Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Administrator rights vary in different profiles

Posted on 2003-03-11
12
Medium Priority
?
167 Views
Last Modified: 2010-04-13
On some of our Win2000 Pro PCs, profiles are set with administrator rights, yet do not have all administrator privleges.

Why is this? How can we give a profile FULL administrator rights?

So that, for example, it can access Users and Passwords from the Control Panel without providing another logon and password, install all software, etc.

On other PCs set up the same (as far as checking privleges shows) full administrator rights are available.
0
Comment
Question by:esc_toe_account
12 Comments
 

Expert Comment

by:kawboy20
ID: 8111617
esc toe account,

Is the user profile your trying to give admin privaleges to a local account or domain account. I you give the priveleges to say "computername\BobsAccount" and they logon as "domain\BobsAccount" they will not have admin privilages because these are to seperate accounts with different SIDS, thanks...
0
 

Author Comment

by:esc_toe_account
ID: 8112386
Local Account .. have removed from the Administrator Group, rebooted, and added back without success. Now trying different ways of removing and readding.
0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8112611
once the account change is made, the account needs to be logged out of and then back in for the change to take effect..  Perhaps that is the problem

HTH
-Steven Yarnot
http://yarnosg.home.insightbb.com
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 

Author Comment

by:esc_toe_account
ID: 8112665
Rebooting encompasses logging .. we DO log back in without success.
0
 

Author Comment

by:esc_toe_account
ID: 8113024
Clarification: We reboot twice, before and after change.
0
 

Expert Comment

by:AndrewBienhaus
ID: 8113526
I'll tell you the way we do it, and you can try it out. :-)

Assuming the machine is part of a domain, always use the domain logins for the users.

On the domain, we have a group called "local admins" and we join anyone that we want to have rights on their PC, into that group.

Then, on the PC itself, in the local groups, we add the domain group called "local admins".

Login as domain user, and bingo, off you go...

Worked just fine for me. :)

Andrew
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8114673
esc_to_account... What You must do, is to add the Global Domain Admins Group to the Local Admins Group!


IMPORTANT!!!!!

:o) esc_to_account...AndrewBienhaus...,  and everybody else.

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group membership of the Local Admin Group on each workstation.

And You must NEVER add the same Domain User membership of the Local Admin Group on more than his/hers own workstation

If You add a Domain Group membership of the Local Admin Group, everyone being member gets unlimited REMOTE access power of all simular workstations on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:

http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/e

valuate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734


IF YOU WANT TO TEST IT:
You have to add the Domain Group to the Local Admin Group on BOTH test-workstations, and logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

0
 

Expert Comment

by:modulo
ID: 8224927
Dear expert(s),

A request has been made to close this Q in CS:
http://www.experts-exchange.com/Community_Support/CleanUp/Q_20564414.html

Without a response in 72 hrs, a moderator will finalize this question by:

 - Saving this Q as a PAQ and refunding the points to the questionner

When you agree or disagree, please add a comment here.

Thank you.

modulo

Community Support Moderator
Experts Exchange
0
 

Author Comment

by:esc_toe_account
ID: 8225440
Good information for new setups, but no understanding of why or how to change existing setups - which is the goal of my question. Hence I'm not sure how to award points. Any suggestions? Otherwise will just close question.
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 900 total points
ID: 8227841
2 ways to do it:

net localgroup administrators /add DomainName\UserName

or

1. RightClick MyComputer
2. Choose Manage
3. Choose Local Users and Groups
4. Choose Groups
5. Choose Administrators
6. Choose Add
7. Add the Domain User you want.

But as I answered above, please be carefull when adding Domain Users to Local Admin Group.

They get unlimited REMOTE to all other workstations:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)

Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8228173
The above 2 solutions has to be done on each workstation logged on as member of the local admin group:

To find out who's member of the local admin group, do this on each workstation:

1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
The number of companies understanding the potential of IoT on B2B market is growing with each day. And yet only a small share of IoT developers have managed to equalize incomes and stay competitive in the international market.
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question