Solved

Making Domain User a Standard Local User (vs a Local Admin user)

Posted on 2016-10-03
Last Modified: 2016-10-04
I have a server running AD DS and I've created a user (UserA).   Under AD DS Users and Computers, UserA is in two groups: Builtin/Administrators and [my domain]/Domain Users.  

When I log in as UserA on a random client (which is on the domain), I have local admin access.  But I only want this user to have User access (aka not install programs etc).   When I go to the LOCAL users and groups settings, there are only three users: Administrator, Default Account and Guest--ALL of which are disabled.

My questions:

1. How do I restrict UserA so that it is merely a Standard User on any given computer on the domain, and
2. What is best practice as far as Administrators go on LOCAL computers.  Should I use a GPO to create a local admin account on each computer?  Should I just keep the local Administrator account active vs disabling?  What do you guys see in SMB environments?

Thanks
Question by:Michael
 
LVL 11

Expert Comment

by:Maclean
ID: 41827282
Have you reviewed instructions on managing local admins via GPO?

If you manage machines with GPO, you can specify who is a local admin, and who is not. There might already be a policy in place on the machine.

You would need to thoroughly read the instructions, not zoom through them in a rush, as you could end up removing legitimate local admin rights from other accounts & users if rushing it, which I have seen techs do a fair few times throughout the years.
 
LVL 22

Expert Comment

by:yo_bee
ID: 41827325
It is not normal when you create a new user account in AD that they get put into the administrator group.
 

Author Comment

by:Michael
ID: 41827329
I may have put them in the two groups I listed.  But I still have the questions in the OP.

Does a user in the Builtin/Admin group mean that they are local admins by default on all clients?

 
LVL 22

Assisted Solution

by:yo_bee
yo_bee earned 250 total points
ID: 41827331
If they are put into the Domain Admin group then they will be in all local computers built-in\Administrators.


Not sure why you added this user to a Domain Administrators group, but if you do not want this user to have Admin rights then you should remove it from the Domain Admin group.
 

Author Comment

by:Michael
ID: 41827341
I don't think I said Domain Admin group.  

1. On the server I created a user.
2. It's in two groups.  See OP
3. I login as that user on a random client on the domain and somehow it has Admin access to install programs.
4. It is NOT in the Domain Admins group (see OP).
5. All local users are disabled.
 
LVL 22

Expert Comment

by:yo_bee
ID: 41827352
This cannot happen.
Is your server running AD DS a DC or not?
Can you post a screenshot?  I have to see this with my own eyes.
 

Author Comment

by:Michael
ID: 41827359
Ok I took two pictures. One of the server and one of the PC.

NOTE:  I removed the group "Builtin/Administrator" to see if that fixed things but it didn't.  So that's why that group is not listed in the picture.
IMG_5107.JPG
IMG_5105.JPG
 
LVL 11

Accepted Solution

by:Maclean
Maclean earned 250 total points
ID: 41827362
You are looking at the users, not the groups (On local PC). In groups double click administrators, and view its members.
Alternatively open a CMD and run net localgroup administrators to list the users with administrator rights.
You might find that domain\domain users are member of the Administrators group.
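The check the accepted answer describes, plus the fix the asker ended up applying by hand, as an added PowerShell example (not code from the thread). It assumes an elevated session on the domain-joined client with the built-in LocalAccounts cmdlets available (Windows 10 / Server 2016 or later); `CONTOSO\UserA` is a placeholder for the real domain\user.

```powershell
# Added example: audit the local Administrators group on a domain-joined client
# and remove one domain account from it. Placeholder account below.
$Account = 'CONTOSO\UserA'   # placeholder: replace with your domain\user

# List every principal that currently holds local admin rights. Domain groups
# nested here (e.g. Domain Users) grant admin rights to every member, which is
# the case the accepted answer says to look for.
$members = Get-LocalGroupMember -Group 'Administrators'
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Flag the common misconfiguration: the whole Domain Users group as a local admin.
$domainUsers = $members | Where-Object { $_.Name -like '*\Domain Users' }
if ($domainUsers) {
    Write-Warning "Domain Users is a member of local Administrators on $env:COMPUTERNAME; every domain account is a local admin here."
}

# Remove the single account the question is about, if it is a direct member.
if ($members.Name -contains $Account) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $Account
    Write-Output "Removed $Account from local Administrators on $env:COMPUTERNAME."
} else {
    Write-Output "$Account is not a direct member of local Administrators."
}

# Classic equivalents, as in the accepted answer:
#   net localgroup administrators
#   net localgroup administrators CONTOSO\UserA /delete
```

Run the audit part on a few clients before changing anything; if a domain group rather than the single user turns out to be the member, the group (not UserA) is what needs removing, and doing that through a GPO keeps every client consistent.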
 

Author Comment

by:Michael
ID: 41827365
When I go to Groups on the LOCAL pc I do see that the [domain]\UserA is listed!  So if I remove it from the group it will be a Standard User then?  Thank you!

I guess I was assuming that the [domain]\UserA would be listed under Users.
 
LVL 22

Expert Comment

by:yo_bee
ID: 41827368
It should be.  Your image does not show who is in the local groups.
All your images show is that you have the Local Users Management MMC open.

How are you confirming that UserA is a member of the Local Built-in Admin group?
 

Author Comment

by:Michael
ID: 41828046
I was confirming this by going to AD DS Users and Computers on the SERVER and then double-clicking on this User.  Then on the "Member Of" tab it listed those two groups.  I'm assuming "Builtin" in this sense refers to Admin rights on the server itself vs local pcs on the domain.

I did fix this, btw, by opening up the Administrators group on the LOCAL pc and then removing UserA.
 
LVL 22

Expert Comment

by:yo_bee
ID: 41828082
Question is how did UserA get in the Local Admin group?