
SOLVED What's the difference between (builtin) Administrator and a created admin?


Stratus_ss

So I have been trying to query an Active Directory (2008) server from a unix machine. I have noted that if I use the Builtin Administrator account, the query works just fine; if I try a user (such as stratus) that I have granted admin privileges to, the query returns a "Failed to contact Server" type message.

My question to the windows people is, I have looked at all of the groups that the builtin is a part of, and mirrored it with the stratus account, and yet I still get the same problem. Therefore I have to wonder what the difference between the builtin administrator account and a created one is.

Can anyone shed some light?
 
What if you try the query from a windows PC that is on the domain? You should only need to be a domain user to run a query (by default).

By builtin do you mean the admin account on the local AD box? Or the builtin for the unix box? Generally you need to run AD tasks as a Domain user, admin or something similar.

If that doesn't really help you, I'm a little confused on what you're trying to do :/
 
OK so the heart of the matter is that the Windows builtin Administrator account allows me to sync with active directory whereas an account created in AD and then elevated to Administrator privilege does not.

I am trying to find out why, essentially. Because this is reproducible 100% of the time I have to assume there is some difference between the Windows builtin (that is actually what it is called when you examine the properties in AD) Administrator and a created AD user who is then elevated to all the same groups as the builtin.
 
What is the query that you are running? Are you explicitly defining the domain in that request? As realmadrid12 mentioned, authenticated users in an AD forest have full read access. If you aren't getting that far with admin privileges, it sounds like the query isn't formed right.
 
Check their security permissions too; it should have Everyone and Authenticated users in the security field. Can a Domain Admin run the script?

Remember that there is a huge difference between Local admin and Domain admin or even a domain user. A local admin or user will NOT be able to run a query. BUT the local built in admin WILL be able to on that AD server only. If you create a new AD user and try to run the query as that person it should work.
 
OK so for example consider the following:

Code:
cn=Administrator,cn=Users,dc=stratus,dc=local

Returns my expected sync results. I am creating a sync agreement with an AD server

Not wanting to use the built-in accounts I started over and tried

Code:
cn=stratus,cn=Users,dc=stratus,dc=local

which results in "Unable to contact Active Directory server". This confuses me as when I look at the properties of the two users "Member Of" side by side I see the following

Code:
Administrators         stratus.local/Builtin
Domain Admins          stratus.local/Users
Domain Users           stratus.local/Users
Enterprise Admins      stratus.local/Users
Group Policy Creator   stratus.local/Users
Schema Admins          stratus.local/Users

Primary group: Domain Users

As I said, I am looking at the properties side by side, and it's the same for both. I have added the user stratus to the user settings and granted full access just now, but that did not seem to make a difference.

I have rebooted the AD server with the same result (i.e. Administrator can be used for the sync agreement but the other user cannot).
 
Are you able to login to a Windows domain computer (such as the AD server) with the username of "stratus"? I'm wondering if it is prompting for more information (password change) or would give you an error.

EDIT: Also, I'm not sure if the unix system needs to be registered in the AD domain. It may not allow you to query the forest from a non-domain computer. Never had to try it.
 
To answer your first question, yes I can log in/RDP, but I found the error.

There was a trailing space in the AD user for some reason. Other users which I tried had last names which the unix side could not handle.

So for example when looking at the Users in AD you might see:

Code:
Bob Smith      User     Bob's user

Even though the user name in the properties was bobs, either the request or interpretation was expecting "Bob Smith".

Creating a user who had no last name fixed my problem. So I deleted stratus and recreated him without the trailing whitespace, and now it works.

Thanks for the help... sometimes you just have to think "out loud" I suppose
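The root cause above was a trailing space in the account name that ended up in the bind DN; RFC 4514 requires a leading or trailing space in an RDN value to be escaped as `\ `, so an unescaped one yields a DN the server cannot match. The Python below is an added example (not from the thread or from any tool mentioned in it) that lints a DN for such unescaped characters and escapes a raw account name correctly; the DNs it is run against are constructed from the ones quoted in the thread.

```python
"""Lint/escape LDAP bind DN values per RFC 4514 (added example, not from the thread)."""

# Characters that must be backslash-escaped wherever they appear in an RDN value.
_SPECIAL = set('",+;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value (e.g. an AD account name) for use in a DN."""
    last = len(value) - 1
    return "".join(
        "\\" + ch
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        else ch
        for i, ch in enumerate(value)
    )


def _split_unescaped(text: str, sep: str) -> list:
    """Split text on sep, treating backslash-escaped characters as literal."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped or ch == "\\":
            escaped = not escaped  # entering or leaving an escape pair
            cur.append(ch)
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def lint_dn(dn: str) -> list:
    """Return problems found in dn; an empty list means the DN is well formed."""
    problems = []
    for rdn in _split_unescaped(dn, ","):
        attr, eq, value = rdn.partition("=")
        if not eq:  # a comma inside an unescaped value produces an RDN with no '='
            problems.append(f"RDN without '=': {rdn!r}")
        escaped = False
        for i, ch in enumerate(value):
            if escaped or ch == "\\":
                escaped = not escaped  # escaped pair, already safe
            elif ch in _SPECIAL or (ch == "#" and i == 0):
                problems.append(f"{attr}: unescaped {ch!r} in {value!r}")
            elif ch == " " and i in (0, len(value) - 1):
                side = "leading" if i == 0 else "trailing"
                problems.append(f"{attr}: unescaped {side} space in {value!r}")
    return problems
```

Running `lint_dn` on the bind DN before handing it to the sync tool turns a vague "Unable to contact Active Directory server" into a message naming the offending attribute and character.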
 
Sorry I couldn't help, but I'm glad you figured it out. :thup:
 