I have a recently upgraded domain that's now running all 2008R2 DCs. The domain functional level is 2008R2 and the forest functional level is 2003. I've also created a brand new lab domain with virtual machines and experienced the exact
same problem. When I logon to a DC and open the AD module for Windows Powershell I can run AD related commands like get-adcomputer, get-aduser, etc. When I try to run any command that modifies attributes though I get an error (listed below). I'm
a member of the domain admins, enterprise admins, schema admins, etc. The only way I can get it to work is to explicitly add myself to the ACL of an object. That doesn't make any sense though because by virtue of being a domain admin
I should have full control of the object anyway. In fact if I check effective permissions it even shows me that I do have full control. Considering I'm experiencing this exact same issue is two totally different 2008R2 domains I can't believe
no one else is. Any ideas?
Set-ADComputer: Insufficient access rights to perform the operation at line:1 char:15
+ Set-ADComputer <<<< testPC -Description Test3
+ CategoryInfo : NotSpecified: (testPC:ADComputer) [Set-ADComputer], ADException
+ FullyQualifiedErrorId : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.SetADComputer
Set-ADComputer: Insufficient access rights to perform the operation at line:1 char:15
+ Set-ADComputer <<<< testPC -Description Test3
+ CategoryInfo : NotSpecified: (testPC:ADComputer) [Set-ADComputer], ADException
+ FullyQualifiedErrorId : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.SetADComputer