
Making Domain User a Standard Local User (vs a Local Admin user)

I have a server running AD DS and I've created a user (UserA).   Under AD DS Users and Computers, UserA is in two groups: Builtin/Administrators and [my domain]/Domain Users.  

When I login as UserA on a random client (which is on the domain), I have local admin access.  But I only want this user to have User access (aka not install programs etc).   When I go to the LOCAL users and groups settings, there are only three users: Administrator, Default Account and Guest--ALL of which are disabled.  

My questions:

1. How do I restrict UserA so that it is merely a Standard User on any given computer on the domain, and
2. What is best practice as far as Administrators go on LOCAL computers.  Should I use a GPO to create a local admin account on each computer?  Should I just keep the local Administrator account active vs disabling?  What do you guys see in SMB environments?

Thanks
Asked by: Michael
 
Maclean (System Engineer) commented:
Have you reviewed instructions on managing local admins via GPO?

If you manage machines with GPO, you can specify who is a local admin, and who is not. There might already be a policy in place on the machine.

You would need to thoroughly read the instructions, not zoom through them in a rush, as you could end up removing legitimate local admin rights from other accounts & users if rushing it, which I have seen techs do a fair few times throughout the years.
0
 
yo_bee (Director of IT) commented:
It is not normal when you create a new user account in AD that they get put into the administrator group.
0
 
Michael (Chief Financial Officer, Author) commented:
I may have put them in the two groups I listed.  But I still have the questions in the OP.

Does a user in the Builtin/Admin group mean that they are local admins by default on all clients?
0
 
yo_bee (Director of IT) commented:
If they are put into the Domain Admin group then they will be in all local computers built-in\Administrators.


Not sure why you added this user to a Domain Administrators group, but if you do not want this user to have Admin rights then you should remove it from the Domain Admin group.
0
 
Michael (Chief Financial Officer, Author) commented:
I don't think I said Domain Admin group.  

1. On the server I created a user.
2. It's in two groups.  See OP
3. I login as that user on a random client on the domain and somehow it has Admin access to install programs.
4. It is NOT in the Domain Admins group (see OP).
5. All local users are disabled.
0
 
yo_bee (Director of IT) commented:
This is impossible to happen.
Is your server running AD DS a DC or not?
Can you post a screenshot?  I have to see this with my own eyes.
0
 
Michael (Chief Financial Officer, Author) commented:
Ok I took two pictures. One of the server and one of the PC.

NOTE:  I removed the group "Builtin/Administrator" to see if that fixed things but it didn't.  So that's why that group is not listed in the picture.
IMG_5107.JPG
IMG_5105.JPG
0
 
Maclean (System Engineer) commented:
You are looking at the users, not the groups (on the local PC). In Groups, double-click Administrators and view its members.
Alternatively, open a CMD and run net localgroup administrators to list the users with administrator rights.
You might find that domain\domain users is a member of the Administrators group.
0
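
The membership check Maclean describes above, as an added PowerShell example that is not part of the original thread. The function name Test-LocalAdminMember, the EXAMPLE domain, the PC01 host name and the sample SIDs are constructed for illustration.

```powershell
# Added example, not from the thread. Classifies the members of the local
# Administrators group so unexpected domain accounts stand out.
function Test-LocalAdminMember {
    param([Parameter(Mandatory, ValueFromPipeline)] $Member)
    process {
        # Well-known RIDs: 500 = built-in Administrator,
        # 512 = Domain Admins, 513 = Domain Users.
        $finding = switch -Regex ([string]$Member.SID) {
            '^S-1-5-21-.+-500$' { 'expected: built-in Administrator'; break }
            '^S-1-5-21-.+-512$' { 'expected: Domain Admins (added at domain join)'; break }
            '^S-1-5-21-.+-513$' { 'REVIEW: Domain Users, every domain user is a local admin'; break }
            default {
                if ($Member.ObjectClass -eq 'User') { 'REVIEW: single account added directly' }
                else { 'REVIEW: group outside the default membership' }
            }
        }
        [pscustomobject]@{
            Name    = $Member.Name
            Class   = $Member.ObjectClass
            Finding = $finding
        }
    }
}

# Constructed sample that mirrors the situation in the thread: a domain user
# sitting directly in the local Administrators group. SIDs are made up.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator'; ObjectClass = 'User'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; ObjectClass = 'Group'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-512' }
    [pscustomobject]@{ Name = 'EXAMPLE\UserA'; ObjectClass = 'User'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-1104' }
)
$sample | Test-LocalAdminMember | Format-Table -AutoSize

# On a real client, read the live membership instead. S-1-5-32-544 is the
# well-known SID of the local Administrators group, so this does not depend
# on the group's display name.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Test-LocalAdminMember | Format-Table -AutoSize
}
```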
 
Michael (Chief Financial Officer, Author) commented:
When I go to Groups on the LOCAL pc I do see that the [domain]\UserA is listed!  So if I remove it from the group it will be a Standard User then?  Thank you!

I guess I was assuming that the [domain]\UserA would be listed under Users.
0
 
yo_bee (Director of IT) commented:
It should be.  Your image does not show who is in the local groups.
All your images show is that you have the Local Users Management MMC open.

How are you confirming that UserA is a member of the Local Built-in Admin group?
0
 
Michael (Chief Financial Officer, Author) commented:
I was confirming this by going to AD DS Users and Computers on the SERVER and then double-clicking on this User.  Then on the "Member Of" tab it listed those two groups.  I'm assuming "Builtin" in this sense refers to Admin rights on the server itself vs local pcs on the domain.

I did fix this, btw, by opening up the Administrators group on the LOCAL pc and then removing the UserA.
0
 
yo_bee (Director of IT) commented:
Question is how did UserA get in the Local Admin group?
0
