Microsoft KB Archive/173752

From BetaArchive Wiki
Knowledge Base

Windows NT Error: Account Operators Get Access Denied Error Messages with User Manager for Domains

Article ID: 173752

Article Last Modified on 10/31/2006


  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition

This article was previously published under Q173752


When an account operator tries to use User Manager for Domains from a computer other than the primary domain controller (PDC), they receive Access Denied error messages. Regular users will also receive this error when they try to start User Manager for Domains to view the list of accounts.


This problem occurs when the following subkey is missing from the registry on the PDC:
HKLM\System\CurrentControlSet\Control\SecurePipeServer \Winreg\AllowedPaths

NOTE: The above registry key is one path; it has been wrapped for readability.


If the AllowedPaths key is missing, you will experience the above error and be unable to administer the user accounts from any computer other than the PDC.

The specific information required to restore this key is located in the MACHINE:Reg_Multi_SZ value in the following subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control \ProductOptions\AllowedPaths

NOTE: The above registry key is one path; it has been wrapped for readability.

Also, even though you will receive an Access Denied error message, this will not generate a failure if you have enabled Security Auditing, unless you are specifically auditing the registry. This is because the Account Operator has not been granted access to the OBJECT that you have chosen to audit.

This value and the key are generated by default when Windows NT is installed.

Additional query words: access denied winreg

Keywords: kbprb KB173752