Ask the Expert

Problems with Active Directory and insufficient rights

We have a Windows 2000 environment that is still running in Mixed Mode. We have had our solution in place for almost a year. Last week we renamed the domain administrator account. Since then, it has caused nothing but problems. We are unable to create any new group policies. The message says "insufficient privileges" or examine the default domain controller policy again with the "Insufficient Rights." We are unable to run Backup Exec and again we get "Insufficient rights."

We tested renaming the account on our Test server without any issues.

Do you know of any way to reset the administrator account within Active Directory? I'm sure there's a conflict between the GUID and account name.

Requires Free Membership to View

Renaming an account should not (I stress the word "should") have any effect on permissions. Active Directory objects are protected by ACLs that contain user and group SIDs, not the user's name or the GUID assigned to the user's AD object. Have you tried changing the name back to "Administrator" and seeing if the problems disappear?

We could be looking at something coincidental. Did you change the administrator password at the same time you changed the name? Then your problems make more sense, especially for Backup Exec. The password associated with a service such as Backup Exec is set in the Services.msc console. Reset the password and that should solve the "Insufficient Rights" error for BE.

Did you take the Administrator account out of the Administrators group and/or the Domain Admins group at the same time that you changed the name? That would explain the problem with group policies. You must have rights for the Policies container to modify a GPO. You can see the rights assigned to the Policies container in the AD Users and Computers console by enabling the "View Advanced" option then drilling down to System | Policies. Open the Properties window for the Policies container and select the Security tab.

By default, both the Administrators group and the Domain Admins group are on the ACL for this container. That's what makes me think you might have taking the Administrator account out of these groups.

Repost a follow-up if these suggestions do not help.

This was first published in April 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: