Solved

Administrator rights vary in different profiles

Posted on 2003-03-11
Last Modified: 2010-04-13
On some of our Win2000 Pro PCs, profiles are set with administrator rights, yet do not have all administrator privileges.

Why is this? How can we give a profile FULL administrator rights?

So that, for example, it can access Users and Passwords from the Control Panel without providing another logon and password, install all software, etc.

On other PCs set up the same (as far as checking privileges shows) full administrator rights are available.
0
Question by:esc_toe_account
12 Comments
 

Expert Comment

by:kawboy20
ID: 8111617
esc toe account,

Is the user profile you're trying to give admin privileges to a local account or domain account? If you give the privileges to say "computername\BobsAccount" and they logon as "domain\BobsAccount" they will not have admin privileges because these are two separate accounts with different SIDs, thanks...
0
 

Author Comment

by:esc_toe_account
ID: 8112386
Local Account .. have removed from the Administrator Group, rebooted, and added back without success. Now trying different ways of removing and re-adding.
0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8112611
Once the account change is made, the account needs to be logged out of and then back in for the change to take effect. Perhaps that is the problem.

HTH
-Steven Yarnot
http://yarnosg.home.insightbb.com
0
 

Author Comment

by:esc_toe_account
ID: 8112665
Rebooting encompasses logging .. we DO log back in without success.
0
 

Author Comment

by:esc_toe_account
ID: 8113024
Clarification: We reboot twice, before and after change.
0
 

Expert Comment

by:AndrewBienhaus
ID: 8113526
I'll tell you the way we do it, and you can try it out. :-)

Assuming the machine is part of a domain, always use the domain logins for the users.

On the domain, we have a group called "local admins" and we join anyone that we want to have rights on their PC, into that group.

Then, on the PC itself, in the local groups, we add the domain group called "local admins".

Login as domain user, and bingo, off you go...

Worked just fine for me. :)

Andrew
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8114673
esc_to_account... What You must do, is to add the Global Domain Admins Group to the Local Admins Group!


IMPORTANT!!!!!

:o) esc_to_account...AndrewBienhaus...,  and everybody else.

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group membership of the Local Admin Group on each workstation.

And You must NEVER add the same Domain User membership of the Local Admin Group on more than his/her own workstation

If You add a Domain Group membership of the Local Admin Group, everyone being member gets unlimited REMOTE access power of all similar workstations on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:

http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to add the Domain Group to the Local Admin Group on BOTH test-workstations, and logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

0
 

Expert Comment

by:modulo
ID: 8224927
Dear expert(s),

A request has been made to close this Q in CS:
http://www.experts-exchange.com/Community_Support/CleanUp/Q_20564414.html

Without a response in 72 hrs, a moderator will finalize this question by:

 - Saving this Q as a PAQ and refunding the points to the questioner

When you agree or disagree, please add a comment here.

Thank you.

modulo

Community Support Moderator
Experts Exchange
0
 

Author Comment

by:esc_toe_account
ID: 8225440
Good information for new setups, but no understanding of why or how to change existing setups - which is the goal of my question. Hence I'm not sure how to award points. Any suggestions? Otherwise will just close question.
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 900 total points
ID: 8227841
2 ways to do it:

net localgroup administrators /add DomainName\UserName

or

1. RightClick MyComputer
2. Choose Manage
3. Choose Local Users and Groups
4. Choose Groups
5. Choose Administrators
6. Choose Add
7. Add the Domain User you want.

But as I answered above, please be careful when adding Domain Users to Local Admin Group.

They get unlimited REMOTE to all other workstations:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)

Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8228173
The above 2 solutions have to be done on each workstation logged on as a member of the local admin group:

To find out who is a member of the local admin group, do this on each workstation:

1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER
0
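
An added example, not part of the thread: a small audit that takes the `NET LOCALGROUP ADMINISTRATORS` output collected from each workstation and reports every domain principal that sits in the local Administrators group on more than one machine, which is the remote-access exposure described in the comments above. The host names, the `CORP` domain, the account names and the sample output are constructed; treating `Domain Admins` as expected is an assumption passed as a parameter.

```python
from collections import defaultdict

def parse_members(output):
    """Return the member names listed in `net localgroup administrators` output."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):            # dashed rule precedes the member list
            in_list = True
        elif line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def shared_domain_admins(outputs, expected=("domain admins",)):
    """Map each domain principal that is a local admin on more than one
    workstation to the sorted list of those workstations."""
    seen = defaultdict(set)
    for host, output in outputs.items():
        for member in parse_members(output):
            _domain, sep, name = member.partition("\\")
            # Local accounts are listed without a DOMAIN\ prefix; skip them.
            if sep and name.lower() not in expected:
                seen[member.lower()].add(host)
    return {m: sorted(h) for m, h in seen.items() if len(h) > 1}

# Constructed sample output for three hypothetical workstations.
HEADER = ("Alias name     administrators\n"
          "Comment        Administrators have complete and unrestricted access\n\n"
          "Members\n\n" + "-" * 79 + "\n")
FOOTER = "The command completed successfully.\n"
SAMPLE = {
    "WS01": HEADER + "Administrator\nCORP\\Domain Admins\n"
                     "CORP\\local admins\nCORP\\bob\n" + FOOTER,
    "WS02": HEADER + "Administrator\nCORP\\Domain Admins\n"
                     "CORP\\local admins\nCORP\\alice\n" + FOOTER,
    "WS03": HEADER + "Administrator\nCORP\\Domain Admins\n"
                     "CORP\\bob\nlocaluser\n" + FOOTER,
}

if __name__ == "__main__":
    for principal, hosts in sorted(shared_domain_admins(SAMPLE).items()):
        print(f"{principal} is a local admin on: {', '.join(hosts)}")
```

The output alone does not say whether a `DOMAIN\name` entry is a user or a group, so each reported entry still needs a manual check against the domain.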
