Local Administrator group permission and logon question

If a domain user is added into the local PC/Laptop Administrator group,

 1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

 2. If this domain user can logon without network access, can this user do what a local administrator can on this PC/Laptop?

jkit001 Asked:
 
SangramGohil Commented:
1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

Yes. If you have cached login configured.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/579.mspx?mfr=true

http://support.microsoft.com/kb/913485



 2. If this domain user can logon without network access, can this user do what a local administrator can on this PC/Laptop?

Yes, if it does not require any network service/resource.
0
 
QPR Commented:
This question is worded very much like "homework" and EE members have a policy to avoid providing answers on questions that appear this way.
If you can provide info to convince us we aren't giving you homework answers you may get some responses.
0
 
Mike Kline Commented:
It depends; if cached credentials are allowed then yes, they can log in... regardless of whether they are an admin or not.

You can Google/Bing for more info on cached credentials: http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/01/31/Understanding-Cached-Credentials.aspx

0
 
ggeorgiou7 Commented:
If the user has logged in once already while the network is up, and then the network is off and they try to log in again, then yes, they can sign in due to the cached credentials.
They will be able to handle any local admin processes; however, if the network is out, no administrative network processes will work.
0
 
jkit001 (Author) Commented:
QPR - I will do better next time to rephrase the question.

I have a mobile user in the administrator group with their domain user account.  They can logon to the laptop.  When the user tried to edit and save the system's hosts file, the user did not have permission to save the file.

Everything seems to be set up correctly.

Thanks
0
 
johnb6767 Commented:
That's probably been marked as Read Only, by some security apps like SpyBot..... It's a false sense of protection anyway.......

Right click it and see if the ReadOnly flag is set.... If so, uncheck it....

Or, check the Security Tab to make sure that they can modify it. Some infections remove ACLs from it, and you have to take ownership of it (regardless of admin level), and re-inherit the permissions on it.....
0
 
jkit001 (Author) Commented:
johnb6767 - you are correct that it is ReadOnly.

Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  

The user was able to edit the hosts file  but had to select "run as administrator" when using notepad.  

Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Administrators group?
0
 
johnb6767 Commented:
"Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  "

No, that setting would be called "Read Maybe, only if you are an Admin"...... Sorry, not trying to be sarcastic, but was more or less trying to stress the "Only" part of the setting......

Now that you mention "run as administrator", we have identified that we are working with Windows 7, and UAC. For any app that modifies protected OS files, it's normal for the app to need to be launched using the "RunAs Administrator" option.....

"Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Administrators group?"

Yes, as long as User Account Control is enabled......
0
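Added example, not part of the original thread: a read-only PowerShell check of what the answers above point at (cached logons, UAC, whether the current session is elevated, and the hosts file's Read-only flag and ACL). It assumes PowerShell 3.0 or later and the default hosts file location; the variable names are illustrative.

```powershell
# Added example: diagnostic only, nothing here changes the system.
# Assumption: hosts file is at its default location.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Cached domain logons: number of previous logons kept for offline use.
#    A value of 0 means no cached logons, so a domain user cannot log on offline.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount

# 2. UAC: EnableLUA = 1 means administrators run with a filtered token
#    until a process is started with "Run as administrator".
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacOn = (Get-ItemProperty -Path $policy -Name EnableLUA `
          -ErrorAction SilentlyContinue).EnableLUA -eq 1

# 3. Group membership versus elevation for the current session.
#    whoami lists BUILTIN\Administrators (S-1-5-32-544) even when the SID is
#    deny-only in a filtered token; IsInRole is true only when elevated.
$groups = whoami /groups /fo csv /nh |
          ConvertFrom-Csv -Header Name, Type, SID, Attributes
$inToken = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 4. Hosts file: Read-only attribute, owner and ACL entries.
$file = Get-Item -LiteralPath $hostsPath
$acl  = Get-Acl  -LiteralPath $hostsPath

[pscustomobject]@{
    User              = $identity.Name
    CachedLogonsCount = $cached
    UacEnabled        = $uacOn
    AdminsSidInToken  = $inToken
    Elevated          = $elevated
    HostsReadOnly     = $file.IsReadOnly
    HostsOwner        = $acl.Owner
} | Format-List

$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

if ($inToken -and -not $elevated) {
    'Administrators member, session not elevated: editing hosts needs "Run as administrator".'
}
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator"; only the `Elevated` field should differ between the two runs.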
 
jkit001 (Author) Commented:
.
0