
Thread: MAC Address and Admin Rights

  1. #11
    Excellent point, I was assuming we were talking about group policy, but that may not be the case.

    What OS, specifically are we working with? Can the user be added to the administrators group on the local workstation, or is something preventing that?

  2. #12
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    If I might, I'd like to clarify some things here that seem to be "fuzzying" this whole conversation.

    Definitions:-

    1. Domain Administrator: A domain admin is an administrator of a Windows AD domain. He may administer all things in the domain, (except two but we'll forget those for this discussion). While a domain administrator cannot be removed from their ability to admin the domain through AD Users & Computers etc., they most certainly can be restricted from admin privs on individual workstations etc.

    2. Local Administrator: This chap is the admin of a workstation or server, (except an AD controller, which has no users or admins). He has no control over any domain functions and I don't even believe that a local admin of a workstation could be added to the domain admins group in AD - though I'm sure someone has a nice little hack for that one if you have admin access to a DC.

    The user groups are similar. A user on a workstation can't be a user in a domain. A user has to be added to AD as a domain user and log into the domain to have privs there. They will, at a minimum, be a user of the workstation if they successfully authenticate to the domain. A domain user can be added to the local admin group of any specific workstation or non-AD server by going to the Users section in Control Panel or under My Computer - Manage and adding them to the Admin group by selecting the domain as the source of the list of users and selecting the appropriate user from that list.

    In short there is a huge difference between "Local" and "Domain". They are utterly different and there is no "Local Users" or "Local Administrators" group in any AD install I ever came across.

    So.... having said that....

    Earthbound.. What is the problem, precisely?

    You are saying that you aren't a domain admin but you seem to be saying that you are adding users to groups in AD.... You can't.... Are you _sure_ you don't mean you are doing it on a workstation and adding them to the Administrators group there?

    You also say you aren't a domain admin but that you can go to any computer and do what you want.... that leaves two scenarios possible:-

    1. Your domain admins have either domain users or authenticated users added to the local administrators group of each workstation - That would be considered bad....

    2. You are a domain admin and don't know it since domain admins are added to the local admin group of any workstation that joins a domain by default - again, this is bad.

    Another possibility:-

    Are you sure that you have not been delegated authority over an OU, (Organizational Unit)? This would grant you local admin privs without you being a domain admin.....

    So.... If you want to give a user admin privs on a workstation then go ahead and do it through control panel or My Computer - Manage, (if you can), and don't do it to any other workstation and you will be fine.....

    But my best piece of advice to you at this point is to do two things:-

    1. Learn the differences between domain and local, AD and Users and how they apply in an AD environment

    2. Go and ask your domain admin what rights you have, _exactly_, and how they are derived, (through AD, therefore a domain admin, (albeit a very limited one), or through AD as a delegation, or simply because they ran a script on certain computers to make you a local admin).


    Hope that clarifies the terminology and the differences.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    I was never talking about servers, just the workstations in general. Here they have overlapping policies, which I guess one outdoes another. It is set up so that if you are a local admin then you can go to any workstation and basically do your thing, to a point.... the Domain admins have been set up to be the only ones (they think) that can touch the servers. I am hoping they are right. I haven't played with them yet. But I think from playing with AD this morning that I have figured out what is going on... But let me ask this.... Can one GPO kind of cross out another, going with the example above? I assigned a user local admin rights through AD just on that machine. (Everyone is part of the Domain Users group.) But it was previously assigned to him that he would have power user rights on the other machines. Could it by chance propagate (is that the right word?) to the other machines or get mixed up with the other settings?

  4. #14
    I think I am mixing myself up.

  5. #15
    How did you assign the user rights to only that one workstation through AD? Based on your last question, it looks like you're using a set of group policies... the rest of my response will proceed on that assumption.

    If you're using group policy, yes, policies can override one another. Group Policy is set up so "last policy applied wins." If you have 5 policies trying to apply different members of the administrators group, the last one evaluated will be the one that wins. This is usually the policy that is "closest" to the computer object. For more information on that, go here:

    http://www.microsoft.com/resources/d...c_pol_DYZR.asp

    What operating system is on the workstations? Your best bet may be to use some of Microsoft's resultant set of policy tools to figure out what's going on.
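As an added example that is not code from any poster in this thread, the PowerShell below ties post #12 and post #15 together: it lists the local Administrators group on a workstation the way post #12's Control Panel / Manage steps would show it, flags the broad groups post #12 calls bad (Domain Users, Authenticated Users) as well as the Domain Admins default, and then runs gpresult, one of the Resultant Set of Policy tools post #15 recommends, so the applied-GPO list shows which policy set that membership. It assumes a domain-joined Windows workstation where the caller may read local group membership; the group-name lists are constructed for the example.

```powershell
# Added example, not code from the thread. Lists who is in the local Administrators
# group and flags the broad domain groups post #12 says should not be there.
# Assumes a domain-joined workstation and enough rights to read local group membership.
param([string]$Computer = $env:COMPUTERNAME)

# Groups whose presence hands local admin to every domain account (post #12, scenario 1).
$broadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')
# Domain Admins lands here by default when a machine joins the domain (post #12, scenario 2).
$expectedGroups = @('Domain Admins', 'Administrator')

# WinNT provider works on old and new Windows alike, so no Get-LocalGroupMember needed.
$group = [ADSI]"WinNT://$Computer/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $name  = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
    $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # ADsPath looks like WinNT://DOMAIN/Domain Users; keep only the domain or machine part.
    $source = (($path -replace '^WinNT://', '') -split '/')[0]
    [pscustomobject]@{ Name = $name; Class = $class; Source = $source }
}

foreach ($m in $members) {
    $verdict = if ($broadGroups -contains $m.Name) { 'BROAD GROUP - review' }
               elseif ($expectedGroups -contains $m.Name) { 'expected default' }
               elseif ($m.Class -eq 'User' -and $m.Source -ne $Computer) { 'domain user added locally' }
               else { 'check' }
    '{0,-8} {1,-22} {2,-15} {3}' -f $m.Class, $m.Name, $m.Source, $verdict
}

# Which GPO set this membership? gpresult lists the computer policies that applied, in
# the order they were evaluated, so the last one listed is the one post #15 says wins.
gpresult /scope computer /v | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
```

Run it on the single workstation from post #13 and on one of the "other machines" and compare the two verdict columns; a difference in the applied-GPO list explains which policy overrode the other.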

  6. #16
    AO Ancient: Team Leader
    I think I am mixing myself up.
    Not only that... I think you are mixing me up too.....

    Yes, a GPO can override another GPO. In fact one GPO can completely reverse another. I'm still having a hard time working out exactly what is going on there.

    How were you "playing with AD"? Are you adding and changing user properties? If you are then you are either a Domain Admin or you have been delegated power over your OU.

  7. #17
    Originally posted here by Timmy77
    How did you assign the user rights to only that one workstation through AD? Based on your last question, it looks like you're using a set of group policies... the rest of my response will proceed on that assumption.
    ---------------------------------------------------
    Right clicked on the computer name and added him in as local admin just for that machine. I also checked his account to make sure that it showed up as such and it supplied the Domain name and his permissions to that computer.


    ---------------------------------------------------
    Originally posted here by Timmy77
    What operating system is on the workstations?
    XP SP1

  8. #18
    AO Ancient: Team Leader
    Methinks you have more power there than you think.....

  9. #19
    Originally posted here by Tiger Shark
    Not only that... I think you are mixing me up too.....

    How were you "playing with AD"? Are you adding and changing user properties? If you are then you are either a Domain Admin or you have been delegated power over your OU.
    I actually had him put in a test area that I have access to. I don't have other access to the entire Directory. But he has been a problem. He knows a lot and my peers want him fired. But he really has done nothing other than just be annoying to the HD staff.... He wants things that aren't allowed... on his computer... and keeps trying to put them on. We have made it so that even if he DL's some of the stuff he still can't run it, like AIM, Kazaa, Limewire, Yahoo IM, Napster, and a few BitTorrent things. But he gets around it. It isn't like I can't see him doing that stuff. We have a lot of stuff monitoring the comings and goings of the traffic around here.

    Oh, and his latest exploit was something called Miranda (I think that is right), an instant messenger that can run off removable media or something like that.

    http://www.miranda-im.org/

    The higher ups don't think it is that much of an issue. But when a security breach comes around I am ready to say "I told you so".

    But that is a different matter.

  10. #20
    I seriously think I have been brought on to give ideas rather than follow through with them. Everything I have asked done they won't do or "they will consider." They already had an internal breach... anyway. I am ranting, I apologize.

    I mean, I am by no means an expert at anything, but there is common sense to be used. And I am learning. Google is my friend. Kind of.
