Domain Admin doesn't have local Administrator privileges
This was all done using Azure VMs.
machine: server-dc
Setup Windows 2012 R2 as a domain control with user 'testadmin'
Domain: DEV
Added a user 'domainadmin' and made a Member of all the same groups as testadmin (including Domain Admins)
machine: server-a
Setup Windows 2012 R2 with user 'localadmin'
Joined server-a to the domain
"DEV\Domain Admins" was automatically added to the local Administrators group
Login to server-a as "DEV\testadmin"
- full local admin rights (because it is a member of "DEV\Domain Admins" - correct?)
Login to server-a as "DEV\domainadmin"
- does NOT have local admin rights yet is a member of "DEV\Domain Admins"
Why does "DEV\domainadmin" not have the exact same local admin rights on server-a that "DEV\testadmin" does?
Thanks,
Mike
I'm still having problems.
This account is in the local Administrators group so they should have permission to do these things. I've tried your work around but still no luck.
User Account Control: Run all administrators in Admin Approval Mode
- Enabled (Default) is set
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
- Elevate without prompting is set
Machine rebooted
UAC in Control Panel set to Never notify
To clarify:
User 'domainadmin' is a user created on the DC.
Group 'Domain Admins' is a group created on the DC.
'domainadmin' is a member of 'Domain Admins'
'Domain Admins' is a member of the local Administrators group on SERVER-A
So 'domainadmin' is in essence a member of the local Administrators group on SERVER-A.
YET:
When logged in to SERVER-A as 'domainadmin', from a command prompt:
c:\del test.txt (a file created by 'localadmin')
Access is denied.
c:\iisreset
Access is denied.
This user is a member of the local Administrators group - why can he not function as an Administrator?
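The behaviour in this post is what UAC Admin Approval Mode looks like from the inside, so here is a PowerShell check to run on server-a; it is an added example, not code from Mike's post. With "Run all administrators in Admin Approval Mode" enabled, an interactive logon for any Administrators member (direct or nested through DEV\Domain Admins) produces a filtered token: the BUILTIN\Administrators SID is kept only "for deny", and privileges such as SeTakeOwnershipPrivilege are removed. "Elevate without prompting" and the Control Panel "Never notify" setting only decide what happens when a process asks for elevation; a cmd.exe opened normally never asks, so `del` on another user's file and `iisreset` still run with the filtered token. Accounts with RID 500 (the built-in Administrator, and likely what 'testadmin' is here, since the Azure provisioning account is the renamed built-in Administrator; that is an inference, not something the post states) are exempt from filtering unless "Admin Approval Mode for the Built-in Administrator account" is enabled. The registry value names below are the real policy backing values; everything else is constructed for the example.

```powershell
# Added example; not code from the original thread. Run it as DEV\domainadmin
# from a plain command prompt on server-a, then again from a prompt started with
# "Run as administrator", and compare the two results.

function Get-UacPolicy {
    # The three "User Account Control" policies discussed in the thread are
    # backed by these values (assumption: default Windows Server 2012 R2 layout).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        # "Run all administrators in Admin Approval Mode" (1 = on; a change needs a reboot)
        EnableLUA                  = $p.EnableLUA
        # "Behavior of the elevation prompt for administrators" (0 = elevate without prompting)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        # "Admin Approval Mode for the Built-in Administrator account" (absent/0 = RID-500 account exempt)
        FilterAdministratorToken   = $p.FilterAdministratorToken
    }
}

function Get-TokenAdminState {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)

    # whoami lists every group in the token with its attributes. On a filtered
    # token BUILTIN\Administrators (S-1-5-32-544) is still present but carries
    # "Group used for deny only": it can make Deny ACEs match, never Allow ACEs.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $privs      = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User                   = $id.Name
        AdministratorsInToken  = [bool]$adminGroup
        AdministratorsDenyOnly = [bool]($adminGroup.Attributes -match 'deny only')
        # IsInRole honours only enabled groups, so this is $false on the filtered token
        EffectiveAdministrator = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        # Admin-only privileges are stripped from the filtered token
        PrivilegeCount         = @($privs).Count
        HasTakeOwnership       = [bool]($privs | Where-Object { $_.'Privilege Name' -eq 'SeTakeOwnershipPrivilege' })
    }
}

Get-UacPolicy | Format-List
Get-TokenAdminState | Format-List
```

On the unelevated prompt expect AdministratorsDenyOnly = True and EffectiveAdministrator = False even though the account sits in Domain Admins; on the elevated prompt both flip. If EnableLUA is 1 that is the whole explanation; a member-server admin console must be elevated (or EnableLUA set to 0 and the machine rebooted) for `del` and `iisreset` to work, and the exempt RID-500 account is the reason 'testadmin' never sees the difference.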
Similar Messages
-
Local user provisioning requires local administrator privileges?
Hello,
Scenario: User-A needs to provision User-B as a local administrator on a Windows 2008R2 server.
Is there a way for User-A to do this without User-A being a member of the local Administrators or Domain Admin group on the said server?
Thanks
Is it not possible to make user A part of the administrators group?
If you are trying to work around the fact that user A does not have administrative rights over the box, then your first course of action is to give user A administrative rights. There are several ways to do this.
With a more in-depth explanation of why user B has to have administrative rights given to him by user A, we may be able to come up with a solution or workaround.
fr0stsp1re -
Domain Admin locked out of local logon
I have a customer we just took over for. They have an existing issue where the domain administrator cannot log in locally to the DC. I've looked through all their GPOs and cannot find any instance of the domain admin groups being specifically denied this right. In fact, it says right in the DC GPO that domain admins have the rights for local log in, yet I can't seem to log in. Remote desktop works fine and that is how I've been accessing their DC, but I cannot find an answer to this problem. Any ideas?
Policy | Computer Setting | Source GPO
Access Credential Manager as a trusted caller | Not Defined |
Access this computer from the network | kcengr\IWAM_DELL-OFV7446Y6N,Everyone,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,Authenticated Users,ENTERPRISE DOMAIN CONTROLLERS,Pre-Windows 2000 Compatible Access,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
Act as part of the operating system | kcengr\bkupexec | Default Domain Controllers Policy
Add workstations to domain | Authenticated Users | Default Domain Controllers Policy
Adjust memory quotas for a process | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Allow log on locally | kcengr\IUSR_DELL-OFV7446Y6N,Administrators,Backup Operators,Account Operators,Server Operators,Print Operators,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
Allow log on through Remote Desktop Services | Not Defined |
Back up files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
Bypass traverse checking | NT SERVICE\MSSQL$SCANMAIL,Everyone,Administrators,Authenticated Users,Pre-Windows 2000 Compatible Access,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Change the system time | Administrators,Server Operators,LOCAL SERVICE | Default Domain Controllers Policy
Change the time zone | Not Defined |
Create a pagefile | Administrators | Default Domain Controllers Policy
Create a token object | kcengr\bkupexec | Default Domain Controllers Policy
Create global objects | Not Defined |
Create permanent shared objects | (empty) | Default Domain Controllers Policy
Create symbolic links | Not Defined |
Debug programs | Administrators | Default Domain Controllers Policy
Deny access to this computer from the network | kcengr\SUPPORT_388945a0 | Default Domain Controllers Policy
Deny log on as a batch job | (empty) | Default Domain Controllers Policy
Deny log on as a service | (empty) | Default Domain Controllers Policy
Deny log on locally | kcengr\SBS Remote Operators,kcengr\SUPPORT_388945a0,kcengr\SBS STS Worker | Default Domain Controllers Policy
Deny log on through Remote Desktop Services | Not Defined |
Enable computer and user accounts to be trusted for delegation | Administrators | Default Domain Controllers Policy
Force shutdown from a remote system | Administrators,Server Operators | Default Domain Controllers Policy
Generate security audits | LOCAL SERVICE,NETWORK SERVICE,IIS APPPOOL\Classic .NET AppPool,IIS APPPOOL\DefaultAppPool | Default Domain Controllers Policy
Impersonate a client after authentication | Not Defined |
Increase a process working set | Not Defined |
Increase scheduling priority | Administrators | Default Domain Controllers Policy
Load and unload device drivers | Administrators,Print Operators | Default Domain Controllers Policy
Lock pages in memory | (empty) | Default Domain Controllers Policy
Log on as a batch job | kcengr\bkupexec,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,kcengr\IIS_WPG,kcengr\SUPPORT_388945a0,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG,IIS_IUSRS | Default Domain Controllers Policy
Log on as a service | kcengr\Administrator,NT SERVICE\MSSQL$SCANMAIL,kcengr\SQLServer2005SQLBrowserUser$KC01,IIS APPPOOL\Classic .NET AppPool,kcengr\bkupexec,NETWORK SERVICE,IIS APPPOOL\DefaultAppPool,SYSTEM,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Manage auditing and security log | kcengr\Exchange Servers,kcengr\Exchange Enterprise Servers,Administrators | Default Domain Controllers Policy
Modify an object label | Not Defined |
Modify firmware environment values | Administrators | Default Domain Controllers Policy
Perform volume maintenance tasks | Not Defined |
Profile single process | Administrators | Default Domain Controllers Policy
Profile system performance | Administrators | Default Domain Controllers Policy
Remove computer from docking station | Administrators | Default Domain Controllers Policy
Replace a process level token | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
Restore files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
Shut down the system | Administrators,Backup Operators,Server Operators,Print Operators,SYSTEM | Default Domain Controllers Policy
Synchronize directory service data | (empty) | Default Domain Controllers Policy
Take ownership of files or other objects | Administrators | Default Domain Controllers Policy
I am using the domain administrator account to try and log on locally and I cannot see a reason within the DC's GP why it would be prevented. -
So, I'm having some problems getting a logon script to work. I need a way to deploy the agent that we use via login/startup scripts and what I have works fine if the user has admin rights, or if UAC is disabled. I've tried to convert the .exe
to an .msi to make it easier, but the .msi never works and it's only distributed as an .exe. We deploy this to different clients, I can't disable UAC in their environment unless they specifically tell us to. Can anyone think of a way around this?
I've been searching for days and I'm just lost. If we could execute the file as the system account, or connect to shares using a startup script instead of logon, that would be perfect. Basically what it does is check to see if the process for the
agent is running (agentmon.exe) so we don't attempt to install it if it is already installed, if it's not, then it calls on a different agent installer depending on the IP address of the system (for clients that have more than one location). Here's what
I've got written that works for me in my test environment:
Const strAgent1 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup1.exe"
Const strAgent2 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup2.exe"
Const strAgent3 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup3.exe"
Const strFolder = "C:\Temp\"
Const Overwrite = True
Dim objFSO, objNIC1, arrNIC, strIP, strMask, objShell, objWMIService, proc, i

' Check for the Kaseya agent process, AgentMon.exe, and exit if it is already running
Set objWMIService = GetObject("winmgmts:")
Set proc = objWMIService.ExecQuery("select * from Win32_Process Where Name='agentmon.exe'")
If proc.Count > 0 Then
    WScript.Quit
End If

' Instantiate a NIC configuration object
Set objNIC1 = GetObject("winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")
' Instantiate a shell object and a file system object
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Create the temp dir if it doesn't exist
If Not objFSO.FolderExists(strFolder) Then
    objFSO.CreateFolder strFolder
End If

' Read the first address/mask of each IP-enabled adapter; the last adapter wins
i = 0
For Each arrNIC In objNIC1
    If arrNIC.IPEnabled Then
        strIP = arrNIC.IPAddress(i)
        strMask = arrNIC.IPSubnet(i)
    End If
Next

' No IP-enabled adapter found: nothing to match against, so leave quietly
If Len(strIP) = 0 Then
    WScript.Quit
End If

' Bitwise-AND each octet of the address with the mask to get the network ID
Function NetworkID(Address, Mask)
    Dim AddressOctets, MaskOctets, Result, N
    AddressOctets = Split(Address, ".")
    MaskOctets = Split(Mask, ".")
    ReDim Result(UBound(AddressOctets))
    For N = 0 To UBound(AddressOctets)
        Result(N) = CLng(AddressOctets(N)) And CLng(MaskOctets(N))
    Next
    NetworkID = Join(Result, ".")
End Function

Select Case NetworkID(strIP, strMask)
    Case "192.168.0.0"
        ' Kaseya install commands for the 192.168.0.0 subnet
        objFSO.CopyFile strAgent1, strFolder, Overwrite
        WScript.Sleep 1*60*1000   ' give the copy a minute to settle before running it
        objShell.Run "C:\Temp\Test-KcsSetup1.exe"
    Case "192.168.1.0"
        ' Kaseya install commands for the 192.168.1.0 subnet
        objFSO.CopyFile strAgent2, strFolder, Overwrite
        WScript.Sleep 1*60*1000
        objShell.Run "C:\Temp\Test-KcsSetup2.exe"
    Case "192.168.2.0"
        ' Kaseya install commands for the 192.168.2.0 subnet
        objFSO.CopyFile strAgent3, strFolder, Overwrite
        WScript.Sleep 1*60*1000
        objShell.Run "C:\Temp\Test-KcsSetup3.exe"
    Case Else
        ' Some sort of error checking. Maybe a BLAT SMTP command to send an email
End Select

Set objWMIService = Nothing
Set objNIC1 = Nothing
Set objShell = Nothing
Set objFSO = Nothing
WScript.Quit
You need to read the documentation carefully:
The Deploy Agents install package is created using a Configure Automatic Account Creation wizard. The wizard copies agent settings from an existing machine ID or machine ID template and generates an install package called
KcsSetup.All settings and pending agent procedures from the machine ID you copy from—except the machine ID, group ID, and organization ID—are applied to every new machine ID created with the package.
Including Credentials in Agent Install Packages
If necessary, an agent install package can be created that includes an administrator
credentialto access a customer network. Credentials are only necessary if users are installing
packages on machines and do not have administrator access to their network. The administrator credential is encrypted, never available in clear text form, and bound to the install package.
¯\_(ツ)_/¯ -
Dont have enough administrator privileges
Hi,
I'm trying to install a program and when I try to run the installer, a window says "You don't have enough privileges to run this application. Log on as a member of the Administrator group, and start the installer again."
But I am the administrator and only user of the computer. How do I solve this problem?
Thanks
What program?
-
When I try to install the latest version of iTunes, an error message comes up saying the installer has insufficient administrator capability.
What's the precise text of that error message, please? (There's a few different ones I can think of that you might be getting.)
-
User Accounts in Domain Admins group do not have full administrative rights to the server
Our server was fine until recently one day we lost admin access for admin user accounts. If we log in to the server with the Domain Admin account, this account has full admin access to the server and can install and launch all programs and even all server
admin tools. If we log into the server with a user account which is in the Domain Admins group, that account cannot install software or launch Services.MSC. Even IE will not load any page and crash with a "Not Responding" Error.
The server has no viruses we even ran SFC /SCANNOW and it did repair from corrupted files but that didn't fix the issue.
Any ideas?
Hi Rick,
Maybe UAC is blocking the installation. Have it disabled and see if it helps. Ensure you have the Domain Admins group added into the local Administrators group.
Also check these links please.
https://social.technet.microsoft.com/Forums/en-US/b5300f28-6a2a-4760-8b80-97a2da0f87c1/2012-domain-admin-user-cannot-install-programs-on-a-domain-windows-7-pc?forum=winserverDS
https://social.technet.microsoft.com/Forums/en-US/0ca040de-52ac-4259-bf78-c22436fd04d4/domain-users-with-domain-admins-right-cannot-install-programs-or-open-server-manager?forum=winserverDS
Thanks,
Umesh.S.K -
I bought a Mac game from www.gamehouse.com. Downloaded it and now trying to install to play. But every time I go to install, a message keeps popping up telling me "Your account doesn't have sufficient access privileges. You will need to run this game once from an administrator account. Afterwards you will be able to run it from this account." I am already on the administrator account. Can someone please help?!
Only the developer can fix his apparently defective product.
-
Unable to start vmms service as an domain admin user
I am not able to bring up the Hyper-V manager service on a 2012 system as a domain admin user. The failure encountered is "Error 1297: A privilege that the service requires to function properly does not exist in the service account configuration".
Secondly,
If we bring up the Hyper-V manager service as the local system user then the connection from SCVMM 2012 R2 fails with "Contact the virtual machine manager administrator to verify that your account is a member of a valid user role and then try the operation again ID:1604"
Hi,
"If we bring up Hyper-V manager service as local system user then "
You set the VMM service logon as "local system account " then the service can run but scvmm can not connect to it ?
Please check :
1 . if domain admins group exists in local administrators group
2. this service should be set to start automatically and logon as "local system account"
Then please refe to following link :
http://www.itguy.gr/2011/12/anoying-you-cannot-access-vmm.html
Hope this helps
Best Regards
Elton Ji
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Windows Server 2012 R2 non-default domain admin limitations
Environment: Windows Server 2012 R2
Problem: members of the Domain Admins group are restricted in ways the default domain admin account is not. This is with or without UAC disabled; there are even more prompts with UAC enabled. Here are two examples:
1. Attempt to copy to Public Desktop. The built-in domain admin or local admin account can do so without restriction; any other member of the Domain Admins group is prompted for administrator permission (although clicking Continue proceeds without actually requiring further authentication/permission).
2. Right-click -> Properties of a hard drive in Explorer is missing the Shadow Copies tab for a non-default Domain Admin. Yes, I can simply right-click the drive and go to Configure Shadow Copies, so this one is not so important. But it is an inconsistency that means I have to access things just a bit differently...
This topic first appeared in the Spiceworks Community
I have already replied to that here: https://social.technet.microsoft.com/forums/windowsserver/en-US/b57abf72-90e6-44d7-93a5-0e57cb5404c9/nic-teaming-with-ws2012-ad
I still do not see an MS statement saying that it is supported for DCs.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Domain Admin access to workstations
A relatively simple question yet I haven't found any firm answers.
We have a 2008 R2 domain with all 2008 R2 servers/DC's running Windows 7 workstations. I want to know if a user that is a member of the domain admin security group has LOCAL admin access to any workstation that is joined to the domain
BY DEFAULT (no GPOs applying, no scripts running at logon, etc)?
Hi,
To my knowledge and observation the Domain Admins group is always added to the local Administrators group as part of the domain join process. So yes, domain admins are local admins unless you do something against it.
Regards,
Lutz -
Why are administrator privileges required to log out of Creative Cloud?
Hi,
we are using Creative Cloud for Teams on managed Mac OS X clients, which means our users are working on standard user accounts and have no administrator privileges. They are able to sign in to Creative Cloud with their Adobe ID without problem, but logging off is a different story: it's impossible to log out of CC without administrator privileges.
Any information regarding this issue?
Thanks!
Hi Abhijit,
CC was distributed to the client computers with CC Packager, where it's recommended NOT to distribute the CC Desktop app if the user has no admin privileges.
I gave it a try anyway and installed a package including CC Desktop, but it didn't help. When trying to sign out of CC, the user gets an error message, see the following screenshot (it's in German, sorry).
Thanks for your help,
Tobi -
Why can't I, a Domain Admin, see certain attributes of certain users.
I'm trying to run a powershell command that lets me figure out the last time users have set their password (on a Server 2008 R2 domain)
PS C:\Users\me> get-aduser -credential MDX\me -filter * -properties * | sort | Foreach-Object { echo "$($_.Name + "," + $_.passwordlastset)" }
My User 1,07/01/2013 08:31:17
My User 2,
Some users, this works well... I get their passwordlastset data. Other users, the pwdLastSet is not returned to get-aduser and it doesn't format it into the passwordLastSet field. I'm in the domain admin and enterprise admin groups. The other admin here
sees the field for the users I can't see but is missing some users. In the AD Users and Group console the attribute for all the users is properly formatted.
I think its permissions related, but I'm not sure why it would block me from seeing that attribute. The one thing I think may be common to all the users I can see were created by me through the GUI. The users that i can't see properly were created using
the new-aduser powershell command by a service account that has rights to create users in only one OU.
Question, any reason that a domain admin shouldn't have access to all the attributes in the directory?
Thanks Isaac. What am I looking for in particular?
The user was created in the AD users and computers GUI. I then ran the delegate control wizard to grant the user create user and delete user access to the OU my users sit in.
The new-aduser command we run looks like this. I build the string below then connect to the domain controller to run it. There are no other commands run after this.
my $cmd = "new-aduser -Name \'$args{firstname} $args{lastname}\' " .
"-AccountPassword (ConvertTo-SecureString " .
"-AsPlainText \'$args{password}\' -Force ) -Enabled 1 " .
"-ChangePasswordAtLogon 1 " .
"-DisplayName \'$args{firstname} $args{lastname}\' " .
"-EmailAddress \'$args{email}\' " .
"-GivenName \'$args{firstname}\' " .
"-SamAccountName \'$args{login}\' " .
"-UserPrincipalName \'$args{login}\@$args{domain}\' " .
"-Surname \'$args{lastname}\' " .
"-Path \'$args{location}\'";
Thanks for the help. -
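A diagnostic for the thread above (added example, not code from the thread; it assumes the ActiveDirectory module on a domain-joined console, and the two account names at the bottom are placeholders). Two different things produce a blank PasswordLastSet in Get-ADUser output: an ACL on the user object that denies the caller read access to pwdLastSet, or a raw pwdLastSet of 0, which is what New-ADUser writes when it is called with -ChangePasswordAtLogon 1 as the command in the thread does, and which Get-ADUser renders as an empty PasswordLastSet until the user's first password change. The report below shows the raw value next to the explicit and Deny ACEs on the object so the two cases can be told apart per account.

```powershell
# Added example; not part of the original thread. Assumes the ActiveDirectory
# module (which provides the AD: drive used by Get-Acl) and a domain-joined console.

function Get-PasswordLastSetDiagnosis {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop

    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordLastSet, whenCreated

    # pwdLastSet is the raw FILETIME. $null means the attribute was not returned to
    # this caller at all (permissions); 0 means "must change password at next logon"
    # (New-ADUser -ChangePasswordAtLogon $true), for which PasswordLastSet is empty.
    $attributeReturned = ($null -ne $u.pwdLastSet)
    $mustChange        = ($u.pwdLastSet -eq 0)

    # Security descriptor of the object itself. Explicit (non-inherited) and Deny
    # entries are what a delegation wizard run or a manual ACL edit leaves behind.
    $acl      = Get-Acl -Path ("AD:\" + $u.DistinguishedName)
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited }
    $deny     = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }

    [pscustomobject]@{
        User                  = $u.SamAccountName
        Created               = $u.whenCreated
        AttributeReturned     = $attributeReturned
        pwdLastSetRaw         = $u.pwdLastSet
        PasswordLastSet       = $u.PasswordLastSet
        MustChangeAtNextLogon = $mustChange
        Owner                 = $acl.Owner
        InheritanceBlocked    = $acl.AreAccessRulesProtected
        ExplicitAces          = @($explicit | ForEach-Object {
            '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.ActiveDirectoryRights })
        DenyAces              = @($deny | ForEach-Object {
            '{0} {1}' -f $_.IdentityReference, $_.ActiveDirectoryRights })
    }
}

# Placeholder account names: one that shows a date and one that comes back blank.
'user.visible', 'user.blank' |
    ForEach-Object { Get-PasswordLastSetDiagnosis -SamAccountName $_ } |
    Format-List
```

If the blank accounts all show AttributeReturned = True and MustChangeAtNextLogon = True, nothing is being hidden from the domain admin; the accounts simply have not had a password set since creation. If AttributeReturned is False, compare the ExplicitAces and DenyAces of a blank account with those of a visible one, and check InheritanceBlocked on the containing OU as well, since inheritance protection is the usual way a delegated OU ends up with a descriptor that differs from the rest of the domain.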
Local administrator doesn't seem to have all rights
Hello everyone,
We're offering hosted servers to our customers. We always deploy Windows Server 2008 R2 for them. Since last Monday, we began looking into offering Hosted 2012 R2. Everything works as expected except one thing. We use a script to create users, and in that
script we run a command within the "Run As" command (to open regedit.exe). On Server 2008 R2 this goes without problems but on 2012 R2 I get the warning that the user that executes the run as command doesn't have enough privileges to do so. I've
tried to create a new user, assign it to the local administrators group and then run the same command and that goes without problems. It looks like our local administrator doesn't have all the administrator rights. UAC is turned off and the server has been
rebooted a couple of times. There's no domain active, everything is being done locally.
Help would be appreciated since we're not sure what's going on.
Kind regards and thanks in advance.
I'm very sorry for my late reply, I have been sick for some weeks so I didn't have the time to continue on this.
But I'm very pleased to say that it's fixed! I've changed our script to create users from:
@ECHO OFF
set username=%1
set password=%2
set fullname=%3
ECHO [x] Creating user...
net user %username% %password% /add /fullname:%fullname% /passwordchg:no /scriptpath:script.bat
ECHO [x] Running reg. Please provide password...
net localgroup Administrators %username% /add
runas /user:%computername%\%username% "regedit /s \\%computername%\share\regedit\reg.reg"
net localgroup Administrators %username% /delete
to:
@ECHO OFF
set username=%1
set password=%2
set fullname=%3
ECHO [x] Creating user...
net user %username% %password% /add /fullname:%fullname% /passwordchg:no /scriptpath:script.bat
ECHO [x] Running reg. Please provide password...
runas /user:%computername%\%username% "regedit /s \\%computername%\share\regedit\reg.reg"
and that did the trick! The net localgroup Administrators %username% /add
is necessary in 2008 R2 but not in 2012 R2 and that caused the error
I would like to thank everyone for their time! -
Administrator privileges to domain users
Raj Kulkarni wrote: "...The applications which they use require administrative privileges. Any ideas."
Get a better software vendor. Seriously though, all jokes aside, get a better software vendor. If your software vendor is too lazy or incompetent to build software which cannot run with standard user privileges, then it is not worth using. Inb4, "we cannot... blah blah blah". Of course you can. It is all about making a business case to management why having users running around with local admin rights is not a question of if something goes wrong, but when. Oh look, Jonny wants me to play "Hack my PC" with him on Facebook, oh what is this? I need to install this "update". Sure, why not? Nothing can go wrong, right?
Not the answer you were looking for, I know, however it is the RIGHT answer.
For the past few months, on some PCs, I am unable to give domain users administrative privileges on their own PC. The applications which they use require administrative privileges.
What I have done in the past, with no problems, was to add the domain user to the Administrators group on the local PC. Now, I get an error message, stating that the user name or password is incorrect.
I suspect that there may be some corruption in the active directory on our Windows 2008 server. I have also had password synchronization problems where the password doesn't get changed on the server, but only on the local PC.
Any ideas.
This topic first appeared in the Spiceworks Community