columbiaG
question regarding admin rights in a domain

I know this is likely a simple issue, but running a domain with a 2008 server, and using local profiles... I understood that when someone was given admin rights on their local machine, that also gave them admin rights on the network, to perform functions on other machines.

It appears that the user I have given admin rights to can only have admin rights on a machine after they first log into it.

I thought they had admin rights without logging in to the PC and developing a profile on the machine first.

Is that something that only works when you have profiles saved remotely?
Lee W, MVP

Not quite sure what you're talking about.

If you put a user in the DOMAIN ADMINS group in Active Directory, that user should now have FULL domain admin rights and FULL administrator rights on ALL WORKSTATIONS.

If you go to the workstation and put the user in the Administrators group on the local PC, then they ONLY have admin rights to that PC.

EXCEPTIONS to the domain admin thing can be if the Domain Admins group is removed from the local Administrators group (NOT generally done and generally not recommended).
"It appears that the user I have given admin rights to can only have admin rights on a machine after they first log into it."
If another user is logged into the machine and the "admin user" sits down and tries to do administrative level functions it will not work. The "admin user" needs to be logged in OR would have to use the Run As feature/capability. This is true even for a Domain Admin.
columbiaG (ASKER)
That is what I thought. The user I wanted to have domain admin rights was placed in Domain Admins, but her credentials still would not suffice for admin requirements on a PC. Others in Domain Admins worked fine, no local PC login required, as well as a new one I put in to test; it is only hers that will not work.
Did you add her to the Domain Admins after she was logged into the machine? The login process is what checks the group membership. If she is already logged in, then adding her to the group may not take effect until she logs out and back in to wherever she is currently logged into.
ASKER CERTIFIED SOLUTION
columbiaG
This solution is only available to members.
For a group addition or subtraction to take effect, you MUST have the user log out. When they log on, the memberships are checked and a security token with all the current (at logon) memberships is created. It's never recreated while the user is logged in, so if you didn't log her out, then she is still using the old token.

NOTE: if you've made them domain admins, I BEG YOU - DON'T. Add them to the local admins group. It's not great, but it's FAR better than giving a non-admin rights to change YOUR password and delete your account or otherwise destroy your network, intentionally, accidentally, or inadvertently thanks to malicious software.
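The token behaviour described above can be checked directly. The following is an added example, not code from the thread: it compares the groups recorded in the current logon token with the account's present directory membership, so a group that exists in AD but not in the token shows a membership change that will only apply after a log off and log on. It assumes the RSAT ActiveDirectory module (Get-ADPrincipalGroupMembership) is available on the machine.

```powershell
# Added example (not from the original thread).
# Groups baked into the access token at logon, resolved to DOMAIN\Name where possible.
$tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.Value }   # keep the raw SID if the name cannot be resolved
    }

# Direct group memberships the account holds right now, according to the domain.
# Assumes the RSAT ActiveDirectory module is installed.
$adGroups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
    ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }

# Anything in the directory but missing from the token was added after logon
# and will not be honoured until the user logs off and back on.
$stale = $adGroups | Where-Object { $tokenGroups -notcontains $_ }

if ($stale) {
    Write-Output "Memberships not yet in the logon token (log off/on required):"
    $stale | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "Logon token matches current directory membership."
}
```

Run it as the affected user on the workstation; `whoami /groups` shows the same token-side list without the directory comparison.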
@leew: "I BEG YOU - DON'T"  Could not have said it better myself.  :)
You seem to have accidentally selected the wrong solution (your own). Have a moderator undo that.

I'd like to add that the process of using local admins at all is more dangerous than many might think. Imagine you log on to a computer as domain admin, add a user to the admins group and log out. Immediately afterwards, he could grab your domain admin password using script kiddie tools. He would not need to crack it, no.
So whenever we use accounts that have power on multiple computers (which normally is true for support accounts), those are in great danger as soon as local admins are around.
@McKnife: that is why we use a GPO so that we don't actually have to log in to the local machine. This still doesn't eliminate what you have pointed out, but does reduce the risk some.
Accurate response, and quick to point out issues that could have led to concerns.
You selected your own answer?