Here is the situation: I set up a Windows Server 2008 R2 domain controller, and created a new Windows Server 2008 R2 server in Hyper-V, and joined it to my domain. I am able to log in and administratively control the Domain Controller without issue. However, my Domain Admin user account is not able to perform any administrative duties on the member server. Every time I try, the following error appears,The text of the error says: ”Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.” This is a classic ‘access-denied’ type of error. But I double-checked everything that I know what could have been the issue:
- The member server’s Computer object has been moved from the general “Computers” Organization Unit in Active Directory to a container that has been assigned Group Policies.
- Running GPRESULT on the member server while logged in with my Domain Admin account does show that both the computer has applied Group Policies from the Domain Controller.
- Running GPRESULT on the member server while logged in with my Domain Admin account shows that it is a member of the Domain Admins security group.
- I can log into the member server with the local administrator account and perform administrative duties without an issue.
So why is this happening and why can’t I use my Domain Admin account on my member servers? The domain admin user account, when it was created, didn’t inherit permissions from the root folders in AD Users and Computers. Apparrently, this is a very common issue with Domain and Enterprise Admin accounts. Here is how to fix this problem:
- Log into your Domain Controller.
- Open Active Directory Users and Computers.
- Click View > Advanced Features.
- Open the properties of your Domain Admin account.
- Click the Security Tab.
- Click the Advanced Button.
- Check the box next to “Include Inheritable Permissions”. Click Apply (you will immediately notice more rights appear in the list.)
- Click OK to close.
- Reboot your member server, log back in with your Domain Admin account.
Thank you Mark A King