Forum Discussion

Jordan Paris's avatar
Jordan Paris
Brass Contributor
Jan 15, 2019

Windows Server 2019 DC/Std odd permission issues with UI options

We are in the process of getting some test servers up to replace some basic 2008 R2s, etc.    Both of these scenarios are ran using domain admin accounts:   We have noticed that after it is domai...
windows server
Jordan Paris's avatar
Jordan Paris
Brass Contributor
Jan 24, 2019

I've edited my original post with an update, but in case it gets missed, here is what I updated:

 

In an attempt to try and nail down exactly what is going on, I've narrowed down the replication steps, at least for us. In a fresh VM with the ISO provided from the VLSC, these tasks (changing timezone, and restarting via that restart button with the Settings app) work just fine using local admin. I created a second local admin account (still not domain joined) and assigned it to the Administrators group. This second admin account fails to get the proper permissions to be able to change the time zone and gets the error when trying to restart. 

 

In the local security policy, under the User Rights Assignment section, I added this second admin account to "Change the time zone" and "Shutdown the system" explicity (Administrators is already included in the scope). Relogging on to this second admin account, I am able to successfully change the timezone and restart from the Settings app after an update. Removed the account from both and tested again, back to not having permission.

 

In our domain environment, we have domain admins included in local administrators group, so this would explain why we those domain admin accounts are experiencing this behavior. 

sys-adm's avatar
sys-adm
Copper Contributor
Jan 28, 2019

Hi Jordan,

 

Thank you for your feedback and your great troubleshooting steps.

We have now added to the servers the domain admin group and another admin group from the active directory that we have for all admins in our environment.

For us it is working now.

 

Regards sys-adm

  • n3ologic's avatar
    n3ologic
    Copper Contributor
    Jun 19, 2020
    We are also having this issue with all 8 of our Server 2019 installs, some upgraded and some fresh installs with all updates installed. another issue is that Server Manager throws an error and will not open using an account with "Domain Admins" or "Group Policy Creator Owners" group permissions but will work just fine with local Administrator or "Administrators" group added to the domain user's account without the above mentioned groups that have issues.

    in summary, if a user account has "Domain Admins" or "Group Policy Creator Owners" group attached to it, it has problems (regardless of what other groups the user belongs to.)
    • n3ologic's avatar
      n3ologic
      Copper Contributor
      Jun 22, 2020

      n3ologic update: the "Domain Admins" and the "Group Policy Creator Owners" groups were created on 9/14/2002 so they were a part of the upgrade on the DC. would there be any problem deleting these groups and re-adding them to the DC?

Resources