?
Solved

Local Administrator group permission and logon question

Posted on 2010-09-21
9
Medium Priority
?
414 Views
Last Modified: 2012-06-27
If a domain user is added into the local PC/Laptop Administrator group,

 1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

 2. If this domain user can logon without network access, can this user do what a local adminstrator can on this PC/Laptop?

0
Comment
Question by:jkit001
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 29

Expert Comment

by:QPR
ID: 33731548
This question is worded very much like "homework" and EE members have a policy to avoid providing answers on questions that appear this way.
If you can provide info to convince we aren't giving you homework answers you may get some responses.
0
 
LVL 3

Accepted Solution

by:
SangramGohil earned 400 total points
ID: 33731643
1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

Yes. If you have cached login configured.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/579.mspx?mfr=true

http://support.microsoft.com/kb/913485



 2. If this domain user can logon without network access, can this user do what a local adminstrator can on this PC/Laptop?

Yes if it does not require any of the network service/resource
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 400 total points
ID: 33731652
It depends, if cached credentials are allowed then yes they can login...regardless if they are an admin or not

you can google/bing for more info on cached credentials  http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/01/31/Understanding-Cached-Credentials.aspx

0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 1

Assisted Solution

by:ggeorgiou7
ggeorgiou7 earned 400 total points
ID: 33733764
If the user has logged in once already while the network is up, then the network is off and they try to login again, then Yes they can sign in due to the Cached credentials.
They will be able to handle any local admin processes however if the network is out, No administrative network processes will work.
0
 

Author Comment

by:jkit001
ID: 33733867
QPR - I will do better next time to rephrase the question.

I have a mobile user in the the administrator group with their domain user account.  They can logon to the laptop.  When the user tried to edit and save the system's hosts file the user do not have permission to save the file.

Everything seems to be setup correctly.

Thanks
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 800 total points
ID: 33734011
Thats probably been marked as Read Only, by some security apps like SpyBot..... Its a false sense of protection anyway.......

Right click it and see if the ReadOnly flag is set.... If so, uncheck it....

Or, check the Security Tab to make sure that they can modify it. Some infections remove ACLs from it, and you have to take ownership of it (regardless of admin level), and re inherit the permissions on it.....
0
 

Author Comment

by:jkit001
ID: 33734181
johnb6767 - you are correct that it is ReadOnly.

Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  

The user was able to edit the hosts file  but had to select "run as administrator" when using notepad.  

Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Adminitrators group?
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 800 total points
ID: 33734479
"Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  "

No, that setting would be called "Read Maybe, only if you are an Admin"...... Sorry, not trying to be sarcastic, but was more or less trying to stress the "Only" part of the setting......

Now that you mention "run as administrator", we are identifying working with Windows 7, and UAC. Any app that modifies protected OS files, then thats normal for the app to need to be launched using the "RunAs Administrator" option.....

"Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Adminitrators group?"

Yes, as long as User Account Control is enabled......
0
 

Author Closing Comment

by:jkit001
ID: 33775126
.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
In this modest contribution, I want to share with the IT community (especially system administrators, IT Support Engineers and IT Help Desks) about Windows crashes/hangs and how to deal with these particular problems.
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question