  • Status: Solved
  • Priority: Medium

Security Permissions Issues

I'm having some permissions issues and don't know what I'm doing wrong.

I had a Win7 PC (MAE-PC) which had one user: Michael.  This user is in the local Administrators group (see snapshot).

I added a local server and started up AD DS, DNS and DHCP and created a Domain Admin called Michael (Michael@ESCARRAF.COM).

I added the Win7 PC (MAE-PC) to the Domain.  Then went into the Local Users and Groups for the PC and added the Domain Admin (Michael@ESCARRAF.COM) to the Local Administrators group (see snapshot).  

When I log in to MAE-PC\Michael (local Admin) I can install programs fine.  But, when I log in as ESCARRAF\Michael, it says permission denied on the C:\Program Files and C:\Program Files (x86) folders.

So, when I check the Security tab on C:\Program Files I see that LOCAL Administrators have no access and Users have Read/Execute.  How is that even possible?  Anyway, my main issue is that I can't install anything when logged in with a Domain user.  See snapshot for security settings on C:\Program Files.  I have NEVER touched these permissions.

I did notice that for C:\Program Files, C:\Program Files (x86), C:\Users and C:\Windows, the permissions are NOT inherited from C:\.

Michael
2016-10-21_10-36-49.jpg
2016-10-21_10-58-26.jpg
2016-10-21_10-58-48.jpg
2016-10-21_10-59-13.jpg
2 Solutions
 
McKnife Commented:
Simply scroll down on https://filedb.experts-exchange.com/incoming/2016/10_w43/1123503/2016-10-21_10-58-48.jpg
You'll see that there is a checkbox "special permissions" checked for administrators. They have all access.
0
 
Michael (Chief Financial Officer, Author) Commented:
My main question is why doesn't ESCARRAF.COM/Michael have access?
0
 
McKnife Commented:
UAC filters the domain admin's token. It will only take effect when Michael elevates.
0
 
arnold Commented:
To McKnife's point, when you install as local user, do you get prompted for UAC elevation? If so, when you log in with the domain account, do you get prompted with UAC as well?
Your AD GPO might set UAC not to prompt (notify, never), which will explain the difference in handling.
Do you get the same error if you right-click on the setup/installer and run it as administrator?
0
 
Michael (Chief Financial Officer, Author) Commented:
Let me try to right click. I do know that I have UAC disabled so that shouldn't be the issue. I don't get prompted ever.
0
 
McKnife Commented:
With UAC off, it has to work. So it's defective behavior. Try a repair installation, aka in-place upgrade.
0
 
arnold Commented:
With UAC off, the domain account even as part of the local administrators group falls under more scrutiny compared to the local account that is a member of the local administrators group.

Do you have any anti-virus application on the system/internet security application that might be enforcing/denying the domain user install attempt?
0
 
McKnife Commented:
I disagree. No difference between different admins when UAC is off.
0
 
arnold Commented:
Is the domain account also a member of the domain users group?
0
 
Michael (Chief Financial Officer, Author) Commented:
Fixed!  After rebooting all is fine!  Perhaps the domain didn't authenticate thus the NT Authority wasn't a valid user?

Thanks for the responses!
0
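
The token filtering and UAC state discussed in this thread can be checked directly instead of inferred from the Security tab. The PowerShell diagnostic below is an added example, not code from any participant in the thread; it assumes an English-language Windows install (the `whoami` column names and attribute text are localized) and is meant to be run in the session of the account that is being denied.

```powershell
# Added diagnostic, not from the thread. Run it in the session of the account
# that is being denied (here, the domain account). Works on PowerShell 2.0.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators

# IsInRole is true only when the Administrators SID is enabled in this token,
# i.e. the process is elevated, or UAC is off and the token is unfiltered.
$adminEnabled = $principal.IsInRole($adminSid)

# whoami lists every group in the token with its attributes. In a UAC-filtered
# token, Administrators is present but marked "Group used for deny only".
# Assumption: English-language Windows (column names and attribute text).
$adminEntry = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }

if (-not $adminEntry) {
    $tokenState = 'Administrators not in token: membership was not in effect at logon'
} elseif ($adminEntry.Attributes -match 'deny only') {
    $tokenState = 'Filtered token: Administrators is deny-only until elevation'
} else {
    $tokenState = 'Full token: Administrators is enabled'
}

# UAC policy as configured in the registry. EnableLUA = 0 means UAC is off,
# but a change to this value only takes effect after a restart.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

New-Object PSObject -Property @{
    User                       = $identity.Name
    AdministratorsEnabled      = $adminEnabled
    TokenState                 = $tokenState
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
} | Format-List
```

Comparing the output for the local and the domain account, before and after a reboot or fresh logon, shows whether a denial comes from a filtered token, from a group membership that is not yet in the token, or from a UAC setting that has not taken effect.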