Renamed local admin not enough rights

  • Thread starter Thread starter LordFox
  • Start date Start date
L

LordFox

Hi,

Years ago, we decided to automatically have the local admin account
renamed. Recently we are having problems with this nice GP feature: the
renamed admin account no longer has local admin rights on the system
the account has been renamed on. This means that we can no longer
install certain drivers and software, such as a VPN client.

Does anyone have a clue as to what is going on?

Cheers,

Rick
 
LordFox said:
Hi,

Years ago, we decided to automatically have the local admin account
renamed. Recently we are having problems with this nice GP feature: the
renamed admin account no longer has local admin rights on the system
the account has been renamed on. This means that we can no longer
install certain drivers and software, such as a VPN client.

Does anyone have a clue as to what is going on?
Click to expand...

We cannot be sure but we may offer some clues:

The "renamed" Administrator account is STILL
PRECISELY the same account (it has the same SID.)

When a computer joins a domain the Domain Administrators
group is (automatically) placed into the local Administators
group.

Anyone in the Domain Admins should be a local Admin, BUT
recognize that the membership of the Domain Admins (on the
domain) can be changed, as can the membership of the local
Admin group.

Check each of these -- some discrepancy in the above should
account for the problems.

Also, double check that the computer is STILL a member of
the domain AND able to AUTHENTICATE (usually problems
with Authentication are really DNS issues.)
 
The issue occurs right after adding the machine to the domain. I am
aware of the fact that the SID for the admin account does not change.

The Domain Admins are member of the local administrators group. No
issues occur in communicating with the domain. We have experienced no
trouble with this on any other machine before.

Indeed, if one logs on as a domain admin, no issues occur. The local
machine (renamed) admin-account is also still a member of the
administrators group.

The only thing that happened to the machine after adding it to the
domain is that we moved the machine to an OU on which we have policy
settings for WSUS.

Cheers

Rick
 
LordFox said:
The issue occurs right after adding the machine to the domain. I am
aware of the fact that the SID for the admin account does not change.

The Domain Admins are member of the local administrators group. No
issues occur in communicating with the domain. We have experienced no
trouble with this on any other machine before.

Indeed, if one logs on as a domain admin, no issues occur. The local
machine (renamed) admin-account is also still a member of the
administrators group.
Click to expand...

Which account has the problem? Local or the domain Administrator?

Above you indicate the domain admins have no trouble (which would
include THE domain Administrator).

The LOCAL Administrator account follows similar rules but isn't
really related to Active Directory (this newsgroup).

Unless someone has removed this group from Administrators OR
has otherwise altered permissions on files then this is still going
to work normally since it too has a well-known SID that doesn't
change through rename.
The only thing that happened to the machine after adding it to the
domain is that we moved the machine to an OU on which we have policy
settings for WSUS.
Click to expand...

Possibly a difference but unlikely to affect local admin privileges.

More likely is some (weird) change to file permissions.
 
The problem occurs with the account that is the Local Administrator
account, the account that gets installed 'native' on the system.

Accounts that are in the Domain Admins group have no issues.

No-one has removed anything nor altered permissions as this was a fresh
install right from the CD.
 
LordFox said:
The problem occurs with the account that is the Local Administrator
account, the account that gets installed 'native' on the system.

Accounts that are in the Domain Admins group have no issues.

No-one has removed anything nor altered permissions as this was a fresh
install right from the CD.
Click to expand...


In general, other people don't have such problems
so please describe the EXACT scenario with the
full error messages etc...
 
Keep in mind that the local admin is local account - it doesn't have
authority on the domain. If you're trying to use the local admin
account for authentication\privileges to add/remove software etc, you
need to either 1) log in locally to the box - i.e. change the domain
drop down at the login screen to computername (this computer), or 2)
use runas or some other mechanism to pass credentials, which should be
in the format of computername\localadmin instead of
domain\localadmin... Specifically, how are you attempting to use the
local admin account??
 
The error occurred on the machine when I was logged on to the machine
with the local administrator account. I noticed something was wrong
when

1. I tried to install VPN software. The installation failed when
creating a virtual network adapter
2. I checked the Windows devide manager. It told me I did not have
enough rights to install drivers (or something similar, I don't have
that machine close at hand at the moment so I cannot replay the error).

Cheers.

Rick
 
Back
Top