Solved

Domain admin problem

Posted on 2010-11-22
Last Modified: 2013-12-02
We already have a couple of Windows 7 machines, but I noticed something strange. Apparently, having domain admin rights doesn't mean you have full admin rights, which I think is strange. How come, and is there a way to change this?

Jvuz
0
Question by:jvuz
15 Comments
 
LVL 10

Expert Comment

by:David_Ingledew
ID: 34186872
What version is the AD?
0
 
LVL 21

Author Comment

by:jvuz
ID: 34186906
We're using Linux servers (Samba 3.4.3).
0
 
LVL 10

Expert Comment

by:David_Ingledew
ID: 34186962
Sorry I can't help - not experienced in that...my thoughts were that the policies didn't extend to some of the newer Win7 calls...
0
 
LVL 1

Assisted Solution

by:clintonbrigham
clintonbrigham earned 200 total points
ID: 34187897
Windows Vista, 7, 2008 all use a "new" security feature called User Account Control. Basically, regardless of what role you have assigned an account, it is still only a basic user account until those privileges are elevated.  Here is the TechNet article that explains User Account Control:

http://technet.microsoft.com/en-us/library/cc772207(WS.10).aspx
0
 
LVL 51

Accepted Solution

by:Netman66
Netman66 earned 300 total points
ID: 34188582
When you joined this Samba domain, did the Domain Admin group get added to the local Administrators group?  I'm not certain it would do it automatically since it's not a Windows-based domain.  You may need to add this group manually.

Also, as was mentioned, you might need to turn off UAC for the Administrators if adding the group doesn't automatically take care of this.

0
 
LVL 21

Author Comment

by:jvuz
ID: 34189113
I'll have to check for the domain admins in the group administrators. I'll let you know tomorrow.
0
 
LVL 21

Author Comment

by:jvuz
ID: 34202967
The domain admin is in the administrators group.
If I disable the UAC, everything works like it should, but when I re-enable it, I'm back to 0.
I'm afraid I'll have to turn off UAC. I don't want to, but if it doesn't work, I'll need to unless someone else has an idea.

Jvuz
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34204649
You can selectively turn it off for only Administrators - this gives you peace of mind knowing that normal users still end up with UAC enabled.

How To is here:  http://www.howtogeek.com/howto/windows-vista/disable-user-account-controluac-for-administrators-only/

This policy setting is likely available from a server-side GPO (I don't have the ability to test it here), so that you don't have to go around to each machine.

Create a new GPO and attach it to the domain and make this single setting in that policy.

0
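An added example, not part of any post in this thread or of the linked how-to: a read-only PowerShell check of the two things the thread turns on, namely who is in the local Administrators group and how UAC currently treats administrators. The function names are hypothetical, the registry values are the standard UAC policy values under `Policies\System`, and the group name assumes an English-language Windows install.

```powershell
# Added example (read-only audit). Function names are hypothetical.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LocalAdministrators {
    # ADSI works on PowerShell 2.0 (Windows 7), where Get-LocalGroupMember is absent.
    # Assumption: the group is named "Administrators" (English-language install).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Get-UacPolicy {
    # Read the UAC policy values; a value that is not set is reported as $null.
    $props = Get-ItemProperty -Path $UacKey
    $out = @{}
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        $p = $props.PSObject.Properties[$name]
        $out[$name] = if ($p) { [int]$p.Value } else { $null }
    }
    $out
}

function Get-UacAssessment($uac) {
    if ($uac.EnableLUA -eq 0) {
        # UAC switched off completely: no filtered token for anyone.
        'UAC is off for everyone: every administrator logon runs with a full token.'
    } elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        # "Elevate without prompting": UAC stays on for standard users.
        'UAC is on; administrators elevate without a prompt, standard users are still prompted.'
    } else {
        # Admin Approval Mode: group membership alone does not give a full token.
        'UAC is on and administrators are prompted; use "Run as administrator" for admin tasks.'
    }
}

'Members of local Administrators:'
Get-LocalAdministrators | ForEach-Object { "  $_" }   # expect WinNT://<DOMAIN>/Domain Admins

$uac = Get-UacPolicy
'UAC policy values:'
$uac.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name) = $($_.Value)" }
Get-UacAssessment $uac
```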
 
LVL 51

Expert Comment

by:Netman66
ID: 34205377
@jvuz - what did you ultimately end up doing?  If UAC was part of (or the entire) solution, then it's only fair to split points with clintonbrigham.

Please let us know and I can have this Q re-opened so that points can be fairly distributed.

0
 
LVL 21

Author Comment

by:jvuz
ID: 34207774
I turned UAC off, like you suggested. That's why I didn't split points. If you think I should split the points, no problem. Then you can reopen the question and I'll split the points.

Jvuz
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34215094
In the interest of the spirit of this site, and because clintonbrigham mentioned UAC first before I specified how to turn it off, I would like to see a point split of 200 to him and 300 to me (only for providing more detail).

If you like, I can have a Mod reopen so you can redistribute the points - or you can do it yourself - let me know either way and I'll be happy to assist.

NM
0
 
LVL 21

Author Comment

by:jvuz
ID: 34215548
You may reopen the question and I'll divide the points accordingly.

jvuz
0
 
LVL 51

Expert Comment

by:Netman66
ID: 34220398
There you go!  Ready for you to distribute now.

0
