
I have a domain with a couple of DCs (Win 2k8 R2) and about 15 workstations (Win7, x64) or so.

When trying to (remote-) access a specific Win 7 workstation (which shouldn't really be any different from the others) most remote administration tasks yield 'Access Denied', for example when trying to use the MMC to open the scheduled tasks, services (this one requires some special registry key which I distribute through a GPO), events or using the explorer to browse default SMB shares (dollar shares) etc.

The respective command line tools also fail, for example:

C:\development\ecd-vr>schtasks /run /tn EveNightly /s dionysus
ERROR: Access denied

(Well, actually the last line is translated from german :-)

Obviously I'm trying to do this as a logged on domain admin - the same things (using the same admin user) works fine with any other machine.

What does work:

  • Remote desktop (therefore it's just annoying - not critical)... I guess this might be related to the fact that in this case my local Kerberos ticket isn't used for anything...
  • Non-default (i.e. user-created, "non-dollar") SMB shares - this is interesting, there must be something special about those dollar shares...

Just in case someone wonders - the shares themselves are there:

C:\development\ecd-vr>net share

Name         Ressource                       Description

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
C$           C:\                             Default share
D$           D:\                             Default share
ADMIN$       C:\Windows                      Remote Admin
C            C:\

(Again, translated from German)

The ACLs look good too:

C:\Users\fnawothnig>icacls c:\
c:\ BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
    Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

(Again, translated)

Output from 'whoami /groups' yields nothing out of the ordinary, which is not surprising since locally everything works anyway.

Default SMB shares (i.e. \\machine\c$) yield a password dialog; upon entering my credentials the dialog comes up again (normal behaviour for "Access Denied"). The security log shows successful authentication though.

Not sure how to proceed from here - I'd be grateful for any ideas...


You don't say, but I'm assuming you're using a domain admin account to perform these tasks.

It sounds like a rogue user (with local admin rights) removed the domain admins group from the local Administrators group. There are a few registry hacks that can also achieve the same results you describe. Is the primary user of this workstation a "Power User"? Do they have local admin rights? Do they seem like the type of user who would hack their own workstation?

John Homer
  • Yes, I am a domain admin. Actually it's my own workstation (a development box) - so yea, the primary user is a "Power User" who has local admin rights, and I am someone who hacks his own workstation ;-) ... I didn't knowingly do such things but I hacked around a lot. What would these registry hacks be? Now, about the domain admins issue - agreed, it somewhat looks that way... Doesn't quite explain why everything works when I login locally though? – Felix Nawothnig Jan 26 '13 at 19:24
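An added diagnostic, not from the question or the answer above, that checks the answer's hypothesis: it lists the members of a workstation's local Administrators group, reports whether the expected domain groups are still in it, and probes a default (dollar) share next to a user-created one. The host names (dionysus, a known-good box) and the group name "Domain Admins" are assumptions; it is written for the PowerShell 2.0 that ships with Win7/2008 R2.

```powershell
# Added example: verify local Administrators membership on a suspect workstation.
# Host names and the expected group are assumptions, not taken from the post.

function Get-LocalAdministrators {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The WinNT provider reads the remote SAM over RPC/SMB. If that call is
    # itself denied on the suspect box, run this function over RDP on the box.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath is WinNT://DOMAIN/Name or WinNT://DOMAIN/COMPUTER/Name;
        # keep the second-to-last element as the authority -> DOMAIN\Name
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { "$($parts[-2])\$name" } else { $name }
    }
}

function Test-AdminGroupMembership {
    param(
        [string]$ComputerName,
        [string[]]$Expected = @("$env:USERDOMAIN\Domain Admins")   # assumption
    )
    $members = @(Get-LocalAdministrators -ComputerName $ComputerName)
    foreach ($principal in $Expected) {
        # -contains is case-insensitive, so DOMAIN\domain admins still matches
        New-Object PSObject -Property @{
            Computer  = $ComputerName
            Principal = $principal
            Present   = [bool]($members -contains $principal)
            Members   = ($members -join '; ')
        }
    }
}

# Compare the problem box with a known-good workstation side by side.
'dionysus', 'good-workstation' |
    ForEach-Object { Test-AdminGroupMembership -ComputerName $_ } |
    Format-Table Computer, Principal, Present, Members -AutoSize

# Reproduce the symptom from the post: default share vs. user-created share.
foreach ($share in 'C$', 'C') {
    New-Object PSObject -Property @{
        Share     = "\\dionysus\$share"
        Reachable = (Test-Path "\\dionysus\$share")
    }
}
```

If "Present" is False only on dionysus while the user share is reachable and the dollar share is not, the membership explanation fits; if Domain Admins is present, the GPO-distributed registry settings the question mentions are the next thing to diff between the two machines.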