question regarding admin rights in a domain

I know this is likely a simple issue, but running a domain with a 2008 server, and using local profiles....I understood that when someone was given admin rights on their local machine, that also gave them admin rights on the network, to perform functions on other machines.

It appears that the user i have given admin rights to can only have admin rights on a machine after they first log into it.

I thought they had admin rights without loggin in to the pc, and developing a profile on the machine first.

Is that something that only works when you have profiles safed remotely?
columbiaGAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lee W, MVPTechnology and Business Process AdvisorCommented:
Not quite sure what you're talking about.

If you put a user in the DOMAIN ADMINS group in Active Directory, that user should now have FULL domain admin rights and FULL administrator rights on ALL WORKSTATIONS.

If you go to the workstation and put the user in the Administrators group on the local PC, then they ONLY have admin rights to that PC.

EXCEPTIONS to the domain admin thing can be if the Domain Admins group is removed from the local Administrators group (NOT generally done and generally not recommended.
Steven CarnahanAssistant Vice President\Network ManagerCommented:
"It appears that the user i have given admin rights to can only have admin rights on a machine after they first log into it."
 
If another user is logged into the machine and the "admin user" sits down and tries to do administrative level functions it will not work. The "admin user" needs to be logged in OR would have to use the Run As feature/capability. This is true even for a Domain Admin.
columbiaGAuthor Commented:
That is what i thought, the user i wanted to have domain admin rights was placed in domain admins but her credentials still would not suffice for admin requirements on a pc. Others in the domain admin worked fine, no local pc login required as well as a new one i put in to test, it is only hers that will not work
Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Steven CarnahanAssistant Vice President\Network ManagerCommented:
Did you add her to the Domain Admins after she was logged into the machine?  The login process is what checks the group membership. If she is already logged in then adding her to the group may not take effect until she logs out and back in to wherever she is currently logged into.
columbiaGAuthor Commented:
makes sense, once she logs out and back in will check it out...thanks

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee W, MVPTechnology and Business Process AdvisorCommented:
For a group addition or subtraction to take effect, you MUST have the user logout.  When they logon the memberships are checked and a security token with all the current (at logon) memberships is created.  It's never recreated while the user is logged in, so if you didn't log her out, then she is still using the old token.

NOTE: if you've made them domain admins, I BEG YOU - DON'T.  Add them to the local admins group.  It's not great, but it's FAR better than giving a non-admin rights to change YOUR password and delete your account or otherwise destroy your network, intentionally, accidentally, or inadvertantly thanks to malicious software.
Steven CarnahanAssistant Vice President\Network ManagerCommented:
@leew: "I BEG YOU - DON'T"  Could not have said it better myself.  :)
McKnifeCommented:
You seem to have accidentally selected the wrong solution (your own). Have a moderator undo that.

I'd like to add that the process of using local admins at all is more dangerous then many might think. Imagine you logon to a computer as domain admin, add a user to the admin's group and log out. Immediately afterwards, he could grab your domain admin password using script kiddie tools. He would not need to crack it, no.
So whenever we use accounts that have power on multiple computers (which normally is true for support accounts), those are in great danger as soon as local admins are around.
Steven CarnahanAssistant Vice President\Network ManagerCommented:
@McKnife:  that is why we use a GPO so that we don't actually have to login to the local machine. This still doesn't eliminate what you have pointed out but does reduce the risk some.
columbiaGAuthor Commented:
accurate response and quick to point out issues that could have led to concerns
McKnifeCommented:
You selected your own answer?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.