Solved

question regarding admin rights in a domain

Posted on 2014-01-06
Last Modified: 2014-01-11
I know this is likely a simple issue, but running a domain with a 2008 server, and using local profiles... I understood that when someone was given admin rights on their local machine, that also gave them admin rights on the network, to perform functions on other machines.

It appears that the user I have given admin rights to can only have admin rights on a machine after they first log into it.

I thought they had admin rights without logging in to the PC, and developing a profile on the machine first.

Is that something that only works when you have profiles saved remotely?
Question by:columbiaG
11 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39760292
Not quite sure what you're talking about.

If you put a user in the DOMAIN ADMINS group in Active Directory, that user should now have FULL domain admin rights and FULL administrator rights on ALL WORKSTATIONS.

If you go to the workstation and put the user in the Administrators group on the local PC, then they ONLY have admin rights to that PC.

EXCEPTIONS to the domain admin thing can be if the Domain Admins group is removed from the local Administrators group (NOT generally done and generally not recommended).
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760314
"It appears that the user i have given admin rights to can only have admin rights on a machine after they first log into it."
 
If another user is logged into the machine and the "admin user" sits down and tries to do administrative level functions it will not work. The "admin user" needs to be logged in OR would have to use the Run As feature/capability. This is true even for a Domain Admin.
0
 

Author Comment

by:columbiaG
ID: 39760350
That is what I thought. The user I wanted to have domain admin rights was placed in Domain Admins, but her credentials still would not suffice for admin requirements on a PC. Others in the domain admin worked fine, no local PC login required, as well as a new one I put in to test; it is only hers that will not work.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760368
Did you add her to the Domain Admins after she was logged into the machine?  The login process is what checks the group membership. If she is already logged in then adding her to the group may not take effect until she logs out and back in to wherever she is currently logged into.
0
 

Accepted Solution

by:
columbiaG earned 0 total points
ID: 39760372
makes sense, once she logs out and back in will check it out...thanks
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39760649
For a group addition or subtraction to take effect, you MUST have the user log out.  When they log on, the memberships are checked and a security token with all the current (at logon) memberships is created.  It's never recreated while the user is logged in, so if you didn't log her out, then she is still using the old token.

NOTE: if you've made them domain admins, I BEG YOU - DON'T.  Add them to the local admins group.  It's not great, but it's FAR better than giving a non-admin rights to change YOUR password and delete your account or otherwise destroy your network, intentionally, accidentally, or inadvertently thanks to malicious software.
0
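Added example (not part of the thread and not any poster's code): a PowerShell check for the stale-token situation described above, comparing the domain groups in the current logon token with what the directory reports now. The function names and the sample SIDs are constructed for illustration; the live check assumes a domain-joined machine and an elevated prompt.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-TokenGroupSid {
    # Domain group SIDs in the access token built when this session logged on.
    # Run elevated: under UAC the filtered token carries admin groups as
    # deny-only entries, which the Groups property does not list.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $domainSid = $id.User.AccountDomainSid
    $id.Groups | Where-Object { $_.Value -like "$domainSid-*" } |
        ForEach-Object { $_.Value }
}

function Get-DirectoryGroupSid {
    # Domain group SIDs the directory reports for the same account right now
    # (nested groups included).
    $domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
    $user.GetAuthorizationGroups() |
        Where-Object { $_.Sid -and $_.Sid.Value -like "$domainSid-*" } |
        ForEach-Object { $_.Sid.Value }
}

function Compare-GroupSid {
    param([string[]]$TokenSid, [string[]]$DirectorySid)
    [pscustomobject]@{
        # Granted in the directory after logon: not usable until a fresh logon.
        MissingFromToken = @($DirectorySid | Where-Object { $TokenSid -notcontains $_ })
        # Removed in the directory after logon: still honoured until logoff.
        StillInToken     = @($TokenSid | Where-Object { $DirectorySid -notcontains $_ })
    }
}

# Constructed sample with a placeholder domain SID. RID 512 is Domain Admins,
# 513 is Domain Users, 1133 stands for a made-up custom group.
$d = 'S-1-5-21-1111111111-2222222222-3333333333'
$sampleToken     = "$d-513", "$d-1133"   # membership at logon
$sampleDirectory = "$d-513", "$d-512"    # membership now
Compare-GroupSid -TokenSid $sampleToken -DirectorySid $sampleDirectory

# Live check on a domain-joined machine:
# Compare-GroupSid -TokenSid (Get-TokenGroupSid) -DirectorySid (Get-DirectoryGroupSid)
```

A non-empty StillInToken is the case to watch when revoking rights: the session keeps the removed group until the user logs off.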
 
LVL 26

Expert Comment

by:pony10us
ID: 39760659
@leew: "I BEG YOU - DON'T"  Could not have said it better myself.  :)
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39760760
You seem to have accidentally selected the wrong solution (your own). Have a moderator undo that.

I'd like to add that the process of using local admins at all is more dangerous than many might think. Imagine you log on to a computer as domain admin, add a user to the admin's group and log out. Immediately afterwards, he could grab your domain admin password using script kiddie tools. He would not need to crack it, no.
So whenever we use accounts that have power on multiple computers (which normally is true for support accounts), those are in great danger as soon as local admins are around.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39760783
@McKnife:  that is why we use a GPO so that we don't actually have to login to the local machine. This still doesn't eliminate what you have pointed out but does reduce the risk some.
0
 

Author Closing Comment

by:columbiaG
ID: 39773127
accurate response and quick to point out issues that could have led to concerns
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39773153
You selected your own answer?
0
