
domain user, in local admin group being restricted why ?

Discussion in 'Windows XP' started by oly-450, Apr 27, 2006.

Thread Status:
Not open for further replies.
  1. oly-450

    oly-450 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    4
    hi,

    I work in a school with a CC3 (RM) network, basically modified Windows XP and 2000. I have joined a standard Windows XP machine to the domain and added a user on the domain local admins group. However, when this user logs in they can see the C drive and access other usually restricted parts of Windows; what they cannot do is change the screen resolution or right-click on the taskbar.

    What would cause this to happen? My understanding is that once the user is in the local admin group they should have full access to everything on that laptop, and RM will not supply support because they do not support standard Windows.

    There is no way to block this kind of use from Active Directory, is there?
     
  2. matt_aj

    matt_aj

    Joined:
    Jan 23, 2006
    Messages:
    658
    Check in the administrators group on that machine. It should have "domain admins" in there. Also, C: drive is not normally denied as a standard user unless the policy states it. Do you have any policies in place? If so, you might want to check those to make sure domain admins didn't get put into it as well. It sounds like the domain admins are getting the same rights as a standard user. Also, make sure you are logging into the domain and not the local machine.

    I guess maybe this CC3 might be different... I'm not sure what that is...
     
  3. oly-450

    oly-450 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    4
    It is the local admin that is restricted, so for example I add a user to the local admin group so they have full control over that machine; they should not be a domain admin.

    Domain admins do have full control, and if I log in off the domain obviously I have full local admin abilities.

    As for policies, I do not know which are set; they were set up long before I worked here.

    Thanks for the suggestions.
     
  4. matt_aj

    matt_aj

    Joined:
    Jan 23, 2006
    Messages:
    658
    Ok, sorry, I had just skimmed through and misread what you had said. Have you tried adding that user to another machine on the domain? Have you tried adding a different domain user as admin on that machine?
     
  5. matt_aj

    matt_aj

    Joined:
    Jan 23, 2006
    Messages:
    658
    Do you have any issues with local accounts on that machine? Say the built in administrator account?

    If you don't have any problems with local accounts and the problems are limited to domain accounts, I would definitely check the policies, both domain and local security.
     
  6. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,331
    First Name:
    James
    I think saying domain local admin group has probably confused the situation.

    So you have a user... for now call him AdminBob. AdminBob is a member of the Domain Admin group, which by default has Full Control, however AdminBob is restricted in certain things.

    Is this correct so far?

    If so then there are two possible symptoms. Group Policy Objects and Permissions. Since you mentioned that he can't change resolutions, it looks like it's the GPOs.

    One check if AdminBob can't read files or folders is to go into the Properties of said file/folder and then Security. Click on Advanced, then Effective Permissions. Click on Select and type AdminBob and then OK to see his effective permissions. If he does not have Full Control then there is a permission that he's been denied at.

    Same with GPOs. Make sure that all of the Groups / OUs that AdminBob is part of do not have any GPOs that would deny him these functions. If I remember correctly, GPOs start from the Local Computer first, so double check the policy on the problematic computer. If AdminBob's problem is on all machines, it's on the domain.

    Remember, Deny overrides everything.
     
  7. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,234
    Don't forget to also look under the computer GPOs applied where the computer account is located. Bob sure could have access, but if the GPO does not allow the computer this access then Bob can't unless he has the rights to circumvent this particular GPO. I am not sure if these GPOs being set are user related or computer related, but I am with Tidus on thinking this has to be GPO related.
     
  8. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,331
    First Name:
    James
    Thank you ST for pointing out the computer account too. I had that in mind but didn't type it.
     
  9. oly-450

    oly-450 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    4
    Okay, I will re-clarify: the user is NOT a domain admin.
    The setup here is domain admin, teachers group, students group.

    The user is in the teachers group on the domain, and I want to give them unrestricted access to a laptop / their own laptop but still be part of the domain.

    Domain admin has full access to all machines and is NOT the user I am trying to add.

    The teachers group does not have full access to all machines, so I thought that adding them to the local admin group on the laptop would rectify the problem and give unrestricted access to that computer.

    I have checked the GPOs on the laptop and there are none set, so it would seem it is a domain account problem.

    Also, it does the same for anyone in the teachers group, on any laptop I try. What would I use to change this restriction on the Windows 2000 server?

    Thanks for the suggestions, it has helped me get a clearer idea :)
     
  10. StumpedTechy

    StumpedTechy

    Joined:
    Jul 7, 2004
    Messages:
    7,234
    Yes, if you have no GPO and you have a Domain group called "teachers" and you take this domain group and place it into the Local Admins group, this should give them full access.

    If it doesn't, I would check for any other type of school "limiting" software. I know some use 3rd party tools to lock down other parts; maybe one is acting like a GPO type of solution.

    Also check this person's user account and verify they are in fact in this teachers group. If you add the teachers group but don't have him in there he will still be limited.
     
  11. oly-450

    oly-450 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    4
    Thanks for that, never thought of adding the teachers group to the local admin group.

    Great idea. Yes, we do use third party software, but it is just a front end to Active Directory; because we use it here, I have never dealt with AD directly.

    But I like the idea of adding the teachers group better; it means all teachers have full access to the laptops, as they are teacher laptops.
     
  12. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,331
    First Name:
    James
    Agreed. If there is no GPO on the laptop but there is on the domain, it may still cause problems. But if your school hasn't done any GPOs anywhere, this should work.
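
The checks suggested in the replies above, collected into a batch file for the Windows XP laptop (an added example, not part of the original thread). `EXAMPLEDOM` is a placeholder domain name; the three registry values are the standard Windows policy values for hiding the Display control panel and disabling the taskbar context menu, and checking them assumes the restrictions come from user-configuration policy, which follows the account regardless of local Administrators membership.

```batch
@echo off
rem Added example: run from a command prompt while logged on as the affected user.
rem EXAMPLEDOM and Teachers are placeholders for the real domain and group names.
setlocal
set GROUP=EXAMPLEDOM\Teachers
set POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

echo === Members of the local Administrators group ===
net localgroup Administrators

echo === Domain group memberships of the logged-on user ===
net user %USERNAME% /domain

echo === GPOs applied to the user, then to the computer account ===
gpresult /scope user /v
gpresult /scope computer /v

echo === User policy values matching the two symptoms ===
rem Display control panel hidden, or only its Settings tab hidden
call :check "%POL%\System" NoDispCPL
call :check "%POL%\System" NoDispSettingsPage
rem Right-click menu on the taskbar disabled
call :check "%POL%\Explorer" NoTrayContextMenu

rem To grant the domain group local admin rights (run as an administrator):
rem   net localgroup Administrators "%GROUP%" /add
endlocal
goto :eof

:check
rem reg query sets errorlevel 1 when the value does not exist
reg query %1 /v %2 >nul 2>&1
if errorlevel 1 (echo %2: not set) else (reg query %1 /v %2)
goto :eof
```

If any of the three values is present, the GPO list printed by `gpresult /scope user /v` shows which policy objects were applied to the account.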
     
Short URL to this thread: https://techguy.org/462855
