Solved

Making Domain User a Standard Local User (vs a Local Admin user)

Posted on 2016-10-03
Last Modified: 2016-10-04
I have a server running AD DS and I've created a user (UserA).   Under AD DS Users and Computers, UserA is in two groups: Builtin/Administrators and [my domain]/Domain Users.  

When I login as UserA on a random client (which is on the domain), I have local admin access.  But I only want this user to have User access (aka not install programs etc).   When I go to the LOCAL users and groups settings, there are only three users: Administrator, Default Account and Guest--ALL of which are disabled.  

My questions:

1. How do I restrict UserA so that it is merely a Standard User on any given computer on the domain, and
2. What is best practice as far as Administrators go on LOCAL computers.  Should I use a GPO to create a local admin account on each computer?  Should I just keep the local Administrator account active vs disabling?  What do you guys see in SMB environments?

Thanks
Question by:Michael
12 Comments
LVL 10

Expert Comment

by:Maclean
ID: 41827282
Have you reviewed the instructions on managing local admins via GPO?

If you manage machines with GPO, you can specify who is a local admin, and who is not. There might already be a policy in place on the machine.

You would need to thoroughly read the instructions, not zoom through them in a rush, as you could end up removing legitimate local admin rights from other accounts & users if rushing it, which I have seen techs do a fair few times throughout the years.
LVL 22

Expert Comment

by:yo_bee
ID: 41827325
It is not normal when you create a new user account in AD that they get put into the administrator group.
Author Comment

by:Michael
ID: 41827329
I may have put them in the two groups I listed.  But I still have the questions in the OP.

Does a user in the Builtin/Admin group mean that they are local admins by default on all clients?
LVL 22

Assisted Solution

by:yo_bee
yo_bee earned 250 total points
ID: 41827331
If they are put into the Domain Admin group then they will be in all local computers built-in\Administrators.


Not sure why you added this user to a Domain Administrators group, but if you do not want this user to have Admin rights then you should remove it from the Domain Admin group.
Author Comment

by:Michael
ID: 41827341
I don't think I said Domain Admin group.  

1. On the server I created a user.
2. It's in two groups.  See OP
3. I login as that user on a random client on the domain and somehow it has Admin access to install programs.
4. It is NOT in the Domain Admins group (see OP).
5. All local users are disabled.
LVL 22

Expert Comment

by:yo_bee
ID: 41827352
This is impossible to happen.
Is your server running AD DS a DC or not?
Can you post a screenshot?  I have to see this with my own eyes.

Author Comment

by:Michael
ID: 41827359
Ok I took two pictures. One of the server and one of the PC.

NOTE:  I removed the group "Builtin/Administrator" to see if that fixed things but it didn't.  So that's why that group is not listed in the picture.
IMG_5107.JPG
IMG_5105.JPG
LVL 10

Accepted Solution

by:Maclean
Maclean earned 250 total points
ID: 41827362
You are looking at the users, not the groups (On local PC). In groups double click administrators, and view its members.
Alternatively open a CMD and run net localgroup administrators to list the users with administrator rights.
You might find that domain\domain users are member of the Administrators group.
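The check Maclean describes, written up as an added PowerShell audit script (not code from this thread). It assumes a domain-joined client on Windows 10 / Server 2016 or later, an elevated session, and a hypothetical allow-list of members that are supposed to be in the local Administrators group:

```powershell
# Added example (not from the thread): audit the local Administrators group on a
# domain-joined PC and flag members that are not on an expected allow-list.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+)
# and an elevated PowerShell session on the client.

param(
    # Hypothetical allow-list: short names expected in local Administrators.
    [string[]]$Expected = @('Administrator', 'Domain Admins')
)

# Typed equivalent of "net localgroup administrators".
$members = Get-LocalGroupMember -Group 'Administrators'

foreach ($m in $members) {
    # $m.Name looks like "CONTOSO\UserA" or "PCNAME\Administrator"; keep the short name.
    $short  = $m.Name.Split('\')[-1]
    $status = if ($Expected -contains $short) { 'expected' } else { 'UNEXPECTED' }
    # PrincipalSource shows whether the member is a Local or ActiveDirectory principal.
    '{0,-11} {1,-6} {2,-16} {3}' -f $status, $m.ObjectClass, $m.PrincipalSource, $m.Name
}

# The broad-group case raised above: "Domain Users" in local Administrators
# makes every domain user a local admin on this machine.
$broad = $members | Where-Object { $_.Name -match '\\Domain Users$' }
if ($broad) {
    Write-Warning "Domain Users is a member of local Administrators on $env:COMPUTERNAME"
}

# Preview (not apply) the fix the author used: remove a specific member.
# Replace CONTOSO\UserA with the real domain\user; drop -WhatIf to apply.
Remove-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\UserA' -WhatIf
```

To audit several clients at once, run the same script body through Invoke-Command against a list of computer names and collect the UNEXPECTED rows.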

Author Comment

by:Michael
ID: 41827365
When I go to Groups on the LOCAL pc I do see that the [domain]\UserA is listed!  So if I remove it from the group it will be a Standard User then?  Thank you!

I guess I was assuming that the [domain]\UserA would be listed under Users.
LVL 22

Expert Comment

by:yo_bee
ID: 41827368
It should be.  Your image does not show who is in the local groups.
All your images show is that you have the Local Users Management MMC open.

How are you confirming that UserA is a member of the Local Built-in Admin group?
Author Comment

by:Michael
ID: 41828046
I was confirming this by going to AD DS Users and Computers on the SERVER and then double-clicking on this User.  Then on the "Member Of" tab it listed those two groups.  I'm assuming "Builtin" in this sense refers to Admin rights on the server itself vs local pcs on the domain.

I did fix this, btw, by opening up the Administrators group on the LOCAL PC and then removing UserA.
LVL 22

Expert Comment

by:yo_bee
ID: 41828082
Question is how did UserA get in the Local Admin group?