domain user, in local admin group being restricted why ?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

oly-450

Thread Starter
Joined
Apr 27, 2006
Messages
4
Hi,

I work in a school with a CC3 (RM) network, basically modified Windows XP and 2000. I have joined a standard Windows XP machine to the domain and added a user on the domain local admins group; however, when this user logs in they can see the C drive and access other usually restricted parts of Windows. What they cannot do is change the screen resolutions or right-click on the taskbar.

What would cause this to happen? My understanding is that once the user is in the local admin group they should have full access to everything on that laptop, and RM will not supply support because they do not support standard Windows.

There is no way to block this kind of use from Active Directory, is there?
 
Joined
Jan 23, 2006
Messages
658
Check in the administrators group on that machine. It should have "domain admins" in there. Also, C: drive is not normally denied as a standard user unless the policy states it. Do you have any policies in place? If so, you might want to check those to make sure domain admins didn't get put into it as well. It sounds like the domain admins are getting the same rights as a standard user. Also, make sure you are logging into the domain and not the local machine.

I guess maybe this CC3 might be different... I'm not sure what that is...
 

oly-450

Thread Starter
Joined
Apr 27, 2006
Messages
4
It is the local admin that is restricted. So, for example, I add a user to the local admin group so they have full control over that machine; they should not be a domain admin.

Domain admins do have full control, and if I log in off the domain, obviously I have full local admin abilities.

As for policies, I do not know which are set; they were set up long before I worked here.

Thanks for the suggestions.
 
Joined
Jan 23, 2006
Messages
658
Ok, sorry, I had just skimmed through and misread what you had said. Have you tried adding that user to another machine on the domain? Have you tried adding a different domain user as admin on that machine?
 
Joined
Jan 23, 2006
Messages
658
Do you have any issues with local accounts on that machine? Say, the built-in administrator account?

If you don't have any problems with local accounts and the problems are limited to domain accounts, I would definitely check the policies, both domain and local security.
 

Couriant

James
Trusted Advisor
Spam Fighter
Joined
Mar 26, 2002
Messages
36,176
I think saying domain local admin group has probably confused the situation.

So you have a user... for now call him AdminBob. AdminBob is a member of the Domain Admin group, which by default has Full Control, however AdminBob is restricted in certain things.

Is this correct so far?

If so, then there are two possible symptoms: Group Policy Objects and Permissions. Since you mentioned that he can't change resolutions, it looks like it's the GPOs.

One check, if AdminBob can't read files or folders, is to go into the Properties of said file/folder and then Security. Click on Advanced, then Effective Permissions. Click on Select, type AdminBob and then OK to see his effective permissions. If he does not have Full Control, then there is a permission that he's been denied at.

Same with GPOs. Make sure that all of the Groups / OUs that AdminBob is part of do not have any GPOs that would deny him these functions. If I remember correctly, GPOs start from the Local Computer first, so double-check the policy on the problematic computer. If AdminBob's problem is on all machines, it's on the domain.

Remember, Deny overrides everything.
 
Joined
Jul 7, 2004
Messages
7,235
Don't forget to also look under the computer GPOs applied where the computer account is located. Bob sure could have access, but if the GPO does not allow the computer this access then Bob can't, unless he has the rights to circumvent this particular GPO. I am not sure if these GPOs being set are user related or computer related, but I am with Tidus on thinking this has to be GPO related.
 

Couriant

James
Trusted Advisor
Spam Fighter
Joined
Mar 26, 2002
Messages
36,176
Thank you ST for pointing out the computer account too. I had that in mind but didn't type it.
 

oly-450

Thread Starter
Joined
Apr 27, 2006
Messages
4
Okay, I will re-clarify: the user is NOT a domain admin.
The setup here is domain admin, teachers group, students group.

The user is in the teachers group on the domain, and I want to give them unrestricted access to a laptop / their own laptop but still be part of the domain.

Domain admins have full access to all machines and are NOT the user I am trying to add.

The teachers group does not have full access to all machines, so I thought by adding them to the local admin group on the laptop this would rectify the problem and give unrestricted access to that computer.

I have checked the GPOs on the laptop and there are none set, so it would seem it is a domain account problem.

Also, it does the same for anyone in the teachers group, on any laptop I try. What would I use to change this restriction on the Windows 2000 server?

Thanks for the suggestions, this has helped me get a clearer idea :)
 
Joined
Jul 7, 2004
Messages
7,235
oly-450 said:
The teachers group does not have full access to all machines, so I thought by adding them to the local admin group on the laptop this would rectify the problem and give unrestricted access to that computer.
Yes, if you have no GPO and you have a Domain group called "teachers" and you take this domain group and place it into the Local Admins group, this should give them full access.

If it doesn't, I would check for any other type of school "limiting" software. I know some use 3rd-party tools to lock down other parts; maybe one is acting like a GPO type of solution.

Also check this person's user account and verify they are in fact in this teachers group. If you add the teachers group but don't have him in there, he will still be limited.
 

oly-450

Thread Starter
Joined
Apr 27, 2006
Messages
4
Thanks for that, never thought of adding the teachers group to the local admin group.

Great idea. Yes, we do use third-party software, but it is just a front end to Active Directory; because we use it here, I never dealt with AD directly.

But I like the idea of adding the teachers group better; it means all teachers have full access to the laptops, as they are teacher laptops.
 

Couriant

James
Trusted Advisor
Spam Fighter
Joined
Mar 26, 2002
Messages
36,176
StumpedTechy said:
Yes if you have no GPO and you have a Domain group called "teachers" and you take this domain group and place it into the Local Admins group this should give them full access.
Agreed. If there is no GPO on the laptop but there is on the domain, it may still cause problems. But if your school hasn't done any GPOs anywhere, this should work.
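
The checks suggested in this thread, gathered into one script as an added example (not posted by any participant): local Administrators membership, policy values in the registry, and the GPOs that delivered them. It assumes PowerShell is available on the laptop and is run as the affected user; the three policy value names are the standard Explorer/System ones matching the two symptoms described, which the thread itself does not name.

```powershell
# Added example (not from the thread). Run as the affected user on the laptop.

# Policy value names for the two symptoms described (assumed mapping).
$ofInterest = @{
    'NoTrayContextMenu'  = 'taskbar right-click menu disabled'
    'NoDispCPL'          = 'Display control panel disabled'
    'NoDispSettingsPage' = 'Display Settings tab hidden'
}
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-PolicyValue {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }   # key absent: no policy written there
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Key   = $key
                Name  = $name
                Value = $item.GetValue($name)
                Note  = $ofInterest[$name]        # empty for values unrelated to the symptoms
            }
        }
    }
}

# 1. Is the user's token really in the local Administrators group?
#    (On Windows versions with UAC this is True only in an elevated session.)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"{0} in local Administrators: {1}" -f $identity.Name, $isAdmin
net localgroup Administrators

# 2. Restrictions written as policy; Explorer honours these regardless of group membership.
Get-PolicyValue $policyKeys | Select-Object Key, Name, Value, Note | Format-Table -AutoSize

# 3. Which GPOs delivered the user-side settings.
gpresult /scope user /v
```

If step 1 reports True while step 2 lists the restriction values, the account is a local administrator and the limits come from user policy, not from missing rights.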
 