domain account added to local admins vs domain account


  • domain account added to local admins vs domain account

    I have very little AD knowledge and am after a greater understanding of how the following works:

    Users in a group require admin rights on a workstation, I have added the domain account to the local admin group on said workstation. However, when the workstation is rebooted (group policy applied), the users no longer have local admin rights on the workstation.

    What's even more particular is that the account will resume administrative functionality a day or so later; again, when it's rebooted or a manual gpupdate is implemented, the account resumes its limited permissions.

    In short, although we have added the account to the local admin group on the workstation, would the account created in Active Directory, which has a particular set of permissions applied, take precedence over the locally added domain account?

    If so what would be the best course of action?


  • #2
    Re: domain account added to local admins vs domain account

    Originally posted by Ades:
    "Users in a group require admin rights on a workstation, I have added the domain account"

    So which is it, a group of users, or a user account?

    Originally posted by Ades:
    "I have added the domain account to the local admin group on said workstation."

    How? Manually? Via a script? Via Group Policy?

    In any case, I would argue that no user needs to be a local administrator. If a badly written piece of software doesn't work properly because the user doesn't have access to some part of the filesystem or registry, then grant them write access to that specific resource. Then go and yell at the developers.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.



    • #3
      Re: domain account added to local admins vs domain account

      If you have configured a 'Restricted Groups' policy to control the members of the local administrators group - then, are you using the 'Member' section or 'MemberOf' section?

      It is a good practice to nest an AD Global Group to the local administrators group on the client rather than adding AD users directly.

      What is the client's OS?


      \Rems

      This posting is provided "AS IS" with no warranties, and confers no rights.



      • #4
        Re: domain account added to local admins vs domain account

        Thank you for your timely response. Just to clarify on a few points raised by the two responses.

        I have added the domain group to the local admin account manually. The workstation OS is Vista x64 (Business).

        In reference to restricted policy, I am unfamiliar with this.

        Kind regards.



        • #5
          Re: domain account added to local admins vs domain account

          OK. You have added a user (or a domain group) to the local "administrators" group on your workstation.
          The user had administrative access on that computer.

          You reboot the computer. No more administrative access.

          This is normal behaviour and controlled by group policy. Doesn't matter the OS of the computer, or how many times you do this.


          You can configure "restricted groups" using group policy, to ensure that user "bob" is always in the local administrators group on all computers.

          Have a Google search for 'restricted groups' and you'll find heaps of resources.
          Have a look through them and come back with some more questions...
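The Restricted Groups behaviour raised in posts #3 and #5, as an added example that is not from any poster in the thread: a Restricted Groups policy is stored in the GPO's GptTmpl.inf under `[Group Membership]`, where a `__Members` entry replaces the target group's membership at each policy refresh and a `__Memberof` entry only adds the group to another one. The inf text, the SIDs and the function name `Get-RestrictedAdminsPolicy` are constructed for illustration.

```powershell
# Constructed sample: the [Group Membership] section a Restricted Groups policy
# writes to GptTmpl.inf in the GPO's SYSVOL folder. Domain SIDs are made up;
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$gptTmpl = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
'@

function Get-RestrictedAdminsPolicy {   # hypothetical helper name
    param([string]$InfText)
    $adminsSid = 'S-1-5-32-544'
    $result = [ordered]@{ Enforced = $false; Members = @(); AddedVia = @() }
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if ($inSection -and $line -match '^\s*\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $group = $Matches[1]; $kind = $Matches[2]
            $values = @($Matches[3] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            if ($group -eq $adminsSid -and $kind -eq 'Members') {
                # "Members": the listed accounts replace the group's membership.
                $result.Enforced = $true
                $result.Members = $values
            } elseif ($kind -eq 'Memberof' -and $values -contains $adminsSid) {
                # "Member Of": this group is added to Administrators, nothing is removed.
                $result.AddedVia += $group
            }
        }
    }
    [pscustomobject]$result
}

# Constructed current membership of the local Administrators group (SIDs):
# Domain Admins plus a domain group that was added by hand.
$current = @('S-1-5-21-1111111111-2222222222-3333333333-512',
             'S-1-5-21-1111111111-2222222222-3333333333-1150')

$policy = Get-RestrictedAdminsPolicy -InfText $gptTmpl
if ($policy.Enforced) {
    $current | Where-Object { $policy.Members -notcontains $_ } |
        ForEach-Object { "Dropped at next policy refresh: $_" }
}
```

On a domain-joined client, `gpresult /h report.html` shows which GPO delivers the Restricted Groups setting.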