Domain Admin rights to local machine
  • Domain Admin rights to local machine

    I have created an SBS domain in VMWare and noticed that by default the domain admins are added to the local admin of each client machine added.

    So far, there is only one administrator; me - the account I used to install everything.
    Of course, this account is a member of the domain admin group yet unable to log on to a client machine locally using the domain credentials.

    Have I misunderstood this?

    Please see attached.

    Thanks

  • #2
    Re: Domain Admin rights to local machine

    You need to log on to the DOMAIN, not the local computer. See in the right-hand picture, you are using credentials which are stored in Active Directory, but you are asking the local machine to recognise them from its own database... they don't exist in there.

    The account "Administrator" which is stored in your AD Domain, has password xxxxxxx. The account "Administrator" on the XP box, is STORED on the XP box, and has password zzzzz. The group "Administrators", stored on the XP box, has a list of members; one of which is "Domain\Domain Admins". That means, if you log in with DOMAIN\Administrator, password xxxxxxxx, you will have Administrator rights on the XP box, just as if you had logged on with XPBOX\Administrator and password zzzzz.

    Never forget that ALL computers which are MEMBERS of the domain, also have LOCAL user databases AS WELL AS accepting Domain credentials. This does NOT apply to Domain Controllers, which DO NOT have a local database.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you
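The point Tom makes above (two different "Administrator" accounts in two different databases, with the domain group nested into the local group) can be verified on any member machine. The following is an added example, not code from the thread or from Tom's post; it assumes PowerShell 5.1 or later with the built-in LocalAccounts module on a domain-joined machine, and uses the placeholder names DOMAIN and XPBOX from the post. On the XP-era boxes discussed here, `net localgroup Administrators` gives the equivalent listing.

```powershell
# Added example (not from the original thread): show that the local
# "Administrators" group on a domain member contains the domain's
# "Domain Admins" group, and that the local and domain "Administrator"
# accounts are different principals with different SIDs.
# Assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Which principal is this session authenticated as?
#   XPBOX\Administrator  -> the account stored in this machine's SAM
#   DOMAIN\Administrator -> the account stored in Active Directory
whoami

# Members of the LOCAL Administrators group, as stored on this machine.
# On a member machine you should see an entry with ObjectClass 'Group',
# PrincipalSource 'ActiveDirectory' and Name '<DOMAIN>\Domain Admins'.
# Orphaned SIDs (deleted accounts) make the cmdlet throw, so keep going.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource, SID

# The built-in LOCAL Administrator always has relative ID 500, so its SID is
# S-1-5-21-<this machine's id>-500. DOMAIN\Administrator also ends in -500,
# but with the DOMAIN's SID prefix: same display name, different identity,
# different password store.
Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
    Select-Object Name, Enabled, PasswordLastSet, SID

# The part of the logon name before the backslash picks the database:
#   .\Administrator        -> local SAM account on this machine
#   XPBOX\Administrator    -> the same, with the machine name spelled out
#   DOMAIN\Administrator   -> the Active Directory account
#   administrator@domain.local -> the AD account in UPN form
# For instance, to open a shell as the AD account from a local session:
#   runas /user:DOMAIN\Administrator cmd.exe
```

If the `Get-LocalGroupMember` listing does not show `DOMAIN\Domain Admins`, someone has changed the default membership on that box and a domain admin logging on there will be a plain user locally, which is exactly the symptom the original post describes.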



    • #3
      Re: Domain Admin rights to local machine

      Thank you for a good explanation Tom.

      I guess I was confused because even when the administrator logs in to the machine they will be bound to the domain/OU and administrator restrictions (if any) and sometimes prevent a simple modification.

      What do most environments *do* to automate admins for the local box?

      Thanks

      Simon



      • #4
        Re: Domain Admin rights to local machine

        "automate admins"? I don't understand what the question means...

        By default, the Domain's "Domain Admins" group will be a member of the local "Administrators" group on all Member computers, so that wherever they log in, Domain Admins have admin rights over everything. If a machine is a member of the domain, you can either log in with a Domain Admin account (which has admin rights on the machine AND over the domain) OR you can log in as the machine's own "Administrator" account, which has full admin rights over the box, but is not even recognised by the domain; you won't be able to so much as map a drive to a network folder without putting additional credentials in. If a machine is NOT a member of the domain, you can only log into it with user credentials which are local to the machine; for instance the local "Administrator" account. You won't be able to log in with a Domain account because the machine won't know where to look to authenticate it.


        Tom


        • #5
          Re: Domain Admin rights to local machine

          Thanks. Local and domain accounts are now clear.

          When I said automate admin accounts it was a poor way of describing a method for creating administrators in the local database without sitting at each one.

          If machines are being supplied "pre-built" with no password for the admin account and different people are adding them to the domain it is possible for someone to log in as a local admin with no password.



          • #6
            Re: Domain Admin rights to local machine

            UTFW !!!!

            If you join computers to the domain the SBS way, (Create Computer Wizard in Server Management, then \\<server>\connectcomputer on the station) everything you need is automagically configured for you.
            Hard to believe, eh?
            TIA

            Steven Teiger [SBS-MVP(2003-2009)]
            http://www.wintra.co.il/
            I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

            We don't stop playing because we grow old, we grow old because we stop playing.


            • #7
              Re: Domain Admin rights to local machine

              er, I wouldn't say hard to believe, no.

              I was asking what I thought was a valid question.

              Thank you.



              • #8
                Re: Domain Admin rights to local machine

                You always have (at least) three possibilities to configure workstations in your LAN

                1) Group Policies
                2) Scripts - especially at logon/logoff
                3) Manual

                Group Policies require a bit of initial learning but once you feel comfortable with them, finding the correct policy to configure becomes second nature.
                Scripts are easy to learn, but need a good test before production. Many examples on the net, especially under the Script Guys at Technet, Microsoft.
                Sometimes with only 5-10 stations, it may not be worth the effort to learn GPO or scripts for a one-off event.
                Your call!
                And a correction to my previous post - it's a "web site":
                //<server>/connectcomputer
                TIA

                Steven Teiger [SBS-MVP(2003-2009)]


                • #9
                  Re: Domain Admin rights to local machine

                  Hi Simon,

                  Yes, it is possible for someone to log on locally, to their computer, with a local Administrator account (with, if so set, a blank password).

                  BUT: Let's say a user logs on locally to the local computer with the local Administrator account, which may have no password. Ask yourself the question: "What rights will that user account have over the resources provided by the domain?". I suggest that you log on to the PC locally, i.e. not onto the domain, using the local Administrator account. Play around a bit - see what happens when you try to poke your nose into the domain - and decide for yourself, "In what way can this local administrator affect my domain?".

                  Of course you set up everything using a Domain Admin account, but now you need to set up domain users, and then you can learn a lot by using a workstation to log on to the domain using one of those domain user accounts. Play around with the computer a while - you'll see you can't do things like change the IP address of the PC, that sort of thing.

                  So, what you need to do is set up user accounts on the SBS server and configure each workstation to log on to the domain (not to log on locally). So now users are using domain accounts to log on to the domain, which is good.

                  When I say "Configure" I do mean use the lovely SBS wizard, yes indeed.

                  What I also like to see is the bit where you say "...without sitting at each one..." because there is so much you can do from the server, without walking around each workstation. I see too many "technicians" walking around each workstation, it's sad. So, to try and learn about what can be done from the server is a very good thing.
                  Best wishes,
                  PaulH.
                  MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                  • #10
                    Re: Domain Admin rights to local machine

                    Look up Group Policy - Restricted Groups.

                    This will enable you to make ONLY the people you want, members of the Local Admins group, on all the affected machines, without going near them.


                    Tom
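Restricted Groups sets the membership, but Simon's concern in #5 (a pre-built box whose local Administrator has never been given a password) is only visible if someone looks, and Paul's point in #9 is that the looking should happen from the server. The following audit is an added example, not the thread's own or Microsoft's code; it assumes PowerShell Remoting (WinRM) and PowerShell 5.1 or later on the targets, the RSAT ActiveDirectory module where it runs, and an allow-list that mirrors what your Restricted Groups policy says the local Administrators group should contain (the `DOMAIN\Workstation Admins` entry is a hypothetical delegated group, not something from the thread). XP-era stations have no WinRM, so there you would run the same checks through psexec or WMI instead.

```powershell
# Added example (not from the original thread): from the server, audit the
# local Administrators group and the built-in local Administrator account
# on every non-server domain member, without visiting each workstation.
# Assumes WinRM is enabled on the targets and the ActiveDirectory module is
# installed here. The allow-list is an assumption: make it match the
# "Members of this group" list in your Restricted Groups policy.

Import-Module ActiveDirectory

$AllowedAdmins = @(
    'DOMAIN\Domain Admins',
    'DOMAIN\Workstation Admins'   # hypothetical delegated admin group
)

# Workstations only; servers usually have a different admin policy.
$computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"' |
    Select-Object -ExpandProperty Name

# Collect the facts on each machine; unreachable ones are skipped silently.
$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    # RID 500 is the built-in Administrator whatever it has been renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        LocalAdmins         = @($members)
        BuiltinAdminName    = $builtin.Name
        BuiltinAdminEnabled = $builtin.Enabled
        # $null here means the password has never been set: the
        # "pre-built box with a blank admin password" case.
        BuiltinAdminPwdSet  = $builtin.PasswordLastSet
    }
}

foreach ($r in $report) {
    # Local accounts appear as COMPUTERNAME\name. The only local principal
    # that belongs in Administrators is the RID-500 account itself.
    $unexpected = $r.LocalAdmins | Where-Object {
        $_ -notin $AllowedAdmins -and
        $_ -ne "$($r.Computer)\$($r.BuiltinAdminName)"
    }
    if ($unexpected) {
        Write-Warning "$($r.Computer): unexpected local admins: $($unexpected -join ', ')"
    }
    if ($r.BuiltinAdminEnabled -and -not $r.BuiltinAdminPwdSet) {
        Write-Warning "$($r.Computer): built-in Administrator is enabled and has never had a password set"
    }
}

$report | Select-Object Computer, BuiltinAdminName, BuiltinAdminEnabled, BuiltinAdminPwdSet |
    Format-Table -AutoSize
```

Two things to keep in mind when reading the output. Restricted Groups in "Members of this group" mode rewrites the membership to exactly the listed principals at every policy refresh, so any extra entry the audit reports will come back after the next refresh unless it is in the policy; the "Member of" mode only adds the named group and removes nothing. And the check on the built-in account does not try a blank logon against it; it only reports an enabled RID-500 account whose password has never been set, which is the condition Simon describes and is reason enough to set a unique password on it or disable it.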


                    • #11
                      Re: Domain Admin rights to local machine

                      Thanks to everyone - your help is appreciated

                      Paul - You are right. Walking around workstations is sad! Plenty of time using VMWare and the SBS domain will help prevent that (along with all the excellent articles and advice on this site that is).



                      • #12
                        Re: Domain Admin rights to local machine

                        Originally posted by simonsays:
                        I have created an SBS domain in VMWare and noticed that by default the domain admins are added to the local admin of each client machine added.

                        So far, there is only one administrator; me - the account I used to install everything.
                        Of course, this account is a member of the domain admin group yet unable to log on to a client machine locally using the domain credentials.

                        Have I misunderstood this?

                        Please see attached.

                        Thanks
                        Simon,

                        Domain Admin group is automatically added to local Administrators group on each computer joined to domain. You can't use your administrator's domain credentials to log in to the computer locally. (That's why it's called a local account.) You can use your domain credentials to log in to the domain, or use the local Administrator's account to log in to the computer/server locally.
