Solved

question regarding admin rights in a domain

Posted on 2014-01-06
11
236 Views
Last Modified: 2014-01-11
I know this is likely a simple issue, but running a domain with a 2008 server, and using local profiles....I understood that when someone was given admin rights on their local machine, that also gave them admin rights on the network, to perform functions on other machines.

It appears that the user i have given admin rights to can only have admin rights on a machine after they first log into it.

I thought they had admin rights without loggin in to the pc, and developing a profile on the machine first.

Is that something that only works when you have profiles safed remotely?
0
Comment
Question by:columbiaG
  • 4
  • 3
  • 2
  • +1
11 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39760292
Not quite sure what you're talking about.

If you put a user in the DOMAIN ADMINS group in Active Directory, that user should now have FULL domain admin rights and FULL administrator rights on ALL WORKSTATIONS.

If you go to the workstation and put the user in the Administrators group on the local PC, then they ONLY have admin rights to that PC.

EXCEPTIONS to the domain admin thing can be if the Domain Admins group is removed from the local Administrators group (NOT generally done and generally not recommended.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760314
"It appears that the user i have given admin rights to can only have admin rights on a machine after they first log into it."
 
If another user is logged into the machine and the "admin user" sits down and tries to do administrative level functions it will not work. The "admin user" needs to be logged in OR would have to use the Run As feature/capability. This is true even for a Domain Admin.
0
 

Author Comment

by:columbiaG
ID: 39760350
That is what i thought, the user i wanted to have domain admin rights was placed in domain admins but her credentials still would not suffice for admin requirements on a pc. Others in the domain admin worked fine, no local pc login required as well as a new one i put in to test, it is only hers that will not work
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760368
Did you add her to the Domain Admins after she was logged into the machine?  The login process is what checks the group membership. If she is already logged in then adding her to the group may not take effect until she logs out and back in to wherever she is currently logged into.
0
 

Accepted Solution

by:
columbiaG earned 0 total points
ID: 39760372
makes sense, once she logs out and back in will check it out...thanks
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39760649
For a group addition or subtraction to take effect, you MUST have the user logout.  When they logon the memberships are checked and a security token with all the current (at logon) memberships is created.  It's never recreated while the user is logged in, so if you didn't log her out, then she is still using the old token.

NOTE: if you've made them domain admins, I BEG YOU - DON'T.  Add them to the local admins group.  It's not great, but it's FAR better than giving a non-admin rights to change YOUR password and delete your account or otherwise destroy your network, intentionally, accidentally, or inadvertantly thanks to malicious software.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760659
@leew: "I BEG YOU - DON'T"  Could not have said it better myself.  :)
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39760760
You seem to have accidentally selected the wrong solution (your own). Have a moderator undo that.

I'd like to add that the process of using local admins at all is more dangerous then many might think. Imagine you logon to a computer as domain admin, add a user to the admin's group and log out. Immediately afterwards, he could grab your domain admin password using script kiddie tools. He would not need to crack it, no.
So whenever we use accounts that have power on multiple computers (which normally is true for support accounts), those are in great danger as soon as local admins are around.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760783
@McKnife:  that is why we use a GPO so that we don't actually have to login to the local machine. This still doesn't eliminate what you have pointed out but does reduce the risk some.
0
 

Author Closing Comment

by:columbiaG
ID: 39773127
accurate response and quick to point out issues that could have led to concerns
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39773153
You selected your own answer?
0

Featured Post

Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

Join & Write a Comment

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now