Solved

Local Administrator group permission and logon question

Posted on 2010-09-21
9
412 Views
Last Modified: 2012-06-27
If a domain user is added into the local PC/Laptop Administrator group,

 1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

 2. If this domain user can logon without network access, can this user do what a local adminstrator can on this PC/Laptop?

0
Comment
Question by:jkit001
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 29

Expert Comment

by:QPR
ID: 33731548
This question is worded very much like "homework" and EE members have a policy to avoid providing answers on questions that appear this way.
If you can provide info to convince we aren't giving you homework answers you may get some responses.
0
 
LVL 3

Accepted Solution

by:
SangramGohil earned 100 total points
ID: 33731643
1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

Yes. If you have cached login configured.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/579.mspx?mfr=true

http://support.microsoft.com/kb/913485



 2. If this domain user can logon without network access, can this user do what a local adminstrator can on this PC/Laptop?

Yes if it does not require any of the network service/resource
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 33731652
It depends, if cached credentials are allowed then yes they can login...regardless if they are an admin or not

you can google/bing for more info on cached credentials  http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/01/31/Understanding-Cached-Credentials.aspx

0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 1

Assisted Solution

by:ggeorgiou7
ggeorgiou7 earned 100 total points
ID: 33733764
If the user has logged in once already while the network is up, then the network is off and they try to login again, then Yes they can sign in due to the Cached credentials.
They will be able to handle any local admin processes however if the network is out, No administrative network processes will work.
0
 

Author Comment

by:jkit001
ID: 33733867
QPR - I will do better next time to rephrase the question.

I have a mobile user in the the administrator group with their domain user account.  They can logon to the laptop.  When the user tried to edit and save the system's hosts file the user do not have permission to save the file.

Everything seems to be setup correctly.

Thanks
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 200 total points
ID: 33734011
Thats probably been marked as Read Only, by some security apps like SpyBot..... Its a false sense of protection anyway.......

Right click it and see if the ReadOnly flag is set.... If so, uncheck it....

Or, check the Security Tab to make sure that they can modify it. Some infections remove ACLs from it, and you have to take ownership of it (regardless of admin level), and re inherit the permissions on it.....
0
 

Author Comment

by:jkit001
ID: 33734181
johnb6767 - you are correct that it is ReadOnly.

Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  

The user was able to edit the hosts file  but had to select "run as administrator" when using notepad.  

Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Adminitrators group?
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 200 total points
ID: 33734479
"Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  "

No, that setting would be called "Read Maybe, only if you are an Admin"...... Sorry, not trying to be sarcastic, but was more or less trying to stress the "Only" part of the setting......

Now that you mention "run as administrator", we are identifying working with Windows 7, and UAC. Any app that modifies protected OS files, then thats normal for the app to need to be launched using the "RunAs Administrator" option.....

"Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Adminitrators group?"

Yes, as long as User Account Control is enabled......
0
 

Author Closing Comment

by:jkit001
ID: 33775126
.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

IT certifications are a concrete representation of continual learning on the part of the candidate.  Continual learning is necessary for the long term success of an IT professional, but are IT certifications the right path for you?
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question