Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2007-08-01) Access Denied Does Not Seem To Be What It Really Means

Posted by Jorge on 2007-08-01

As you may remember, Windows Vista and Windows Server 2008 have something called "User Account Control (UAC)". Its main purpose is to prevent misuse of powerful privileges, so admin accounts first need to elevate their privileges/permissions before they can do what they want to do.

The built-in administrator in Windows Vista and Windows Server 2008 does not need to elevate its privileges by default. All other custom-made admin accounts do need to elevate their privileges. To give you an example, create a new admin account and make it a member of Domain Admins! Let's live dangerously! 😉 Of course make sure to create/install your W2K8 server with AD first.

Now perform the following action, first logged on as the built-in administrator account, then log off and log on as the custom-made admin and perform it again.

  • DSADD user "CN=jorge,CN=Users,DC=adlh,DC=demo" -samid "jorge" -display "jorge" -pwd P@ssw0rd1 -pwdneverexpires yes -canchpwd no

What's the difference? You will probably find that DSADD throws an "Access Denied" even though you are a member of the Domain Admins group. What happens here is that DSADD apparently is not UAC aware and does not invoke the UAC window to ask for consent to elevate the privileges needed to perform the action. You receive an access denied because the privileges are not elevated. To be honest, I consider this a bug, because the DSADD utility should behave like the NTDSUTIL utility, which does prompt. I reported this to Microsoft. So how can you still execute the DSADD command until this has been repaired? A few options are available: (1) open an elevated command prompt window with the "Run as administrator" option; (2) open a normal command prompt window and use the elevation script as described here.
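As an added example (not from the original post), a PowerShell script that checks whether the current session holds the full elevated token, lists which groups UAC has marked "deny only" in a filtered token, and relaunches itself with "Run as administrator" before calling DSADD. It assumes PowerShell 2.0 or later on Windows Server 2008 and reuses the post's constructed DN and password.

```powershell
# Added example, not part of the original post. Assumes PowerShell 2.0+.
# Under UAC a member of Administrators/Domain Admins gets a *filtered* token in a
# normal shell: the admin groups are still present but flagged "deny only",
# which is why DSADD returns "Access Denied" despite correct memberships.

function Test-IsElevated {
    # IsInRole(Administrator) is true only for the elevated (unfiltered) token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DenyOnlyGroups {
    # Diagnostic: which groups UAC stripped to deny-only in this token.
    $rows = whoami /groups /fo csv | ConvertFrom-Csv
    return $rows | Where-Object { $_.Attributes -match 'deny only' } |
        ForEach-Object { $_.'Group Name' }
}

if (-not (Test-IsElevated)) {
    $denied = Get-DenyOnlyGroups
    if ($denied) {
        Write-Host "Filtered token; deny-only groups: $($denied -join ', ')"
    }
    # Relaunch this script with the RunAs verb; this is what raises the UAC
    # consent window that DSADD itself never asks for.
    $scriptPath = $MyInvocation.MyCommand.Path
    $psArgs = "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
    Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs -Verb RunAs
    exit
}

# Now running elevated: the same DSADD call that failed before succeeds.
& dsadd.exe user 'CN=jorge,CN=Users,DC=adlh,DC=demo' -samid jorge -display jorge `
    -pwd 'P@ssw0rd1' -pwdneverexpires yes -canchpwd no
if ($LASTEXITCODE -ne 0) {
    Write-Error "dsadd failed with exit code $LASTEXITCODE"
}
```

Save it as a .ps1 file and run it from a normal (non-elevated) prompt as the custom-made admin to see the deny-only groups reported and the UAC prompt appear.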

So be aware of this issue in the future when using tools or scripts in Windows Vista or Windows Server 2008 (or later): if you receive an "access denied" while you do have the correct memberships, check first whether the process is actually running elevated!


* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!

