Software requires users account to be a member of the local Administrators group

Posted on 2011-04-28
Last Modified: 2012-05-11
I am assisting a vendor in installing software on one of our servers. The software requires that the user be a member of the local Administrators group to install. This is fairly standard.

As a policy, we do not add users directly to the local Admins group. They need to be added to a domain users group and then that group can be added to the server's local admin group.

We created a domain users group for the vendors from this company. Added the users' accounts to this group and then added the group to the local administrators group on the server.

The software would not install and the vendor stated that the reason was that the users needed to be added directly to the Administrators group. I tried that and it worked.

I am not looking for a solution on how to install the software, rather I am looking for an explanation as to why there would be a difference in adding a domain user account to a local group, vs adding a group they are a member of.
Question by:wiscombep
18 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35485546
If you install the software as an admin and then execute it as a standard user, will it work?
0
 
LVL 30

Expert Comment

by:Randy Downs
ID: 35485548
you could schedule it and use an admin account
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35485549
You like that schedule trick don't you. :)
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 35485553
There shouldn't be a difference between these methods at all. It should be noted, though, that if the user was logged in when you added the group to the Local Admins, they would have had to log out and back in before the security token would reflect the change. Same with adding the user directly to the local admins group.
0
 

Author Comment

by:wiscombep
ID: 35485572
Again, I am not trying to find a solution to installing the software.
I put the user's account DIRECTLY into the local administrators group and was able to install the software. The issue is that we have a corporate policy that we don't have individual users added to local administrator groups. Rather we create domain groups, add the users to the groups, and then add the domain group to the local group.

The question is: Why would there be a difference in adding a user directly vs. adding a group that they are a member of.
0
 
LVL 30

Expert Comment

by:Randy Downs
ID: 35485613
yeah Jmoody10 schedule is a pretty good work around.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35485618
What software requires users to be a member of the domain administrator's group? I want to make sure to avoid that software like the plague.

Running software as a local administrator should be sufficient. Some file folders contain data edits within the file folders in program files of the local machine. That's the reason some older software requires LOCAL administrator privileges on that file folder, (not the entire computer).

If you practice LEAST USER AUTHORIZATION, you will want to grant those users least privileges on a computer network. This would NOT include adding every one of them to the domain administrator's group. This sounds to me like a lazy vendor of software that doesn't want to tell you what files and folders to grant local administrator privileges to.

A MUCH better means to grant privileges is to grant these users power user privileges. OR you can use a program called Beyond Trust that allows you to create privileges for specific files.

If you ask me, Grab a test machine, and grant privileges in program files and needed files (that could include registry edits) of these users locally.
0
 
LVL 30

Expert Comment

by:Randy Downs
ID: 35485650
0
 

Author Comment

by:wiscombep
ID: 35485653
ChiefIT, I didn't say that they needed to be a member of the Domain Administrators group. The question being asked is: Why would there be a difference between adding a user's account directly to the local administrators group, and adding a group of which that person was a member.

0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 35485680
Wiscombep, there isn't a technical difference between the two methods. The difference would more likely be whether the user was logged in when you made the changes or not. If the user was logged in to the system when you added the user to the domain group, then added the group to the local admins group, the changes don't take effect until the user logs out, as I said earlier. I think my earlier post may have gotten lost in the mix :D
0
 
LVL 25

Assisted Solution

by:Ron Malmstead
Ron Malmstead earned 375 total points
ID: 35485699
Permissions are cumulative and acquired during logon.

It shouldn't matter (group vs. account), unless the installation routine was designed to specifically check if the current user is in the local admin group and fail if it isn't.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35487874
We add local groups to global groups all the time. Local groups will imply that you are setting permissions (per group) on the file folders locally. Then, global groups would be active directory user groups that would have permissions to those files.. That works. I never tried adding global groups to global groups, (meaning AD accounts to AD accounts). So, you will have to create two groups:
-one local for local permissions to files and folders or the entire computer locally
-one global for global AD users.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35487897
OOPs>>got the first sentence backwards.

We add global groups to local groups:

An example would be a group local that has full control over the file shares. Then, we have a global group of, let's say, finance personnel that belong to that local group that has full control. It would look like this:

Global group of G_Finance_Personell belongs to local group L_finance_files_full control. L_finance_full_control has to have full control permissions on the finance files.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 375 total points
ID: 35489898
> Why would there be a difference

There may be a difference if the application uses a poor method of determining whether or not the user has administrative rights. That is, if it checks the local admin group members for a direct match and refuses to install if it fails it could explain it.

What behaviour do you see when it attempts to install and the user is not a direct member of the group?

Chris
0
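The difference Chris Dent and Ron Malmstead describe above, as an added example that is not part of the original thread and is not the vendor's code: a direct-membership check beside a token-based check for the built-in Administrators group (well-known SID S-1-5-32-544). It assumes Windows PowerShell 5.1 or later; the function names `Test-DirectAdminMember` and `Test-TokenAdmin` are hypothetical.

```powershell
# Added example: two ways an application might decide "is this user an administrator?"
# Function names are hypothetical; the .NET types and Get-LocalGroupMember are real.

# Well-known SID of BUILTIN\Administrators (S-1-5-32-544), independent of OS language.
$adminSid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

function Test-DirectAdminMember {
    # Fragile: compares the user against the group's immediate member list only.
    # A user who is an administrator through a domain group nested in the local
    # group is listed as that group, not as the user, so this returns $false.
    param(
        [System.Security.Principal.SecurityIdentifier]$UserSid,
        [System.Security.Principal.SecurityIdentifier]$GroupSid
    )
    $members = Get-LocalGroupMember -SID $GroupSid
    return [bool]($members | Where-Object { $_.SID.Value -eq $UserSid.Value })
}

function Test-TokenAdmin {
    # Robust: asks whether the Administrators SID is enabled in the access token,
    # which Windows builds at logon from direct and nested memberships alike.
    param(
        [System.Security.Principal.WindowsIdentity]$Identity,
        [System.Security.Principal.SecurityIdentifier]$GroupSid
    )
    $principal = [System.Security.Principal.WindowsPrincipal]::new($Identity)
    return $principal.IsInRole($GroupSid)
}

# For a user who is an administrator only via a nested domain group, running
# elevated, DirectMemberCheck is False while TokenCheck is True.
[pscustomobject]@{
    User              = $identity.Name
    DirectMemberCheck = Test-DirectAdminMember -UserSid $identity.User -GroupSid $adminSid
    TokenCheck        = Test-TokenAdmin -Identity $identity -GroupSid $adminSid
}
```

With UAC enabled, `TokenCheck` is False in a non-elevated session even for an administrator, because the Administrators SID is deny-only in the filtered token; run the comparison from an elevated prompt.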
 

Author Comment

by:wiscombep
ID: 35490668
Got updated information from the vendor. It turns out the installation is successful but it will not run properly if the user isn't directly a member of the admins group. No error message, but the software doesn't show any available elements.

Basically what I have received here is a confirmation that there really isn't any difference between having the user in a global group vs. directly in the local group, but that it is probably an issue with the software in how it is checking permissions.

Thanks to those who replied
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35490767
No problem!
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35491102
Yes, there is no difference. But, it can get confusing when administering permission sets. It's best to use Local on the file permissions and Global for AD users. Then, marry the Global groups to the local groups.

Example:
File share>>Local group of the file share<<Global group<<users of the global group

How this lays out is:
File share>>L_fileshare_full control<<G_fileshare_full<<AD administrators of the file share
or
File share>>L_fileshare_read only<<G_Fileshare_readonly<<AD users of the file share with read only permissions

We also have an application called CARIS that requires power user or full permissions on the program files>>CARIS folder for users on the domain. CARIS is a proprietary program that is used for manually editing multibeam data. In staying within Federal ITSEC policies, I have to prevent users from being local administrators. So, I have to go to each machine's local program files folder and add a local full permissions on the CARIS program files folder, then add our department as a group that uses the program.  

0
 

Author Closing Comment

by:wiscombep
ID: 35506964
Good possible reasons. Not known if they were accurate.

Original post was not looking for a "solution" so much as for a reason why the solution would work.
0
