• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2150
  • Last Modified:

Local Computer / Domain Permissions for administrator user account

Here is the deal... All of our computers have 'administrator' as the local admin account. We also have a domain account 'administrator' that is under domain admins group. We have the same password set for both, so its universal. We need to clamp down on security and tracking, so here is what we need to do.

I would like to rename the local admin account, for sample purposes lets call it 'god'. I have already done this on some computers without any trouble. This account is for local login and for doing local machine work. I would like to have this account with domain privilidges so it can mount drives/printers, so I made an account 'god' on the domain. But...now since I have the god account on the domain, I can log in anywhere domain\god. I do not want this, I just want the permissions to access drives/printers/resources...but it cannot log in.

local\god - local computer login, **access to network resources**
domain\god - 8*CANNOT login**, ...but I may need this account for network resources, idk.

How can I do this?
  • 5
  • 2
3 Solutions
Hi atkfrg56,

 why not setup accounts from local computer user accounts, then add these to a a group of your choice, and assign this group the necessary privelages. and not administrator, but add what you need this group to do in their permissions status?

atkfrg56Author Commented:
cyberdevil67 ,

lets see if I understand this right.

[new group] "local\special admins"
[member of "local\special admins"] "local\god"

[built-in group] "domain\domain admins"
[member of "domain\domain admins"] "local\special admins"

so that the "local\god account" is part of "local\special admins" which is part of "domain\domain admins" which has all the powers. Do I have the right idea here?

atkfrg56Author Commented:
cyberdevil67 ,
err, i dont think that works with multiple computers...i think i messed up. Maybe...

"local\god" in group "domain\domain admins"

thats simple and may work
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

on the domain controller create a grou-p that does what you want, and doesn't have access to what you don't want them access too.

Then have every computer who loggs into that domain apart of that group. But for that to work each computer will need to be apart of that domain.


  domain\special group has access to the drives  & printers it needs too.

 then user\user1 becomes apart of domain\special group, then you lock it down further by slectinf dirs and devices that only that group can access..
atkfrg56Author Commented:
cyberdevil67 ,
I tried that method, but it doesnt work / not what I am trying to do (to my knowledge).

local\administrator and domain\administrator users need to have all their powers combined into local\administrator so that I can eliminate the domain\administrator account and so that the domain\administrator cannot log in. The real administrators will have their own accounts and be part of the 'domain admins' group. Then the only reason to use the local\administrator account will be for building computer images. In no way do i want users to log in locally, there is only 1 local account and its the local\administrator which is only used to build images. Troubleshooting, permissions, and whatever network functions that need busted out will be used by the admin people who are members of domain\ domain admins.
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
You're looking at it the wrong way... there are two types of directives in Group Policy -- COMPUTER and USER.  What you are trying to do is set a COMPUTER policy... your client computers already have names and that is how you grant them permissions (separate from the USER on the computer).  There is also a third type of object in Group Policy... GROUPS.  Either a COMPUTER or a USER can be a member of a GROUP.

There is no need to devise a new methodology for this.  PLUS, you can't make a LOCAL profile have DOMAIN priveleges (via Group Policy Objects)... it's just local... and a domain directive will always override it.

GPOs are processed in the following order:

The local GPO is applied.
GPOs linked to sites are applied.
GPOs linked to domains are applied.
GPOs linked to OUs are applied -- in order of OU heirarchy.

Here's the lowdown on Computers, Users & Groups:

And on how the policies are applied:

Jeff @
atkfrg56Author Commented:
So what I am trying to do cannot be done in my way, correct?
atkfrg56Author Commented:
I see that my method cannot be done, and because of this I do not have the power needed to complete my task. I chose the next closest way to do it, although its not going to complete my project.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now