Solved

Adinistrator privileges exist but are not recognized

Posted on 2009-04-01
13
536 Views
Last Modified: 2013-12-27
I normally log into my Windows laptop with a user name that belongs to the administrators group.  The login also requires the specification of a domain.  I am however never physically connected to this domain.  The only time I connect to the domain is for the purposes of changing my Windows password.

I have one specific executable that I am unable to launch with this login because a pop-up is generated indicating that I must have administrator privileges.  As stated previously the login in question belongs to the administrators group.  Furthermore I am able to carry all administrative activities on this computer including such things as installing new programs, stopping and starting services etc.

 If I login to the same local  machine as administrator, without specifying a domain, then I am able to launch the executable.  Ideally, I would like to be able to launch this executable from the account that requires the specification of the domain.  I have yet to find something that is different with this account that would explain the symptoms that I am running into.  Any assistance you are able to provide in resolving this issue is much appreciated.

Thank you
0
Comment
Question by:danhar
13 Comments
 
LVL 6

Expert Comment

by:vertsyeux
ID: 24041959
If you specify a domain when logging-in,  your problem application might be trying to get your user privileges from an active directory somewhere.. Why does your laptop ask you for a domain when you log in? I have XPSP3 and mine doesn't..  
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24042036
I have seen a similar issue , and it turned out to be stale / corrupt local group policy , try running Gpupdate /force

0
 

Author Comment

by:danhar
ID: 24042448
In response to Admin3k: running gpupdate /force did not solve the problem.  I am assuming that a reboot is not necessary.  I did however logout and log back in to test

In response to vertsyeux: I am not sure I can answer your question satisfactorily.  Even though I am not physically connected to the domain, I must specify the domain when I log into Windows.  If I do not, I am not able to login.  
0
 

Author Comment

by:danhar
ID: 24043229
I am wondering if this would further clarify the issue that I'm running into.  The enclosed attachment shows the name of the user that is used to log into Windows.  FYI, AMER is the name of the domain  in my office.  USROL-DHARARI1 is the computer name.

I seldom if ever connect to the AMER domain.  However, when I log into windows I must specify this domain in order to log in.  

I also noticed that I am unable to add a new user on my laptop.  For example, if I attempt to add a user "bob", the error shown in the second attachment appears.

Hopefully, this clarifies the problem.

Thanks
UserAccount.jpg
errormsg.jpg
0
 
LVL 1

Expert Comment

by:Evelmike
ID: 24043304
If your machine is a member of a domain, and your user credentials are domain credentials, then you will be required to use domain logon to login to the machine. The reason you can continue to login to the machine, even when your not connected to the Domain Controller, is because your login is cached on that machine.

Is your user added to the Local Administrator's group, as well as the Domain Administrator's group?
0
 
LVL 1

Expert Comment

by:Evelmike
ID: 24043337
In addition, the error message you attached indicates that you are attempting to add a non-existent user to the Administrator's group. You must first create the user, then add the user to the desired group.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:danhar
ID: 24043492
I don't know if it is.  How would I add the user dharari to the Local Administrators group?  This might be all I need to do.  I suppose that if this were done, I would simply be able to log into my local machine as opposed to having to specify a domain.

As for the error message,  I made up the username thinking that it might help explain the problem I was running into.
0
 
LVL 1

Expert Comment

by:Evelmike
ID: 24043656
You will still need to login with your domain credentials, unless you make a local user to login with who is also a member of the Administrators group. Here's what you need to do.

Open Control Panel, and then Administrative Tools. Under Administrative Tools, open Computer Management.

(See the screen shot below for a visual reference.)

Select Local Users and Groups, and under Groups, double-click Administrators. Click the Add button at the bottom, and in the field where it asks for your user, simply type in DomainName\UserName (where DomainName = the name of your domain, and UserName = your domain user name.)

Click Check Names, and it should place an underline under the DomainName\UserName you entered. Then press OK, and it will add the specified user to the Administrators group.
New-Picture--10-.bmp
New-Picture--9-.bmp
0
 

Author Comment

by:danhar
ID: 24044009
Thanks for this information.  I will not be able to verify it until later on this evening.  I will keep you posted.
0
 
LVL 1

Expert Comment

by:Evelmike
ID: 24045637
My pleasure. Please let me know if this resolves your issue. :)
0
 

Author Comment

by:danhar
ID: 24051122
Hello Evelmike:

Your suggestions got me pointed in the right direction.  I created a local account on my laptop having the same name as my domain account.  I gave this account administrator privileges and I am now able to run the executable that previously did not run.  

The issue now is that when I log into the local account, I am pointed to a different location (referrring to Documents and Settings) than if I were to log into the domain account having the same name.  This has created a different set of issues.  In other words, although I log in using the same Windows username, Windows recognizes the two login accounts as different users with different files, desktops etc.

Is this something that you can comment on or would you treat this as a follow up question unrelated to the current one?  Your comments are much appreciated.
0
 
LVL 1

Accepted Solution

by:
Evelmike earned 500 total points
ID: 24051352
I'll comment on it, as it is a direct result of the solution to the issue.

Windows tracks users by SID, independent of the actual user name. So, you might have two users of identical name, one being a Domain user and the other being a Local user, however, they have unique SIDs.

In order to obtain access to the Domain user's Documents and other files and folders, you can simply apply Ownership on the domain user's directories under Documents and Settings.

To do this, simply right-click on the domain users directory under Documents and Settings, and select Properties. Under Properties, you will want to navigate to the Security tab. Under the Security tab, click the Advanced button near the bottom of the Security window.

Under Advanced, navigate to the Owner tab. Under Owner, select the local Administrators group (it will be COMPUTERNAME\Administrators), then check the box that says "Replace owner on subcontainers and objects" and click OK.

Click YES on the warning message that pops up, and wait until it has applied the Ownership to all files and folders within the directory.

Now that you have ownership, you need to give yourself some Permissions. Head to the Permissions tab (under the Advanced section where you found the Owner tab), select your local user OR the local Administrators group, UN-check the box that says "Inherit from parent..." and CHECK the box that says "Replace permission entries...", and select OK.

Again, wait for it to apply the settings to all of the files and directories. Once completed, you now have full access to your domain user's files and folders.

Keep in mind that this does not inherently remove permissions to these files and folders for your Domain user, but should you experience any issues accessing the files when logged in as your domain user, you can simply repeat these instructions, substituting your local user/admin group for your domain user/admin group.

Please, let me know if I may be of further assistance.
0
 

Author Closing Comment

by:danhar
ID: 31565449
Evelmike, many thanks for your thorough response to my questions!!!  This turned out to be a great learning experience.  I'm very satisfied with your help.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
FreeBSD on EC2 FreeBSD (https://www.freebsd.org) is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now