Local Administrator rights not being enforced

Good Afternoon,

We now have an issue where local admin rights are not working

Basically, i have an AD group "Local Administrator Rights" on the domain. Then in group policy, in the "Restricted Group" settings i set domainname\local administrator rights into the "Administrators" group

Now, exisitn staff, this works great. Checking the local administrators group on each PC i can see this domain group is a member, which is good!

We got a new staff member who needs these rights, popped them in the group, now they started and dont have th rights, menus are missing in XP like changin wallpaper, but for the others its OK

I checked the PC and the group flowed down ok into local admins, so i created a new user as a test, same result, tried multiple machines, same result

Any help would be appreciated
wsc-itAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Krzysztof PytkoConnect With a Mentor Senior Active Directory EngineerCommented:
Check where those user account are placed in domain (which OU). Probably they reside in OU where other people have these restrictions. You should move them to the rest of your users. To be sure if that policy affects those account, logon to the PC on one of them then from run box run RSoP.msc and analyze results.
0
 
SteveIT ManagerCommented:
Check the security on the policies that have been applied

also logon as the user and run gpresult from a cmd window to see what policies are being applied
0
 
McKnifeCommented:
Hi.
Although you missed to give some feedback so far, here's another question. You wrote:
> Now, exisitn staff, this works great
You mean, until now, members of the domain group "Local Administrator Rights" could succesfully use admin rights on the wokstations, right? What about now? Can they still operate as admins, does your issue really only affect new members of that group?

Then, next question, you wrote:
> now they started and dont have th rights, menus are missing in XP like changin wallpaper
this is no judgement about admin rights. We all know GPOs can restrict admins, too, so to determine if an account is not only member of the local admin group but can indeed perform administrative tasks, I would start device manager for example. If nonadmin, you will get a popup at once saying that you won't be able to change anything here.

Feedback?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.