Solved

Local Administrator group permission and logon question

Posted on 2010-09-21
Last Modified: 2012-06-27
If a domain user is added into the local PC/Laptop Administrator group,

 1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

 2. If this domain user can logon without network access, can this user do what a local administrator can on this PC/Laptop?

Question by:jkit001
9 Comments
 
LVL 29

Expert Comment

by:QPR
ID: 33731548
This question is worded very much like "homework" and EE members have a policy to avoid providing answers on questions that appear this way.
If you can provide info to convince us we aren't giving you homework answers you may get some responses.
0
 
LVL 3

Accepted Solution

by:
SangramGohil earned 100 total points
ID: 33731643
1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

Yes. If you have cached login configured.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/579.mspx?mfr=true

http://support.microsoft.com/kb/913485



 2. If this domain user can logon without network access, can this user do what a local administrator can on this PC/Laptop?

Yes if it does not require any of the network service/resource
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 33731652
It depends, if cached credentials are allowed then yes they can login...regardless if they are an admin or not

you can google/bing for more info on cached credentials  http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/01/31/Understanding-Cached-Credentials.aspx

0

 
LVL 1

Assisted Solution

by:ggeorgiou7
ggeorgiou7 earned 100 total points
ID: 33733764
If the user has logged in once already while the network is up, then the network is off and they try to login again, then Yes they can sign in due to the Cached credentials.
They will be able to handle any local admin processes however if the network is out, No administrative network processes will work.
0
 

Author Comment

by:jkit001
ID: 33733867
QPR - I will do better next time to rephrase the question.

I have a mobile user in the administrator group with their domain user account.  They can logon to the laptop.  When the user tried to edit and save the system's hosts file the user did not have permission to save the file.

Everything seems to be setup correctly.

Thanks
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 200 total points
ID: 33734011
That's probably been marked as Read Only, by some security apps like SpyBot..... It's a false sense of protection anyway.......

Right click it and see if the ReadOnly flag is set.... If so, uncheck it....

Or, check the Security Tab to make sure that they can modify it. Some infections remove ACLs from it, and you have to take ownership of it (regardless of admin level), and re-inherit the permissions on it.....
0
 

Author Comment

by:jkit001
ID: 33734181
johnb6767 - you are correct that it is ReadOnly.

Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  

The user was able to edit the hosts file  but had to select "run as administrator" when using notepad.  

Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Administrators group?
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 200 total points
ID: 33734479
"Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  "

No, that setting would be called "Read Maybe, only if you are an Admin"...... Sorry, not trying to be sarcastic, but was more or less trying to stress the "Only" part of the setting......

Now that you mention "run as administrator", we are identifying working with Windows 7, and UAC. Any app that modifies protected OS files, then that's normal for the app to need to be launched using the "RunAs Administrator" option.....

"Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Administrators group?"

Yes, as long as User Account Control is enabled......
0
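The checks discussed in this thread (cached domain logons for the offline case, and the UAC token versus the ReadOnly flag for the hosts file), as an added PowerShell example that is not part of any post. It assumes the default hosts path under %SystemRoot% and is meant to be run as the affected user on the laptop, without elevation.

```powershell
# Added diagnostic, not code from the thread. Run as the affected user.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'   # assumed default location

# 1. Offline logon: how many domain logons Windows caches (REG_SZ).
#    "0" disables cached logon; when the value is absent the default of 10 applies.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

# 2. UAC: EnableLUA = 1 means administrators run with a filtered token until they elevate.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

# 3. Token: is BUILTIN\Administrators (S-1-5-32-544) listed, and is it enabled in this process?
#    Under UAC the group is listed as "deny only", so IsInRole() returns False until elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$inGroup   = [bool](whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544')

# 4. hosts file: ReadOnly attribute, owner and ACL entries.
$item = Get-Item -LiteralPath $hosts
$acl  = Get-Acl  -LiteralPath $hosts

[pscustomobject]@{
    CachedLogonsCount     = $cached
    UacEnabled            = ($uac -eq 1)
    InAdministratorsGroup = $inGroup
    ProcessElevated       = $elevated
    HostsReadOnly         = $item.IsReadOnly
    HostsOwner            = $acl.Owner
} | Format-List

$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

if ($inGroup -and -not $elevated) {
    'Administrators is in the token but not enabled: start the editor with "Run as administrator".'
}
if ($item.IsReadOnly) {
    'hosts has the ReadOnly attribute set: clear it before saving.'
}
```

`InAdministratorsGroup = True` together with `ProcessElevated = False` is the UAC case described above; a missing Administrators or SYSTEM entry in the ACL table points instead at the stripped-ACL case mentioned earlier in the thread.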
 

Author Closing Comment

by:jkit001
ID: 33775126
.
0
