Solved

Making Domain User a Standard Local User (vs a Local Admin user)

Posted on 2016-10-03
Last Modified: 2016-10-04
I have a server running AD DS and I've created a user (UserA).   Under AD DS Users and Computers, UserA is in two groups: Builtin/Administrators and [my domain]/Domain Users.  

When I log in as UserA on a random client (which is on the domain), I have local admin access. But I only want this user to have User access (aka not install programs etc). When I go to the LOCAL users and groups settings, there are only three users: Administrator, Default Account and Guest--ALL of which are disabled.

My questions:

1. How do I restrict UserA so that it is merely a Standard User on any given computer on the domain, and
2. What is best practice as far as Administrators go on LOCAL computers? Should I use a GPO to create a local admin account on each computer? Should I just keep the local Administrator account active vs disabling? What do you guys see in SMB environments?

Thanks
Question by:Michael
12 Comments
 
LVL 10

Expert Comment

by:Maclean
ID: 41827282
Have you reviewed instructions on managing local admins via GPO?

If you manage machines with GPO, you can specify who is a local admin, and who is not. There might already be a policy in place on the machine.

You would need to thoroughly read the instructions, not zoom through them in a rush, as you could end up removing legitimate local admin rights from other accounts & users if rushing it, which I have seen techs do a fair few times throughout the years.
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41827325
It is not normal when you create a new user account in AD that they get put into the administrator group.
0
 

Author Comment

by:Michael
ID: 41827329
I may have put them in the two groups I listed. But I still have the questions in the OP.

Does a user in the Builtin/Admin group mean that they are local admins by default on all clients?
0
 
LVL 22

Assisted Solution

by:yo_bee
yo_bee earned 250 total points
ID: 41827331
If they are put into the Domain Admin group then they will be in all local computers built-in\Administrators.


Not sure why you added this user to a Domain Administrators group, but if you do not want this user to have Admin rights then you should remove it from the Domain Admin group.
0
 

Author Comment

by:Michael
ID: 41827341
I don't think I said Domain Admin group.  

1. On the server I created a user.
2. It's in two groups.  See OP
3. I log in as that user on a random client on the domain and somehow it has Admin access to install programs.
4. It is NOT in the Domain Admins group (see OP).
5. All local users are disabled.
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41827352
This is impossible to happen.
Is your server running AD DS a DC or not?
Can you post a screenshot? I have to see this with my own eyes.
0
 

Author Comment

by:Michael
ID: 41827359
Ok I took two pictures. One of the server and one of the PC.

NOTE:  I removed the group "Builtin/Administrator" to see if that fixed things but it didn't.  So that's why that group is not listed in the picture.
IMG_5107.JPG
IMG_5105.JPG
0
 
LVL 10

Accepted Solution

by:Maclean
Maclean earned 250 total points
ID: 41827362
You are looking at the users, not the groups (on the local PC). In Groups, double-click Administrators and view its members.
Alternatively, open a CMD and run net localgroup administrators to list the users with administrator rights.
You might find that domain\domain users are members of the Administrators group.
0
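
The membership check from the accepted answer, extended into a small audit, as an added example that is not part of the original thread. The function name `Get-AdminMemberFinding`, the allow list of RIDs, and the sample names and SIDs are all constructed for illustration.

```powershell
# Added example (not from the thread): classify members of the local
# Administrators group and flag broad principals such as Domain Users.

function Get-AdminMemberFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Members,   # objects with Name and SID
        # Assumption: only the built-in local Administrator (RID 500) and
        # Domain Admins (RID 512) are expected; adjust to your own policy.
        [string[]] $AllowedRids = @('500', '512')
    )
    # Well-known SIDs that cover essentially every user who can log on.
    $broadSids = @{
        'S-1-1-0'  = 'Everyone'
        'S-1-5-11' = 'Authenticated Users'
        'S-1-5-4'  = 'INTERACTIVE'
    }
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $rid = $sid.Split('-')[-1]          # last sub-authority = relative ID
        $finding = if ($broadSids.ContainsKey($sid)) {
            "BROAD: $($broadSids[$sid]) holds local admin rights"
        } elseif ($sid -like 'S-1-5-21-*' -and $rid -eq '513') {
            'BROAD: Domain Users holds local admin rights'
        } elseif ($sid -like 'S-1-5-21-*' -and $AllowedRids -contains $rid) {
            'expected'
        } else {
            'REVIEW: individual or unexpected principal'
        }
        [pscustomobject]@{ Name = $m.Name; SID = $sid; Finding = $finding }
    }
}

# Constructed sample: what a misconfigured client might return.
$dom = 'S-1-5-21-4444444444-5555555555-6666666666'   # constructed domain SID
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = "$dom-512" }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users';  SID = "$dom-513" }
    [pscustomobject]@{ Name = 'EXAMPLE\UserA';         SID = "$dom-1104" }
)
Get-AdminMemberFinding -Members $sample | Format-Table -AutoSize

# On a live client (Windows PowerShell 5.1+), audit the real group by its
# well-known SID so the check does not depend on the group's localized name:
# Get-AdminMemberFinding -Members (Get-LocalGroupMember -SID 'S-1-5-32-544') | Format-Table -AutoSize
```

With the constructed sample, the first two entries are reported as expected, Domain Users is flagged as BROAD, and UserA is flagged for REVIEW, which is the situation described in this thread.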
 

Author Comment

by:Michael
ID: 41827365
When I go to Groups on the LOCAL pc I do see that the [domain]\UserA is listed!  So if I remove it from the group it will be a Standard User then?  Thank you!

I guess I was assuming that the [domain]\UserA would be listed under Users.
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41827368
It should be. Your image does not show who is in the local groups.
All your images show is that you have the Local Users Management MMC open.

How are you confirming that UserA is a member of the Local Built-in Admin group?
0
 

Author Comment

by:Michael
ID: 41828046
I was confirming this by going to AD DS Users and Computers on the SERVER and then double-clicking on this User.  Then on the "Member Of" tab it listed those two groups.  I'm assuming "Builtin" in this sense refers to Admin rights on the server itself vs local pcs on the domain.

I did fix this, btw, by opening up the Administrators group on the LOCAL pc and then removing UserA.
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41828082
Question is how did UserA get in the Local Admin group?
0


Question has a verified solution.
