Local user privileges

Angel Massa

I've been doing some tests with Active Directory management and I have some
questions...

I have a user that has domain user privileges on the domain. Then I log in
to the domain and I noticed that he can perform any administrator task on
his local computer. I can even create users!

If the user has domain user privileges, this should not be possible, right? I
think I'm missing something.

Please can somebody tell me how it works?

Thanks!

Regards,
Angel.
 
Mark Heitbrink [MVP]

Hi,

Angel said:
I have a user that has domain user privileges on the domain. Then I login
into the domain and I noticed that it can make any administrator tasks on
his local computer. I can even create users!

You can create users on a local machine if the user is a
member of the Power Users or Administrators group. As a power user
you can only create users or power users, no admins ;-)

If he can create admins, then he is a member of the local admin group.

That can happen if he is also a member of Domain Admins,
or if you made the domain user account a local administrator.
That can be done on the client itself via GUI or CMD
(net localgroup administratoren youruser /add) or if you manipulated
the Restricted Groups in the GPO.

HTH
Mark
 
Angel Massa

I didn't know that a power user can create other power users, thanks for the
info. But I'm still confused with local and domain users.

If users log in as domain users, what use is the local user configuration?

Also, if a domain user has only domain user privileges, what privileges does he have
over his local computer?

Or maybe I have to set up two users with the same name, one for the local and one for the domain
configuration?

Regards,
Angel.
 
cathylb

Here's what I have figured out so far:

First of all, you have to get "local" users and "domain" users straight
in your head. You set up DOMAIN users and permissions at the server in
Active Directory. LOCAL users are set up on workstations and actually
do not need to be set up at all for a user to access a domain from a
workstation. Local accounts are only for accessing THAT computer, which
would be done by putting the computer's name in the "Log on to" box at
login instead of the domain name.

When you are at a user's workstation and you right click My Computer
and go into Manage, there you will see LOCAL accounts and permissions.
If you look in the GROUPS like Administrator and Power User, these are
only LOCAL administrator and LOCAL power user permissions. Look inside
one of these groups and see if your user's name is there. If they are a
local administrator, they can create users etc on that workstation, but
these are NOT Domain User accounts - these are simply accounts for a
user to logon LOCALLY to that machine. So a person who has local admin
permissions, does NOT have domain admin permissions as well.

FOR EXAMPLE - Mary has a computer that is a member of a domain and she
has local administrative permissions on her computer. She creates a
user account for Suzy on her local machine. Suzy is NOT a domain user
(has no user account on the server), but now she is able to logon to
Mary's machine, but ONLY if she puts in the computer name at the logon
- NOT the domain name. Nothing Mary has done affects the network, only
her local machine. Suzy can logon locally, but she does not have access
to domain resources.

The only way Mary could create DOMAIN user accounts is if she has
domain admin permissions set up on the Server, and even then she could
not do it from her workstation, she would have to access A.D. to set up
those user accounts. So, the whole point here is that the accounts Mary
sets up on her local computer have nothing to do with network logins or
domain accounts. Users that Mary sets up on her local machine can't
access the network.

The other point here is that for a domain, you do not need to set up
ANY local accounts on the workstations. All user accounts are set up on
the server. You can go into the local computer under "Administrator"
and add a domain user to that account (instead of a local user) and
again, that person will only have LOCAL admin privileges, not domain.

I'm sure others have more to add to this, and there is always more to
say, but I don't want to confuse the issue any more than I may have. I
hope this helps. This was a big confusing thing for me in the beginning.
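Mark's first reply and cathylb's walkthrough both come down to one check: open the local Administrators group on the workstation and see who is in it. The script below is an added example written for this page, not something posted in the thread. It enumerates that group on one or more machines through the WinNT ADSI provider (present on every Windows version from 2000 up, so it also covers the XP clients discussed here) and flags the entries that hand local admin rights to the entire domain, which is exactly the "DOMAIN\Domain Users" case Angel runs into later. The computer list, the group-name parameter and the `$neverAdmin` table are my assumptions; the script only reads, it changes nothing.

```powershell
# Added example, not from the thread. List the members of the local
# Administrators group on one or more machines and flag the ones that make
# every domain account a local administrator. Assumes you have admin rights on
# the targets. The group name is a parameter because it is localized
# (e.g. "Administratoren" on a German installation).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$GroupName = 'Administrators'
)

# Well-known SIDs that should never sit in a local Administrators group.
# Domain-relative groups are matched on their RID below (513 = Domain Users).
$neverAdmin = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-LocalGroupAudit {
    param([string]$Computer, [string]$Group)

    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($grp.Invoke('Members'))) {
        $t    = $m.GetType()
        $path = $t.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $raw  = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid  = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value

        # ADsPath is WinNT://DOMAIN/Domain Users for domain principals and
        # WinNT://PCNAME/Bob for accounts that exist only in the local SAM.
        $name = $path -replace '^WinNT://', '' -replace '/', '\'

        $concern = $null
        if ($neverAdmin.ContainsKey($sid)) {
            $concern = "well-known broad group ($($neverAdmin[$sid]))"
        } elseif ($sid -match '^S-1-5-21-.+-513$') {
            $concern = 'Domain Users: every domain account is a local admin here'
        }

        [pscustomobject]@{
            Computer = $Computer
            Group    = $Group
            Member   = $name
            Sid      = $sid
            Concern  = $concern
        }
    }
}

foreach ($c in $ComputerName) {
    try   { Get-LocalGroupAudit -Computer $c -Group $GroupName }
    catch { Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message) }
}
```

Run it as `.\audit.ps1 -ComputerName pc01,pc02 | Where-Object Concern | Format-Table -AutoSize` to see only the problem rows. A member named `DOMAIN\Domain Users` with RID 513 is the finding to act on; removing it by hand on one box is `net localgroup Administrators "DOMAIN\Domain Users" /delete`, but if a policy put it there it will be back at the next refresh.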
 
Angel Massa

Thanks a lot for your excellent, detailed and easy to understand information.
It helped me a lot to understand how it works. I only have one thing that is not
clear...

When I log in with a domain user account to the domain controller with an
account that only has domain user privileges, what privileges do I have over the
local machine?

Regards,
Angel.
 
Mark Heitbrink [MVP]

Hi,

Angel said:
If users login as domain users what use has the local users configuration?
Also if a domain user has only domain user privileges what privileges has
over his local computer?

The domain users are mapped/integrated into the local user accounts.
Just log in as a domain user and take a look inside your groups.
Yourdomain\Youruser will appear inside the local Users group.
Check whether he is inside other groups as well.

Mark
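Mark's advice, log in as the domain user and look at your groups, can also be done from inside the user's own session by reading the access token, which is what actually decides what the domain account can do on this machine. The following is an added example, not code from the thread; it relies only on the .NET classes that ship with Windows PowerShell, and the function name Get-TokenSummary is my own.

```powershell
# Added example, not from the thread. Summarise what the current logon holds
# on this machine: the groups in its access token and whether Windows treats
# it as a local administrator. Run it in the domain user's own session.
function Get-TokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminGroupSid = 'S-1-5-32-544'   # BUILTIN\Administrators, same SID on every machine

    $groups = foreach ($g in $id.Groups) {
        $name = $g.Value
        # Name resolution needs the domain to be reachable; fall back to the SID.
        try { $name = $g.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Sid = $g.Value; Name = $name }
    }

    # The token does not record *why* a group is present. If DOMAIN\Domain Users
    # is nested in the local Administrators group, the token simply carries
    # S-1-5-32-544 next to the Domain Users SID (RID 513).
    $adminSidPresent = [bool]($id.Groups | Where-Object { $_.Value -eq $adminGroupSid })

    [pscustomobject]@{
        User            = $id.Name
        AdminSidInToken = $adminSidPresent
        # IsInRole ignores groups marked "deny only", so on Vista and later a
        # non-elevated prompt reports False here even though the SID is listed.
        # On XP (no UAC) the two values always agree.
        IsLocalAdmin    = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Groups          = $groups | Sort-Object Name
    }
}

$summary = Get-TokenSummary
$summary | Select-Object User, AdminSidInToken, IsLocalAdmin | Format-List
$summary.Groups | Format-Table -AutoSize
```

The same picture is available from cmd with `whoami /groups` (built in from Vista on), which additionally prints the "Group used for deny only" attribute that explains an AdminSidInToken = True, IsLocalAdmin = False result.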
 
Angel Massa

I've been experimenting with domain and local users. As you say, when I look
into the user accounts on the local computer I can see local user accounts
and domain user accounts. They have different icons: one of a user with a
computer for local users and another of a user with a heart for domain users.

When I looked at a user account, both local and domain accounts were set as
administrator for the local machine. I think this is not good, as a user
should not have administrator privileges over his local machine. Then I
changed both the local and domain accounts to user privileges. After this I
logged in with the domain user account and discovered that I still had full
administrator privileges over the local machine. I didn't understand this
until I found that the Domain Users group is inside the Administrators
group!!!

Now even weirder. I've deleted the Domain Users group from the local
Administrators group so, in theory, the user can't have admin rights over
the local machine when logged into the domain... After removing this the
account did not work as expected. The Windows interface has changed and the user can't
access his files.

How is this possible?

Regards,
Angel.
 
Mark Heitbrink [MVP]

Hi,

Angel said:
When I looked at a user account, both local and domain accounts were set as
administrator for the local machine. I think this is not good, as a user
should not have administrator privileges over his local machine.

This is not the default behavior.

If you look at the user object in AD, which security groups
is the user member of?

Log in as administrator and remove the domain user from the local
Administrators group. Log in as the user; if he is admin again, then
there is something that takes effect on the default behavior.
In a GPO you can manipulate this via Restricted Groups.
You must configure this manually to change the default behavior,
that's why I think that there is no entry.

Mark
 
Angel Massa

Hi Mark,

Thank for your help. I will try to describe the situation...

On AD the user is member of "domain users". This is fine.

Then I go to the local machine and look at the users from the control panel. I
can see that the user logged into the domain has administrator privileges. I
can change the privileges to user from the control panel but then the
account doesn't work. So my only option is to set the local account to
administrator for the account to work.

Is it possible that this problem happens because the user account has a
roaming profile?

Regards,
Angel.
 
Angel Massa

Ok, here is more info to the problem...

I've checked this on many clients and configuration is the same for all.

1.- On a local computer I log in as a user of the domain.
2.- Go to Control Panel >> Users
3.- Open advanced options and check the Groups folder
4.- I look for the Administrators group and check members.
5.- Here I have DOMAIN\Domain Users in the local Administrators group.

That's because all members logged on to the domain have administrator rights on
the local machines. If I remove DOMAIN\Domain Users from the
Administrators group there are problems when I log in again. The Windows XP
interface changes to the Windows 2000 style interface and I suppose other problems
will appear.

I don't know why the Domain Users group has to be added to the local Administrators
group to work.

I hope this explanation will be more clear.

Regards,
Angel.
 
Sparda

I've been doing some tests with Active Directory management and I have some
questions...

I have a user that has domain user privileges on the domain. Then I log in
to the domain and I noticed that he can perform any administrator task on
his local computer. I can even create users!

If the user has domain user privileges, this should not be possible, right? I
think I'm missing something.

Please can somebody tell me how it works?

Thanks!

Regards,
Angel

That is correct, if a user is a Domain User they should not be able to
create users locally. When I was playing around with AD I found that
often the domain policies would not update when changes are made (but
that's probably just me not doing it quite right).
 
Mark Heitbrink [MVP]

Hi,

Angel said:
[...]
4.- I look for the Administrators group and check members.
5.- Here I have DOMAIN\Domain Users in the local Administrators group.
[...]
I don't know why the Domain Users group has to be added to the local Administrators
group to work.

I'm irritated. That's definitely not the default behavior ... :-(
Did you work with "Restricted Groups" in a GPO?
It's definitely not a matter of the roaming profile.

Try this:
- create a new OU
- place one computer object in it (just to make sure that you
are only configuring this PC ...)
- create a new GPO on this OU
- edit the Restricted Groups
New Group: Administrators, only add Administrators and Domain Admins
New Group: Users, add Domain Users
- run gpupdate /force on the client and look what happens ;-)

Mark
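Whether you are verifying Mark's test OU and GPO above, or first want to find out if some existing GPO is already the reason Domain Users shows up in Administrators on every client, the computer's Resultant Set of Policy store on the client answers both: it records which GPO owns each Restricted Groups setting and with what precedence. This is an added example, not code from the thread. It assumes an elevated PowerShell 3.0 or later prompt on the client and that computer-side RSoP logging data is present (the Group Policy engine writes it at each refresh); the function name and the use of net localgroup for the final check are my choices.

```powershell
# Added example, not from the thread. Find the GPO that enforces Restricted
# Groups on the local Administrators group and show the resulting membership.
# Assumes an elevated prompt and populated computer-side RSoP logging data.
function Get-RestrictedGroupPolicy {
    param(
        [string]$GroupName = 'Administrators',
        [switch]$Refresh    # run gpupdate first so the RSoP data reflects current policy
    )
    if ($Refresh) { gpupdate /force /target:computer | Out-Null }

    $ns = 'root/rsop/computer'

    # Map GPO LDAP ids to display names so the output is readable.
    $gpoNames = @{}
    foreach ($g in Get-CimInstance -Namespace $ns -ClassName RSOP_GPO) {
        $gpoNames[$g.id] = $g.name
    }

    # RSOP_RestrictedGroup holds one row per (GPO, group). GroupName may be the
    # display name or the SID; S-1-5-32-544 is BUILTIN\Administrators everywhere.
    Get-CimInstance -Namespace $ns -ClassName RSOP_RestrictedGroup |
        Where-Object { $_.GroupName -match "$GroupName|S-1-5-32-544" } |
        Sort-Object precedence |
        ForEach-Object {
            $gpo = $_.GPOID
            if ($gpoNames.ContainsKey($gpo)) { $gpo = $gpoNames[$gpo] }
            [pscustomobject]@{
                Group      = $_.GroupName
                # "Members" is authoritative: anything not listed is removed at refresh.
                Members    = @($_.Members)   -join ', '
                # "Member of" only adds the group to the listed groups, it removes nothing.
                MemberOf   = @($_.MembersOf) -join ', '
                GPO        = $gpo
                Precedence = $_.precedence
            }
        }
}

# What policy says, then what the local SAM actually contains after the refresh.
Get-RestrictedGroupPolicy -Refresh | Format-List
net localgroup Administrators
```

No rows back means no Restricted Groups setting reaches this computer, so the Domain Users entry was put there some other way (imaging, a script, by hand). Mark's recipe depends on the "Members" list: because it is authoritative, listing only Administrator and Domain Admins pushes Domain Users out at the next refresh. A "Local Users and Groups" Group Policy Preference item (Server 2008 and later) is a different client-side extension and does not appear in RSOP_RestrictedGroup, so check for that separately if the membership keeps coming back.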
 
Angel Massa

I was also surprised that the Domain Users group was added to the
Administrators group on ALL computers of the network. If this is not the
default behaviour I can't really understand how it happened on all the
computers.

Also, removing the Domain Users group from the Administrators group on the
local computers causes the profile not to work. The interface is changed and
there are things missing. So I have to add the admin privileges again for
the profile to work.

I didn't work with Restricted Groups as far as I know. In fact I don't
know what Restricted Groups are. The users were added to an OU on the AD
controller and they only have a group policy for the OU that changes the desktop
background and redirects the My Documents folders.

Regards,
Angel.
 
