Solved

question regarding admin rights in a domain

Posted on 2014-01-06
Last Modified: 2014-01-11
I know this is likely a simple issue, but running a domain with a 2008 server, and using local profiles... I understood that when someone was given admin rights on their local machine, that also gave them admin rights on the network, to perform functions on other machines.

It appears that the user I have given admin rights to can only have admin rights on a machine after they first log into it.

I thought they had admin rights without logging in to the PC, and developing a profile on the machine first.

Is that something that only works when you have profiles saved remotely?
0
Question by:columbiaG
11 Comments
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 39760292
Not quite sure what you're talking about.

If you put a user in the DOMAIN ADMINS group in Active Directory, that user should now have FULL domain admin rights and FULL administrator rights on ALL WORKSTATIONS.

If you go to the workstation and put the user in the Administrators group on the local PC, then they ONLY have admin rights to that PC.

EXCEPTIONS to the domain admin thing can be if the Domain Admins group is removed from the local Administrators group (NOT generally done and generally not recommended).
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760314
"It appears that the user I have given admin rights to can only have admin rights on a machine after they first log into it."
 
If another user is logged into the machine and the "admin user" sits down and tries to do administrative level functions it will not work. The "admin user" needs to be logged in OR would have to use the Run As feature/capability. This is true even for a Domain Admin.
0
 

Author Comment

by:columbiaG
ID: 39760350
That is what I thought. The user I wanted to have domain admin rights was placed in Domain Admins, but her credentials still would not suffice for admin requirements on a PC. Others in the domain admin worked fine, no local PC login required, as well as a new one I put in to test; it is only hers that will not work.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760368
Did you add her to the Domain Admins after she was logged into the machine?  The login process is what checks the group membership. If she is already logged in then adding her to the group may not take effect until she logs out and back in to wherever she is currently logged into.
0
 

Accepted Solution

by:
columbiaG earned 0 total points
ID: 39760372
Makes sense, once she logs out and back in will check it out... thanks
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 39760649
For a group addition or subtraction to take effect, you MUST have the user log out.  When they log on, the memberships are checked and a security token with all the current (at logon) memberships is created.  It's never recreated while the user is logged in, so if you didn't log her out, then she is still using the old token.

NOTE: if you've made them domain admins, I BEG YOU - DON'T.  Add them to the local admins group.  It's not great, but it's FAR better than giving a non-admin rights to change YOUR password and delete your account or otherwise destroy your network, intentionally, accidentally, or inadvertently thanks to malicious software.
0
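
The logon-time token behaviour discussed in this thread can be checked directly on the PC in question. The PowerShell below is an added example, not code from any poster; it assumes PowerShell 5.1 or later on a domain-joined PC, run in the affected domain user's own session, and `Test-DomainAdminToken` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Run in the affected user's own session.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainAdminToken {   # hypothetical helper name
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $domainSid = $identity.User.AccountDomainSid
    if (-not $domainSid) { throw 'Current identity has no account domain SID.' }

    # Domain Admins is always <domain SID>-512.
    $daSid = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,
        $domainSid).Value

    # 1. Groups in this session's token, fixed at logon. whoami also lists
    #    groups that UAC has marked deny-only in a non-elevated process.
    $tokenSids = (whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes).SID
    $inToken = $tokenSids -contains $daSid

    # 2. Membership as the directory reports it right now.
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
    $dirSids = @($user.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value })
    $inDirectory = $dirSids -contains $daSid

    # 3. Is Domain Admins still in this PC's local Administrators (S-1-5-32-544)?
    $localSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { $_.SID.Value })
    $localHasDA = $localSids -contains $daSid

    # A token that disagrees with the directory means the change was made
    # after logon (either an addition or a removal).
    $diagnosis = if ($inToken -ne $inDirectory) {
        'Token is stale relative to the directory: log off and log on again.'
    } elseif (-not $inDirectory) {
        'Not a Domain Admins member, in the directory or in the token.'
    } elseif (-not $localHasDA) {
        'Domain Admins was removed from this PC''s local Administrators group.'
    } else {
        'Token carries Domain Admins and the local group includes it.'
    }

    [pscustomobject]@{
        InToken = $inToken; InDirectory = $inDirectory
        DomainAdminsInLocalAdmins = $localHasDA; Diagnosis = $diagnosis
    }
}

Test-DomainAdminToken
```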
 
LVL 26

Expert Comment

by:pony10us
ID: 39760659
@leew: "I BEG YOU - DON'T"  Could not have said it better myself.  :)
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39760760
You seem to have accidentally selected the wrong solution (your own). Have a moderator undo that.

I'd like to add that the process of using local admins at all is more dangerous than many might think. Imagine you log on to a computer as domain admin, add a user to the admins group and log out. Immediately afterwards, he could grab your domain admin password using script kiddie tools. He would not need to crack it, no.
So whenever we use accounts that have power on multiple computers (which normally is true for support accounts), those are in great danger as soon as local admins are around.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760783
@McKnife:  that is why we use a GPO so that we don't actually have to log in to the local machine. This still doesn't eliminate what you have pointed out but does reduce the risk some.
0
 

Author Closing Comment

by:columbiaG
ID: 39773127
Accurate response and quick to point out issues that could have led to concerns.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39773153
You selected your own answer?
0

Question has a verified solution.