To resolve this issue, make sure that the Winreg subkey in the following registry key on the domain controller is configured with the correct permissions:
HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\SecurePipeServers
The following table lists the minimum permissions that must be set on the Winreg subkey on the domain controller if you want to connect to that domain controller from another computer by using the Active Directory Users and Computers snap-in:
Group or User Account Permissions
------------------------------------------------
Administrators group Full Control, Read
Backup Operators group Read
Enterprise Admins group Read
Local Service account Read
To assign or to verify permissions that are set on the Winreg subkey on the domain controller, follow these steps.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Right-click the following registry subkey, and then click Permissions:
HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\SecurePipeServers\Winreg
- Click each account that is displayed in the Group or user names list, and then verify that the appropriate permissions are configured for that account in the Permissions for AccountName list.
If you have to add a group or a user account and assign permissions to that account, follow these steps:- Click Add.
- In the Enter the object names to select box, type the group or the user account that you want to add, click Check Names, and then click OK.
- In the Permissions for AccountName list, click to select the Allow check box that is next to the permission setting that you want to assign.
- Click OK.