Re: Local Admin vs Domain Admin problems

From: Oli Restorick (youcanguess_at_willowhayes.co.uk)
Date: 05/31/03 

Date: Sat, 31 May 2003 02:08:11 +0100

I would guess that what you've actually ended up doing is to create a new
user account on the local machine with the same name as the one on the
domain and added this to the local administrators group.

I am also guessing that you did this by using the Users and Passwords applet
in control panel.

The best way to get things straight is as follows:

My Computer (right click)| Manage | Computer Management (Local) | System
Tools | Local Users and Groups | Users

Unless you really want users to have local accounts, you should only see
Administrator and Guest in here.

If you believe you've mistakenly created a local account, disable it (but
don't delete it).

Next, go into Local Users and Groups | Groups | Administrators

In here, you should see "Administrators" and also "MyDomain\Domain Admins".

You may also see a user account here. If it's prefixed by the name of your
domain, then you've correctly set it up. If it just lists a user name,
you've given a local account administrator privileges rather than the domain
account. If so, add the domain account to this group.

One other tip is that it's possible to add "INTERACTIVE" to the local
administrators group, which results in anyone who logs in at the machine
itself is an administrator of that machine, but user accessing it remotely
get no additional rights.

Hope this helps

Oli

"Andrew" <andrew@fredlewis.com> wrote in message
news:ObZay7tJDHA.2148@TK2MSFTNGP12.phx.gbl...
> This company I do work for has a client who needs to be able to install
> programs on his local machine and change things. I give him administrative
> rights on his local machine but when I go into his network properties it
> says the property sheet is disabled. The only way I can get it to work is
to
> give him Domain Admin rights and set that as his primary group.
>
> I also have a similiar issue with quickbooks 2001. It only works if the
user
> is a member of the domain admins group and set to primary.
>
> How do I go about these things that need higher level rights without
making
> someone a domain admin?
>
>

Relevant Pages

  • Re: User rights.
    ... An account has for permissions and rights the sum of ... all permissions and rights granted to any and all groups ... An account that is in the Administrators ... Keep in mind that modify includes delete. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: IIS 5 Authentication problem- solved
    ... >In Local Security Policies/User Rights Assignment I had ... >to this computer from the network". ... >would grant only administrators the right to "deny ... >>account name for newsgroup participation only. ...
    (microsoft.public.inetserver.iis.security)
  • Re: User Privileges
    ... click on Groups and double click on Administrators. ... domain users account. ... > Yser user01 has administrative privilages on the local machine. ... > privileges on local machines. ...
    (microsoft.public.windows.server.general)
  • Re: Domain user login
    ... Hi, The account is member of users and administrators on local, but i havent ... > logged in locally on your client. ... Then you should have full rights on the ... your account is not a local administrator. ...
    (microsoft.public.win2000.active_directory)
  • Re: denying access to the Administrator
    ... You must include your account to Administrators group. ... then replace rights. ... >> other users' private files and I would like to put a stop to this. ...
    (comp.os.ms-windows.nt.admin.security)