Re: How to start cmd.exe BOTH as administrator locally AND domain admin?

From: HAL07 <yahoohal@xxxxxxxxxxxxxxxx>
Date: Tue, 17 Mar 2009 12:55:41 +0100

Alun Jones wrote:

User contexts are not additive - you cannot log on as user A, and run a program as user B, expecting the result to be a combination of A+B's rights.

RunAs will _discard_ the current user's context in favour of a different user's context.

What _is_ additive is the concept of group memberships - a user can be a member of several groups. What you need to do, in order to get domain and local administrator access is to create a domain account that is a member of the Domain Administrators group, and then make that account also a member of the local Administrators group on the machine you're working on. Or maybe you want all Domain Admins to be local admins, which you can do by adding the Domain Administrators group as a member of the local Administrators group.

Alun.
~~~~

I know that. however the user _is_ a member of domain admins, and domain admins _are_ member of local administrators.
Still no go.

--
-- HAL07, Engineering Services, Norway
-- Info: social.technet.microsoft.com/Forums/ replaces a lot of the newsgroups
.

Prev by Date: Re: Delete *.dll on 64bit
Next by Date: Re: Kaspersky, McAfee and Trend Micro regarded as malware ?
Previous by thread: Windows Parental Control
Next by thread: Does Vista Home Basic not have GPEdit?
Index(es):
- Date
- Thread

Relevant Pages

Re: Group Policy
... You have to keep attention of "Members of this group" and "This group is a member of". ... administrators group of all computers in the domain. ... restricted groups, however this GP setting will remove all the users ... The Domain User of the PC to be only added to his local administrators ...
(microsoft.public.windows.server.active_directory)
Re: restricted groups for local admin rights
... I'm referring to local administrators and not domain administrators?) ... > describe you want to use the "member of" option for restricted groups. ... > way you can add a global group to the administrators group without affecting ...
(microsoft.public.windows.group_policy)
Re: Automatically assign user as administrator
... You can add a users domain account to the local administrators group on any member ... users currently in the local administrators group on those computers will be removed. ...
(microsoft.public.win2000.security)
Re: How to start cmd.exe BOTH as administrator locally AND domain admin?
... What you need to do, in order to get domain and local administrator access is to create a domain account that is a member of the Domain Administrators group, and then make that account also a member of the local Administrators group on the machine you're working on. ... e.g. if I am domain admin and type NET STOP SPOOLER as domain admin, you get Access denied on the local Vista system. ...
(microsoft.public.windows.vista.security)
Re: List users in local administrators group on remote machine
... list all users in local administrators group on ... remove user from local administrators group on remote computer ... ' Check first if they are already a direct member. ...
(microsoft.public.windows.server.scripting)