Solved

Local Administrator group permission and logon question

Posted on 2010-09-21
Last Modified: 2012-06-27
If a domain user is added into the local PC/Laptop Administrator group,

 1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

 2. If this domain user can logon without network access, can this user do what a local administrator can on this PC/Laptop?

Question by:jkit001
9 Comments
 
LVL 29

Expert Comment

by:QPR
ID: 33731548
This question is worded very much like "homework" and EE members have a policy to avoid providing answers on questions that appear this way.
If you can provide info to convince us we aren't giving you homework answers you may get some responses.
0
 
LVL 3

Accepted Solution

by:
SangramGohil earned 100 total points
ID: 33731643
1. Can this user logon to the PC/Laptop when the network is DOWN?  If so, why?

Yes. If you have cached login configured.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/579.mspx?mfr=true

http://support.microsoft.com/kb/913485



 2. If this domain user can logon without network access, can this user do what a local administrator can on this PC/Laptop?

Yes, if it does not require any network service/resource.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 33731652
It depends. If cached credentials are allowed then yes, they can log in... regardless of whether they are an admin or not.

You can google/bing for more info on cached credentials: http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/01/31/Understanding-Cached-Credentials.aspx

0

 
LVL 1

Assisted Solution

by:ggeorgiou7
ggeorgiou7 earned 100 total points
ID: 33733764
If the user has logged in once already while the network is up, and then the network is off and they try to log in again, then yes, they can sign in due to the cached credentials.
They will be able to handle any local admin processes; however, if the network is out, no administrative network processes will work.
0
 

Author Comment

by:jkit001
ID: 33733867
QPR - I will do better next time to rephrase the question.

I have a mobile user in the administrator group with their domain user account.  They can log on to the laptop.  When the user tried to edit and save the system's hosts file, the user did not have permission to save the file.

Everything seems to be set up correctly.

Thanks
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 200 total points
ID: 33734011
That's probably been marked as Read Only by some security apps like SpyBot..... It's a false sense of protection anyway.......

Right click it and see if the ReadOnly flag is set.... If so, uncheck it....

Or, check the Security tab to make sure that they can modify it. Some infections remove ACLs from it, and you have to take ownership of it (regardless of admin level), and re-inherit the permissions on it.....
0
 

Author Comment

by:jkit001
ID: 33734181
johnb6767 - you are correct that it is ReadOnly.

Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  

The user was able to edit the hosts file but had to select "run as administrator" when using Notepad.

Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Administrators group?
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 200 total points
ID: 33734479
"Even though, the concept of this user in the Administrators group should give the user permission to edit this file?  "

No, that setting would be called "Read Maybe, only if you are an Admin"...... Sorry, not trying to be sarcastic, but was more or less trying to stress the "Only" part of the setting......

Now that you mention "run as administrator", we are identifying working with Windows 7, and UAC. For any app that modifies protected OS files, it's normal for the app to need to be launched using the "RunAs Administrator" option.....

"Is this the norm, having to select "run as administrator" to protect the system even though the user is in the Administrators group?"

Yes, as long as User Account Control is enabled......
0
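
The three things this thread ends up checking (cached logons, the hosts file's ReadOnly flag and ACL, and whether the process is elevated under UAC) can be read in one pass. This is an added example, not code posted by any participant; `Get-HostsEditDiagnosis` is a hypothetical helper name, and the registry values read (`EnableLUA`, `CachedLogonsCount`) are the standard Windows ones, not quoted from the page.

```powershell
# Added example: read-only diagnostic, changes nothing on the system.
# Get-HostsEditDiagnosis is a hypothetical helper name.
function Get-HostsEditDiagnosis {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

    # Is THIS process running with the full (elevated) administrator token?
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Is BUILTIN\Administrators (S-1-5-32-544) in the token at all?
    # Under UAC it is present but deny-only until the process is elevated.
    $groups  = whoami /groups /fo csv /nh |
               ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $inAdmin = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })

    # UAC switch and the number of domain logons cached for offline use.
    $uac    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    $cached = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').CachedLogonsCount

    # File-level obstacles: the ReadOnly attribute, the owner and the ACL.
    $file = Get-Item -Path $hosts -Force
    $acl  = Get-Acl -Path $hosts

    New-Object PSObject -Property @{
        User              = $id.Name
        AdminGroupInToken = $inAdmin
        ProcessElevated   = $elevated
        UacEnabled        = ($uac -eq 1)
        CachedLogonsCount = $cached
        HostsReadOnly     = $file.IsReadOnly
        HostsOwner        = $acl.Owner
        HostsAcl          = ($acl.Access | ForEach-Object {
            '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights })
    }
}

$d = Get-HostsEditDiagnosis
$d | Format-List User, AdminGroupInToken, ProcessElevated, UacEnabled,
                 CachedLogonsCount, HostsReadOnly, HostsOwner, HostsAcl

if ($d.HostsReadOnly) {
    'hosts has the ReadOnly attribute set: saving fails even from an elevated editor.'
}
if ($d.AdminGroupInToken -and -not $d.ProcessElevated) {
    'Administrators is in the token but this process is not elevated: use "Run as administrator".'
}
```

Run it once from a normal prompt and once from an elevated one: `AdminGroupInToken` stays true in both, while `ProcessElevated` flips, which is the behaviour described in the answer above.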
 

Author Closing Comment

by:jkit001
ID: 33775126
.
0
