Problem solve Get help with specific problems with your technologies, process and projects.

Problems with Active Directory and insufficient rights

We have a Windows 2000 environment that is still running in Mixed Mode. We have had our solution in place for almost a year. Last week we renamed the domain administrator account. Since then, it has caused nothing but problems. We are unable to create any new group policies. The message says "insufficient privileges" or examine the default domain controller policy again with the "Insufficient Rights." We are unable to run Backup Exec and again we get "Insufficient rights."

We tested renaming the account on our Test server without any issues.

Do you know of any way to reset the administrator account within Active Directory? I'm sure there's a conflict between the GUID and account name.

Renaming an account should not (I stress the word "should") have any effect on permissions. Active Directory objects are protected by ACLs that contain user and group SIDs, not the user's name or the GUID assigned to the user's AD object. Have you tried changing the name back to "Administrator" and seeing if the problems disappear?

We could be looking at something coincidental. Did you change the administrator password at the same time you changed the name? Then your problems make more sense, especially for Backup Exec. The password associated with a service such as Backup Exec is set in the Services.msc console. Reset the password and that should solve the "Insufficient Rights" error for BE.

Did you take the Administrator account out of the Administrators group and/or the Domain Admins group at the same time that you changed the name? That would explain the problem with group policies. You must have rights for the Policies container to modify a GPO. You can see the rights assigned to the Policies container in the AD Users and Computers console by enabling the "View Advanced" option then drilling down to System | Policies. Open the Properties window for the Policies container and select the Security tab.

By default, both the Administrators group and the Domain Admins group are on the ACL for this container. That's what makes me think you might have taking the Administrator account out of these groups.

Repost a follow-up if these suggestions do not help.

Dig Deeper on Windows systems and network management