Solved

question regarding admin rights in a domain

Posted on 2014-01-06
Last Modified: 2014-01-11
I know this is likely a simple issue, but I am running a domain with a 2008 server and using local profiles. I understood that when someone was given admin rights on their local machine, that also gave them admin rights on the network, to perform functions on other machines.

It appears that the user I have given admin rights to can only have admin rights on a machine after they first log into it.

I thought they had admin rights without logging in to the PC and developing a profile on the machine first.

Is that something that only works when you have profiles saved remotely?
Question by:columbiaG
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39760292
Not quite sure what you're talking about.

If you put a user in the DOMAIN ADMINS group in Active Directory, that user should now have FULL domain admin rights and FULL administrator rights on ALL WORKSTATIONS.

If you go to the workstation and put the user in the Administrators group on the local PC, then they ONLY have admin rights to that PC.

EXCEPTIONS to the domain admin thing can be if the Domain Admins group is removed from the local Administrators group (NOT generally done and generally not recommended).
 
LVL 26

Expert Comment

by:pony10us
ID: 39760314
"It appears that the user i have given admin rights to can only have admin rights on a machine after they first log into it."
 
If another user is logged into the machine and the "admin user" sits down and tries to do administrative level functions it will not work. The "admin user" needs to be logged in OR would have to use the Run As feature/capability. This is true even for a Domain Admin.
 

Author Comment

by:columbiaG
ID: 39760350
That is what I thought. The user I wanted to have domain admin rights was placed in Domain Admins, but her credentials still would not suffice for admin requirements on a PC. Others in Domain Admins worked fine, no local PC login required, as well as a new one I put in to test; it is only hers that will not work.
 
LVL 26

Expert Comment

by:pony10us
ID: 39760368
Did you add her to the Domain Admins after she was logged into the machine?  The login process is what checks the group membership. If she is already logged in then adding her to the group may not take effect until she logs out and back in to wherever she is currently logged into.
 

Accepted Solution

by:
columbiaG earned 0 total points
ID: 39760372
makes sense, once she logs out and back in will check it out...thanks
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39760649
For a group addition or subtraction to take effect, you MUST have the user logout.  When they logon the memberships are checked and a security token with all the current (at logon) memberships is created.  It's never recreated while the user is logged in, so if you didn't log her out, then she is still using the old token.

NOTE: if you've made them domain admins, I BEG YOU - DON'T.  Add them to the local admins group.  It's not great, but it's FAR better than giving a non-admin rights to change YOUR password and delete your account or otherwise destroy your network, intentionally, accidentally, or inadvertently thanks to malicious software.
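The point above about the security token being built once at logon can be checked directly. The following PowerShell script is an added example, not code from the thread or from the participants; it assumes the ActiveDirectory module (RSAT) is installed on the machine where it runs, and it compares the groups in the current logon token with the account's direct group membership in AD. Any group present in AD but absent from the token was added after logon and will not take effect until the user logs off and back on.

```powershell
# Added example: detect group memberships that are not yet reflected
# in the current logon token (requires the ActiveDirectory module).
Import-Module ActiveDirectory

function Get-StaleGroupMembership {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Groups as they exist in the token built at logon, as DOMAIN\Name
    $tokenGroups = $identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.Value }   # keep the raw SID if it cannot be translated
    }

    # Direct group membership for the same account, as AD sees it right now
    $samAccountName = $identity.Name.Split('\')[1]
    $adGroups = Get-ADPrincipalGroupMembership -Identity $samAccountName |
        ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }

    # Groups AD knows about that the running token does not carry
    $adGroups | Where-Object { $tokenGroups -notcontains $_ }
}

$stale = Get-StaleGroupMembership
if ($stale) {
    Write-Host "Groups in AD but missing from the logon token (log off and on to apply):"
    $stale | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "Logon token matches current direct AD group membership."
}
```

Run it in the session of the user in question; if Domain Admins (or any other group) is listed, a logoff is the fix, not a further permission change.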
 
LVL 26

Expert Comment

by:pony10us
ID: 39760659
@leew: "I BEG YOU - DON'T"  Could not have said it better myself.  :)
 
LVL 54

Expert Comment

by:McKnife
ID: 39760760
You seem to have accidentally selected the wrong solution (your own). Have a moderator undo that.

I'd like to add that the process of using local admins at all is more dangerous than many might think. Imagine you log on to a computer as domain admin, add a user to the admin's group and log out. Immediately afterwards, he could grab your domain admin password using script kiddie tools. He would not need to crack it, no.
So whenever we use accounts that have power on multiple computers (which normally is true for support accounts), those are in great danger as soon as local admins are around.
 
LVL 26

Expert Comment

by:pony10us
ID: 39760783
@McKnife: that is why we use a GPO so that we don't actually have to log in to the local machine. This still doesn't eliminate what you have pointed out but does reduce the risk some.
 

Author Closing Comment

by:columbiaG
ID: 39773127
accurate response and quick to point out issues that could have led to concerns
 
LVL 54

Expert Comment

by:McKnife
ID: 39773153
You selected your own answer?