniel,
Have you tested if the new user has the expected rights? What error message did you receive when trying to change settings or access the folder?
Please also check the Effective Permissions:
View effective permissions on files and folders
http://technet.microsoft.com/en-us/library/cc758822(WS.10).aspx
If the problem continues, I suggest you try the following steps:
1. On this problematic member server, open TCP/IP Properties and verify the DNS server is pointed to your DNS server.
2. Re-join this server to the domain.
Regards,
Bruce
February 28th, 2011 12:43am

I had the same issue in a VMWare lab environment. I was following this thread but the suggested solutions did not resolve my issue. It turns out I had duplicated SIDs and when I sorted them out the problem went away. Good luck with yours!
February 28th, 2011 3:11am

Re-joined the server to the domain and rebooted, logged in with both users.
DNS is set correctly.
Two users (admindc and adminLuc), both domain admins (removed and added again, checked on other servers!).
Both users added explicitly to the local administrator group! (although not needed, as domain admins are members of this group)
net user admindc /domain -> shows membership of local administrator group
net user adminluc /domain -> shows NO membership of local administrator group
Effective permissions checked on (as example) root user-folders: for both users FULL access (as local admin group has full access on that folder).
Still... neither admindc nor adminluc is able to open that folder... access denied.
I made some screenshots but it seems I cannot upload them here.
The only strange error I can find in the event logs is (40961):
The Security System could not establish a secured connection with the server ldap/etro.vub.ac.be/etro.vub.ac.be@ETRO.VUB.AC.BE. No authentication protocol was available.
February 28th, 2011 5:44am

Hi,
According to the following thread, the issue can be caused by duplicated SIDs:
Domain Admins group does not automatically add to local Administrators group
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/dcff7b65-f813-4b91-8f88-6f8d19b9f924/
If the problem still continues, I suggest you log on as the domain administrator and create a new folder. Then log off and log on as admindc or adminluc for a test. If there's any error message, please capture a screenshot and upload it to this space (please choose "Send Files to Microsoft"):
Workspace URL: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=3f16286c-1b1d-4e19-abb4-af78342387ef
Password: K*#pr+G3At$Ve
Please also help to capture a screenshot to show the Effective Permissions.
Regards,
Bruce
March 1st, 2011 3:30am

Hi,
According to the following thread, the issue can be caused by duplicated SIDs or Restricted Groups:
Domain Admins group does not automatically add to local Administrators group
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/dcff7b65-f813-4b91-8f88-6f8d19b9f924/
If the problem still continues, I suggest you log on as the domain administrator and create a new folder. Then log off and log on as admindc or adminluc for a test. If there's any error message, please capture a screenshot and upload it to this space (please choose "Send Files to Microsoft"):
Workspace URL: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=3f16286c-1b1d-4e19-abb4-af78342387ef
Password: K*#pr+G3At$Ve
Please also help to capture a screenshot to show the Effective Permissions.
Regards,
Bruce
March 1st, 2011 3:31am

Hi Bruce-Liu,
I followed the link you mentioned, but the proposed answer is to re-create the VM... and in my case it's a physical server, installed from scratch (so no cloning, but I did use WDS to auto-install via the network).
I will upload a screenshot asap.
Regards
Daniel
March 29th, 2011 5:53am

The above upload link does not work (anymore?). Could you please allow the upload again?
Thanks
Daniel
March 29th, 2011 5:55am

Hello everybody,
I have a problem with my file server, too. I'm running Server 2008 R2 Enterprise [German] in my domain and I don't understand the problem. I had no problems with the same security folder settings on Server 2003 Standard.
The local Administrator and the Domain-Admins Group are members of the local Administrators Group. But I don't have access to some volumes (external arrays) where the security is set to Administrators (full access) [local Administrators Group]. If I also add the Domain Admins Group to the volume everything works fine, but I should have access before that, because the Domain-Admins Group is a member of the local Admins Group?!
The really weird thing is: on the local volumes C:\, E:\ and F:\ I have all rights and possibilities, BUT there are only the SYSTEM Group, Administrators Group (local) and Users Group (local) set, like on my external volume, where I get an "access denied" message?! What is the essential difference? Owner of C:\ is "TrustedInstaller"; E:\ is "SYSTEM" and for F:\ and my external volumes it is the local Administrators Group. I don't get it...
PS: If I try NET USER DOMAIN-ADMIN /DOMAIN I get an error with "the option /domain is unknown". ??? If I try NET USER DOMAIN-ADMIN \DOMAIN I get the message "the user could not be found". I tried two users of my Domain-Admins Group. If I try NET USER Administrator \DOMAIN, who is also in the Domain-Admins Group, I get the message "systemfailure 5 - access denied".
March 31st, 2011 10:58am

Did you happen to use sysprep with your image? Did you check the "generalize" checkbox?
April 1st, 2011 9:00am

No image involved (so also no sysprep), clean install.
Daniel
April 1st, 2011 9:02am

This topic is archived. No further replies will be accepted.
