+ Post New Thread
Results 1 to 9 of 9
Windows 7 Thread, User account elevation: disable? in Technical; Hi, If a student runs an exe installation file it will say that it wants to make changes to the ...
  1. #1

    Join Date
    Oct 2009
    Posts
    46
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    User account elevation: disable?

    Hi,

    If a student runs an exe installation file it will say that it wants to make changes to the computer, they can select yes and it installs. This is very strange, as it does not ask for admin credentials and they are only a member of "domain users".

    Is that normal? Can we disable this access either before or after they click yes? I've played around with GP settings to deny elevation requests but they do not seem to do anything.

    Thanks

  2. #2

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,214 Times in 761 Posts
    Rep Power
    395
    It sounds like they definitely have more than just regular domain user privileges. Check the local Administrators group on the workstation to see what AD groups are given membership.

  3. #3

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,270
    Thank Post
    884
    Thanked 2,747 Times in 2,321 Posts
    Blog Entries
    11
    Rep Power
    785
    If it is doing that then they have admin rights from somewhere, are you sure that they are not in the local admins group?

    If they were limited users then it would prompt for user credentials to run under in order to perform the operation.

  4. #4

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,771
    Thank Post
    354
    Thanked 533 Times in 498 Posts
    Rep Power
    182
    Quote Originally Posted by ramsay View Post
    Hi,

    If a student runs an exe installation file it will say that it wants to make changes to the computer, they can select yes and it installs. This is very strange, as it does not ask for admin credentials and they are only a member of "domain users".

    Is that normal? Can we disable this access either before or after they click yes? I've played around with GP settings to deny elevation requests but they do not seem to do anything.

    Thanks
    There's a seperate GP for that.

    Installs are run under a "special account" not admin.

    Try here:

    Computer Configuration –> Administrative Templates –>Windows Components –> Windows Installer

    Always install with elevated privileges (Think it's there anyway, but there is one)

    Steve

  5. #5
    Jamo's Avatar
    Join Date
    Jan 2009
    Posts
    1,361
    Thank Post
    66
    Thanked 178 Times in 150 Posts
    Rep Power
    61
    Quote Originally Posted by Steve21 View Post
    There's a seperate GP for that.

    Installs are run under a "special account" not admin.

    Try here:

    Computer Configuration –> Administrative Templates –>Windows Components –> Windows Installer

    Always install with elevated privileges (Think it's there anyway, but there is one)

    Steve
    Check the user version of the policy above, it should be set to not configured (or disabled if its configured elsewhere for some reason)

  6. #6

    Join Date
    Oct 2009
    Posts
    46
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Thanks for the replies. I will investigate...

  7. #7

    Join Date
    Oct 2009
    Posts
    46
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    It turns out that the computers had "\LOCAL" listed as a local administrator. That seemed to be giving everyone local admin rights! No idea how that got there or if it's a Windows default. I put a GP setting to remove this from the local administrator group and all looks OK now.

    Thanks

  8. #8

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,214 Times in 761 Posts
    Rep Power
    395
    Quote Originally Posted by ramsay View Post
    It turns out that the computers had "\LOCAL" listed as a local administrator.
    I have never seen that before. Just "\LOCAL"? Not "NT AUTHORITY\LOCAL" or something?

  9. #9

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,270
    Thank Post
    884
    Thanked 2,747 Times in 2,321 Posts
    Blog Entries
    11
    Rep Power
    785
    Quote Originally Posted by AngryTechnician View Post
    I have never seen that before. Just "\LOCAL"? Not "NT AUTHORITY\LOCAL" or something?
    .\Local should target the local machine



SHARE:
+ Post New Thread

Similar Threads

  1. User account disabled - who did it?
    By kennysarmy in forum Windows
    Replies: 10
    Last Post: 3rd March 2008, 06:25 PM
  2. Editing multiple user accounts
    By Andie in forum Windows
    Replies: 5
    Last Post: 27th April 2007, 03:30 PM
  3. Mandatory profile gets deleted along with the user account
    By mark_sharman in forum Network and Classroom Management
    Replies: 2
    Last Post: 23rd February 2007, 10:38 PM
  4. Replies: 13
    Last Post: 22nd January 2007, 10:54 AM
  5. Setting Up A Users Account ... Help Wanted Please...
    By tickmike in forum How do you do....it?
    Replies: 18
    Last Post: 8th September 2006, 09:50 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •