Local admin rights not flowing through

Guest

I've got a weird issue that I hope someone knows what's going on...

I recently moved from my NTSBS 4.0 domain into a Win2003 AD. I have 7
workstations all with the same issue. I had to re-create the user accounts
in 2003 since I couldn't find a direct upgrade path which was no big deal.

Anyway, all of my workstations are XP SP2.

The workstations did not have local administrator rights so the users could
not install their own applications. I added into each user's workstation
their domain login name and added them as local administrator. I can log in
as them to the local workstation and gain local admin, but if I login into
the domain I do not get local administrator rights.

Here's what I tried:

Deleting the profiles, deleting references in the registry to that user,
re-creating the profile by logging in again.

I noticed when I logged in with the new user that it took a while to create
the profile. When I logged in with the original user, even though the
profile directories were deleted it just said loading profile and entered
winxp quickly. So it looks like it was grabbing a profile from somewhere. I
examined the PC and their home directory but could not find another profile
directory.

Created a new user on the domain, created a new user on the local
workstation and this new user did get local admin.

Re-formatted a PC and re-patched. Added the original user in the local
workstation as local administrator and the problem was still there. No local
administrator rights.

It seems to be a profile/policy issue but no policies or roaming profiles
are defined in the new domain.

Does anyone have any idea on what is going on with this?
 
Bruce Chambers

Eric said:
> The workstations did not have local administrator rights so the users could
> not install their own applications.

.... Which is generally a good thing.

> I added into each user's workstation
> their domain login name and added them as local administrator.

Does this mean that you created a local account on the computer with
the same username as the domain account? If so, why?

> I can log in
> as them to the local workstation and gain local admin, but if I login into
> the domain I do not get local administrator rights.

Yes, that's the way it should work, if you created local accounts for
each user, and then added only those local accounts to the local
administrators group.

> Here's what I tried:
>
> Deleting the profiles, deleting references in the registry to that user,
> re-creating the profile by logging in again.
>
> I noticed when I logged in with the new user that it took a while to create
> the profile. When I logged in with the original user, even though the
> profile directories were deleted it just said loading profile and entered
> winxp quickly. So it looks like it was grabbing a profile from somewhere. I
> examined the PC and their home directory but could not find another profile
> directory.
>
> Created a new user on the domain, created a new user on the local
> workstation and this new user did get local admin.
>
> Re-formatted a PC and re-patched. Added the original user in the local
> workstation as local administrator and the problem was still there. No local
> administrator rights.
>
> It seems to be a profile/policy issue but no policies or roaming profiles
> are defined in the new domain.
>
> Does anyone have any idea on what is going on with this?

The systems are acting perfectly normally, and there's nothing wrong.
If you want your users to have local administrative privileges (which I
think is a mistake, but it's your LAN) while logged in to the domain,
simply add each user's domain account to the computer's local
administrator group.


--

Bruce Chambers

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Guest

I am trying to add them to the local administrators group.

This is a small company whose employees are technical in nature. We do a
lot with engineering and designing/programming. The people need local admin
access to perform their job.

From my past experience, if you create a local user and add them into the
local administrators group and that login ID has the same login ID as the
domain account then when the user logs into the domain they will get the
local administrator privs. This is not happening in my current setup and is
needed.
 
Steven L Umbach

It should work [if that is what you REALLY want to do] if you add their
domain user account to the local administrators group on their workstation.
You may have other issues going on here also though. First make absolutely
sure that you have DNS configured correctly for your domain as per the KB
article in the link below [NEVER ever have an ISP DNS server in the
preferred DNS server list of ANY domain computer] and run the support tool
netdiag on your domain controllers and a couple domain workstations having
this problem and run the support tool dcdiag and gpotool on your domain
controllers looking for any problems. Also look in the logs of the domain
controllers and domain workstations via Event Viewer to see if any related
problems are found. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
 
Guest

I do have DNS configured correctly, including the reverse lookup zone. I use
a .local extension for internal DNS. I also looked at the event logs on both
the domain controller and the local workstations and all were squeaky clean.

I haven't tried a netdiag yet though. I'll give that a shot tomorrow. Any
other ideas anyone?

Thanks

 
Steven L Umbach

It sounds like it could be a problem with contacting the domain controller
at logon. It could be the user is logging on via cached credentials even
just briefly as is often the case where clients have wireless network
connections. You can check the security log on the client workstation,
assuming auditing of logon events is enabled as shown in Local Security
Policy, to see if cached logons are happening as evidenced by type 11
logons. Try using the support tool whoami /groups to compare the security
token of the domain user compared to the domain user to see if
builtin\administrators is shown for the domain user. Also run rsop.msc on
the domain computer in question to see if there are any differences in user
configuration group policy settings for the domain user that could be
restricting the user such as Software Restriction Policies. Another
possibility is that the domain user is a member of a group that has deny
permissions in some access control list that may be restricting them. ---
Steve
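
The check this thread keeps coming back to, as an added example that is not part of any post: is the entry in the local Administrators group the same account (same SID) as the one that logged on, and does the logon token carry BUILTIN\Administrators? It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`), so it suits a current workstation rather than the XP SP2 machines discussed here; the function names are hypothetical.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1+.
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-AdminGroupEntry {
    # Direct members of local Administrators whose logon name matches,
    # whatever their source (local SAM account or domain account).
    param([string]$UserName)
    Get-LocalGroupMember -SID $adminSid |
        Where-Object { ($_.Name -split '\\')[-1] -eq $UserName } |
        Select-Object Name, PrincipalSource, @{ n = 'Sid'; e = { $_.SID.Value } }
}

function Get-CurrentTokenSummary {
    # What the current logon session actually holds.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        Account      = $id.Name          # DOMAIN\user or COMPUTER\user
        UserSid      = $id.User.Value
        # False in a non-elevated session on systems with UAC.
        IsLocalAdmin = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

$token   = Get-CurrentTokenSummary
$name    = ($token.Account -split '\\')[-1]
$entries = Get-AdminGroupEntry -UserName $name

$token   | Format-List
$entries | Format-Table -AutoSize

# A same-named account from another source has a different SID, so it
# confers nothing on this logon. Membership through a nested group is
# not resolved here; only direct entries are compared.
if (-not ($entries | Where-Object { $_.Sid -eq $token.UserSid })) {
    Write-Warning ("No direct Administrators entry has the SID of {0}." -f $token.Account)
}
```

Run it once logged on with the domain account and once with the local account: the `Account` prefix and `UserSid` differ even when the user names are identical.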

