2 Domain Admins, 1 Gets Admin Rights, 1 Doesn't

I am set up in the Domain Admin and Administrators groups in my Windows 2000
Server active directory. There is one other person in these groups. We both
have identical setups within AD.

We both used to use Windows 2000, then XP, and both had all the same local
permissions, as expected.

However, we then both upgraded to Vista Business on identical machines, and
the other user gets full access rights (ie writing a file to c:\ or looking
at ALL files in c:\Program Files). I however, get Access Denied when trying
to write a file to c:, and have to go to
C:\Users\DJI\appdata\Local\VirtualStore\Program Files\ to get some of my
Program File data.

We have both done clean installs and still get the same problem.

I am guessing somewhere deep within AD I am not quite the same as the other
user, but I don't know where to look, either in Vista or Server 2000

ANy help would be great

Thanks

On Mar 16, 4:20 am, Chuck <C...@discussions.microsoft.com> wrote:
> I am set up in the Domain Admin and Administrators groups in my Windows 2000
> Server active directory. There is one other person in these groups. We both
> have identical setups within AD.
>
> We both used to use Windows 2000, then XP, and both had all the same local
> permissions, as expected.
>
> However, we then both upgraded to Vista Business on identical machines, and
> the other user gets full access rights (ie writing a file to c:\ or looking
> at ALL files in c:\Program Files). I however, get Access Denied when trying
> to write a file to c:, and have to go to
> C:\Users\DJI\appdata\Local\VirtualStore\Program Files\ to get some of my
> Program File data.
>
> We have both done clean installs and still get the same problem.
>
> I am guessing somewhere deep within AD I am not quite the same as the other
> user, but I don't know where to look, either in Vista or Server 2000
>
> ANy help would be great
>
> Thanks

If you're having trouble with directory permissions, try running the
GPRESULT command in your login. That will tell you exactly which
security groups you are a member of and, from there, you can see if
any of those groups have an explicit Deny on the folders you're trying
to look at. It will also tell you whether the Local Group Policy
(gpedit.msc) is being applied, which could be another potential source
of frustration.

Here is my result from the thing yuo asked me to run (with identifiers
crossed out):

RSOP data for xxxxxx\xxxxxx on SF311 : Logging Mode
-----------------------------------------------------

OS Configuration: Member Workstation
OS Version: 6.0.6000
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\xxxxx
Connected over a slow link?: No


USER SETTINGS
--------------
CN=xxx,OU=Admin,DC=xxxxx,DC=co,DC=uk
Last time Group Policy was applied: 16/03/2007 at 13:59:51
Group Policy was applied from: xxxx.xxxxx.co.uk
Group Policy slow link threshold: 500 kbps
Domain Name: xxxxxxxxx
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Admin Only
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
WinFrame
Domain Admins
High Mandatory Level

On Mar 16, 7:47 am, Chuck <C...@discussions.microsoft.com> wrote:
> Here is my result from the thing yuo asked me to run (with identifiers
> crossed out):
>
> RSOP data for xxxxxx\xxxxxx on SF311 : Logging Mode
> -----------------------------------------------------
>
> OS Configuration: Member Workstation
> OS Version: 6.0.6000
> Site Name: N/A
> Roaming Profile: N/A
> Local Profile: C:\Users\xxxxx
> Connected over a slow link?: No
>
> USER SETTINGS
> --------------
> CN=xxx,OU=Admin,DC=xxxxx,DC=co,DC=uk
> Last time Group Policy was applied: 16/03/2007 at 13:59:51
> Group Policy was applied from: xxxx.xxxxx.co.uk
> Group Policy slow link threshold: 500 kbps
> Domain Name: xxxxxxxxx
> Domain Type: Windows 2000
>
> Applied Group Policy Objects
> -----------------------------
> Admin Only
> Default Domain Policy
>
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Local Group Policy
> Filtering: Not Applied (Empty)
>
> The user is a part of the following security groups
> ---------------------------------------------------
> Domain Users
> Everyone
> BUILTIN\Users
> BUILTIN\Administrators
> NT AUTHORITY\INTERACTIVE
> NT AUTHORITY\Authenticated Users
> This Organization
> LOCAL
> WinFrame
> Domain Admins
> High Mandatory Level

Well it looks very straightforward. Maybe your group membership is not
the issue, although to be thorough I would (if I were you) also run
that against the other user, and compare the two results.