Solved

Making Domain User a Standard Local User (vs a Local Admin user)

Posted on 2016-10-03
12
46 Views
Last Modified: 2016-10-04
I have a server running AD DS and I've created a user (UserA).   Under AD DS Users and Computers, UserA is in two groups: Builtin/Administrators and [my domain]/Domain Users.  

When I login as UserA on a random client (which is on the domain), I have local admin access.  But I only want this user to have User access (aka not install programs etc).   When I go to the LOCAL users and groups settings, there are only three users: Administrator, Default Account and Guest--ALL of which are disabled.  

My questions:

1. How do I restrict UserA so that it is merely a Standard User on any given computer on the domain, and
2. What is best practice as far as Administrators go on LOCAL computers.  Should I use a GPO to create a local admin account on each computer?  Should I just keep the local Administrator account active vs disabling?  What do you guys see in SMB environments?

Thanks
0
Comment
Question by:Michael
  • 5
  • 5
  • 2
12 Comments
 
LVL 10

Expert Comment

by:Maclean
ID: 41827282
Have you reviewed  instructions on managing local admins via GPO?

If you manage machines with GPO, you can specify who is a local admin, and who is not. There might already be a policy in place on the machine.

You would need to thoroughly read the instructions, not zoom through them in a rush, as you could end up removing legitimate local admin rights from other accounts & users if rushing it, which I have seen techs do a fair few times throughout the years.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 41827325
It is not normal when you create a new user account in AD that they get put into the administrator group.
0
 

Author Comment

by:Michael
ID: 41827329
I may have put them in the two groups I listed.  But I still have the questions in the OP..

Does a user in the Builtin/Admin group mean that they are local admins by default on all clients?
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 250 total points
ID: 41827331
If they are put into the Domain Admin group then they will be in all local computers built-in\Administrators.


Not sure why you added this user to a Domain Administrators group, but if you do not want this user to have Admin rights then you should remove it from the Domain Admin group.
0
 

Author Comment

by:Michael
ID: 41827341
I don't think I said Domain Admin group.  

1. On the server I created a user.
2. It's in two groups.  See OP
3. I login as that user on a random client on the domain and somehow it has Admin access to install programs.
4. It is NOT in the Domain Admins group (see OP).
5. All local users are disabled.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 41827352
This is impossible to happen.
Is your server running AD DS is not or is a DC?
can you post a screenshot.  I have to see this for my own eyes.
0
 

Author Comment

by:Michael
ID: 41827359
Ok I took two pictures. One of the server and one of the PC.

NOTE:  I removed the group "Builtin/Administrator" to see if that fixed things but it didn't.  So that's why that group is not listed in the picture.
IMG_5107.JPG
IMG_5105.JPG
0
 
LVL 10

Accepted Solution

by:
Maclean earned 250 total points
ID: 41827362
You are looking at the users, not the groups (On local PC). In groups double click administrators, and view its members.
Alternatively open a CMD and run net localgroup administrators to list the users with administrator rights.
You might find that domain\domain users are member of the Administrators group.
0
 

Author Comment

by:Michael
ID: 41827365
When I go to Groups on the LOCAL pc I do see that the [domain]\UserA is listed!  So if I remove it from the group it will be a Standard User then?  Thank you!

I guess I was assuming that the [domain]\UserA would be listed under Users.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 41827368
It should be.  Your image does not show who is in the local groups.
All your images show is that you have Local Users Management MMC is open.

How are you confirming that UserA is a member of the Local Built-in Admin group?
0
 

Author Comment

by:Michael
ID: 41828046
I was confirming this by going to AD DS Users and Computers on the SERVER and then double-clicking on this User.  Then on the "Member Of" tab it listed those two groups.  I'm assuming "Builtin" in this sense refers to Admin rights on the server itself vs local pcs on the domain.

I did fix this, btw, by opening up the Administrators group on the LOCAL pc and then removing the UserA
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 41828082
Question is how did UserA get in the Local Admin group?
0

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now