IT Creature
asked on
Local admin has domain rights
Dear all,
Is it possible to give a local user admin rights on a file server which is also a domain controller?
I now have the problem that a local admin user has admin rights on this file server.
Please advise.
Kind regards
I don't believe that is possible. It might look that way if the local user has the same name as the domain user, but you can't add local users to the domain user accounts. Can you see this user in ADUC?
To simplify it, why not create a security group for the users that need elevated permissions on the file share portion of the server, and give the proper rights at that level rather than possibly compromising the server.
Local users on a domain controller are not really a thing.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/b095b851-d2e7-4dd3-9678-f50088debe59/how-to-access-local-administrator-account-on-domain-controller?forum=windowsserver2008r2general
ASKER
Ok, now this.
There is one PC in the network with a local admin account called "operator".
There is also a domain user in AD called "operator" which has domain admin rights.
The security on the disk on the fileserver/DC has permissions for domain admins and users.
Strangely enough, when logged on to the PC with the local operator account, I have access to all the shares on this disk, and when I use a local administrator account I get a username/password prompt like I should.
When I disable the domain operator account in AD, the local operator account has no access (not even a username/password prompt).
Those are two distinctly different accounts. One local and one domain.
"Strangely enough, when logged on to the pc with the local operator account, I have access to alles the shares on this disk" is a typo. Please correct and specify which disk.
"and when I use a local administrator account I get a username/password prompt like I should" - are you saying this shouldn't happen?
"When I disable the domain operator account in AD the local operator account has no access (not even a username/password prompt)" - watch what you are logging in to. Specify. If you want to log in to the local computer, the username is LocalComputerName\Operator. If you want to log in to the domain, the username is Domain\Operator. Specify so there is no mistake.
It might not be a bad idea to rename one of them. As you can see, a local and domain account with the same name seems to be confusing.
ASKER
It is confusing all right, but is it not also a security breach?
How can it be that an account with the same name gets admin rights within a domain?
What is the best way to make sure that the local operator account is actually a local account?
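The replies above distinguish the two accounts by their authority prefix (LocalComputerName\Operator versus Domain\Operator), and the asker wants a way to prove which one is which and which one actually opened the shares. The script below is an added example, not code from the thread or from Experts Exchange. It checks the distinction the way an engineer would: by SID rather than by name (a local account's SID is issued under the machine SID, a domain account's under the domain SID), it reports the identity of the current logon session, and, run on the file server, it lists the account each SMB client authenticated as. The account name "operator" is the one from the thread; the PC and domain names in the comments are placeholders. It assumes PowerShell on Windows 10 / Server 2016 or later (Get-LocalUser, Get-SmbSession) and the RSAT ActiveDirectory module for Get-ADUser and Get-ADDomain.

```powershell
# Added example (not from the thread): tell the local "operator" account apart from the
# domain "operator" account by SID, report which one this logon session is, and list the
# identity behind each SMB session on the file server.
# Assumptions: Windows 10 / Server 2016+ PowerShell (Get-LocalUser, Get-SmbSession) and the
# RSAT ActiveDirectory module (Get-ADUser, Get-ADDomain). 'operator' is the name from the
# thread; PC01 / CONTOSO in the comments are placeholders.

$Name = 'operator'

function Get-MachineSid {
    # The built-in Administrator account always has RID 500 (even if renamed), so the
    # domain part of its SID is the machine SID under which all local accounts are issued.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    return $builtin.SID.AccountDomainSid.Value
}

function Test-IsLocalAccountSid {
    param([string]$Sid, [string]$MachineSid)
    # Local accounts: S-1-5-21-<machine SID>-<RID>. Domain accounts: S-1-5-21-<domain SID>-<RID>.
    # The prefix, not the name, is what decides where an account lives.
    return $Sid.StartsWith("$MachineSid-")
}

# --- 1. On the workstation: are there really two different principals called 'operator'? ---
$machineSid = Get-MachineSid
$localUser  = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
$domainUser = Get-ADUser -Identity $Name -ErrorAction SilentlyContinue   # needs RSAT AD module

if ($localUser) {
    "{0}\{1}  SID {2}  local={3}" -f $env:COMPUTERNAME, $Name, $localUser.SID.Value,
        (Test-IsLocalAccountSid $localUser.SID.Value $machineSid)
}
if ($domainUser) {
    "{0}\{1}  SID {2}  local={3}" -f (Get-ADDomain).NetBIOSName, $Name, $domainUser.SID.Value,
        (Test-IsLocalAccountSid $domainUser.SID.Value $machineSid)
}

# --- 2. Which identity is this session running as? ---
# whoami prefixes the account with its authority: PC01\operator is the local account,
# CONTOSO\operator the domain account. The SID check below does not depend on the prefix.
$me = whoami /user /fo csv | ConvertFrom-Csv      # columns: 'User Name', 'SID'
"Logged on as {0} ({1}); local account: {2}" -f $me.'User Name', $me.SID,
    (Test-IsLocalAccountSid $me.SID $machineSid)

# --- 3. On the file server / DC: who is actually holding each SMB session? ---
# If the workstation was logged on as PC01\operator but this list shows CONTOSO\operator,
# the share was opened with the domain account's credentials, not the local account's.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Format-Table -AutoSize
```

Steps 1 and 2 run on the workstation; step 3 runs on the file server (the DC). If the local and domain "operator" accounts also share the same password, an NTLM authentication from the workstation presenting user "operator" with an unknown authority (the PC name) is resolved by the DC against its own domain and succeeds with the domain account's credentials, which is consistent with the observation that disabling the domain account removes the access. Step 3 makes that visible. Giving the two accounts different passwords, or renaming one as suggested above, removes the overlap; moving the file share off the domain controller removes the reason anyone needs a local-style account on it at all.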