Domain admin account cannot install any software on Windows Server 2012 R2

Hello everyone,

Good day, I hope you're doing well. I use Windows Server 2012. The Domain Administrator cannot install any software on other member computers in the domain. When I try to install any software on any member computer, this message appears: "Administrator Login required". If I want to activate the local administrator on any computer using the domain administrator account, this message appears: "The following error occurred while attempting to save properties for user administrator. Access is denied". When I want to access Local Group Policy using the domain administrator account on any member computer, this message appears: "You do not have permission to perform this operation, Access is denied".

Could you please help me with this issue?

Thanks.

10 Replies
Did you set up the domain? Since the default has Domain Admins in the Administrators group of servers and workstations in the domain, it was most likely changed. What GPOs are applied to the OU where the workstation is located?

Here is some info on how the Domain Admins group should be secured, which might help figure out why your domain admin account doesn't have access.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix...

Dear Sir,

Thanks for your reply. I did set up the domain. The image below describes the user that has lost his administrator permissions; the user is called "IT Admin". Previously I could install any software on any member computer; since 2 weeks ago I cannot, and this message appears: "Administrator Privileges are required to install". Please find attached links for photos from Active Directory Users and Computers and Group Policy Management, to advise me what I should do.

https://social.technet.microsoft.com/Forums/getfile/1246143

https://social.technet.microsoft.com/Forums/getfile/1246144

https://social.technet.microsoft.com/Forums/getfile/1246146

https://social.technet.microsoft.com/Forums/getfile/1246147

https://social.technet.microsoft.com/Forums/getfile/1246148

https://social.technet.microsoft.com/Forums/getfile/1246149

Did you change the policy?

See the history.

Dear Mr. AbedEl-Hamid,

Good day, could you please let me know how to get more details to know if the policy changed or not.

Thanks for your support and assistance.

Have any of the following policies been applied to the GPO for that OU:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\User Rights Assignments:

Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services user rights

Also, can you confirm that the computer is located in that OU?

As to your question, you should be able to see when the GPO was last modified by going to its properties.
Just so I don't assume: you have confirmed that Domain Admins is still a member of the local admins group of that computer?
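
The checks asked for in the reply above can be scripted. This is an added example, not part of the original thread; it assumes an English-language OS (group named "Administrators"), an elevated prompt on the member computer for the `secedit` and `gpresult` steps, and the GroupPolicy module (RSAT) on the machine where the GPO listing is run.

```powershell
# --- On the affected member computer (Windows 7 or Windows 10) ---

# 1. List the local Administrators group. ADSI is used because
#    Get-LocalGroupMember does not exist on older PowerShell versions.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
'Local Administrators members:'
$members | ForEach-Object { "  $_" }
if (-not ($members -match '/Domain Admins$')) {
    Write-Warning 'Domain Admins is not a member of the local Administrators group.'
}

# 2. Export the effective user rights and show the five "Deny ..." rights
#    named in the reply. Values are SIDs prefixed with '*'; the Domain Admins
#    SID ends in -512.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$denyRights = 'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight',
              'SeDenyServiceLogonRight', 'SeDenyInteractiveLogonRight',
              'SeDenyRemoteInteractiveLogonRight'
foreach ($right in $denyRights) {
    $hit = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    if ($hit) { $hit.Line } else { "$right = (not assigned)" }
}
Remove-Item $cfg

# 3. Show which GPOs were applied to this computer and the OU it sits in.
gpresult /r /scope computer

# --- On a domain controller or management workstation ---

# 4. List the most recently modified GPOs to see what changed and when.
Import-Module GroupPolicy
Get-GPO -All |
    Sort-Object ModificationTime -Descending |
    Select-Object -First 10 DisplayName, ModificationTime, GpoStatus
```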

Dear Mr. Adam,

Thanks for your reply. None of the mentioned policies are applied; kindly find the attached photo.

Please note that I disabled the local group policy in the IT OU; then the problem did not happen on computers using Windows 10 but still occurred on Windows 7 machines. Please let me know what I should do to fix this issue.

Many thanks,

The problem was solved.

Many thanks to all for the support.


@Amr Khattab hi, can you share how you solved the problem? Thanks.

@ronicdao: just add a blank group policy, and the problem will be resolved. It did in my case.