Re: Local user privileges

From: "Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Sep 2005 16:27:20 +0200

Hi,

Angel Massa schrieb:
> I have a user that has domain user privileges on the domain. Then I login
> into the domain and I noticed that it can make any administrator tasks on
> his local computer. I can even create users!

You can create Users on a local machine if the user is a
member of the power users or administrators. As a power user
you can only create users or power users, no admins ;-)

If he can create admins, then he is a member of the local admin group.

That can happen, if he is aswell a member of the domain-admins
or if you made the dom-user account a local administrator.
That can be done on the client itself via GUI or CMD
(net localgroup administratoren youruser /add) or if you manipulated
the restricted groups in the GPO.

HTH
Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.
.

References:
- Local user privileges
  - From: Angel Massa

Prev by Date: Re: Group Policies fails on one computer
Next by Date: Desktop redirection questions
Previous by thread: Local user privileges
Next by thread: Re: Local user privileges
Index(es):
- Date
- Thread

Relevant Pages

Re: Login as local admin
... So if i basically ensure that my domain administrator account is a member of ... the schema admins, and enterprise admins, and login using these credentials, ... The article does not reference "local" administrator (as far as I ... If you choose to use an account other than the built-in administrator ...
(microsoft.public.windows.server.sbs)
Re: I shot my foot off almost and the Admin cant log into the server locally
... server. ... Keep a backup administrator id around. ... > By default the Administrator should be a member of these groups: ... > Administrators, Domain Admins, Domain Users, Enterprise Admins, Group ...
(microsoft.public.windows.server.sbs)
Re: Interactive Logon problem on Server
... If you checked Gp Policy and you are correct that you have ... have member groups that aren't supposed to be there. ... > Enterprise Admins ... >> Logon Remotely and open the User account for Administrator and be sure ...
(microsoft.public.windows.server.sbs)
Re: ADMINISTRATOR vs Administrator USer
... these be designated as administrator or how do I define one ... If a user is a member of the "administrators" group - no matter their other ... Power Users is supposed to be a group that can install certain things, ...
(microsoft.public.windowsxp.general)
RE: Exchange 2003 reinstallation issue
... the problem still exists even if the Administrator ... account is a member of the appropriate groups. ... >Enterprise Admins ...
(microsoft.public.windows.server.sbs)