+ Post New Thread
Results 1 to 15 of 15
Windows Thread, Domain user becoming administrator even though not a member of the security group? in Technical; As title really. Domain users are becoming an admin even though they are not a member of the administratorís security ...
  1. #1

    Join Date
    Jun 2010
    Location
    England
    Posts
    735
    Thank Post
    89
    Thanked 52 Times in 46 Posts
    Rep Power
    34

    Unhappy Domain user becoming administrator even though not a member of the security group?

    As title really.
    Domain users are becoming an admin even though they are not a member of the administratorís security group. How???
    I've narrowed it down to a security group (If I add a user to this security group they become an admin, if remove they become non admin)
    This security group is a member of other security groups, however Iíve checked through all the groups and NOT one of them is a member of administrators, domain admins etc. etc.
    I've checked the local security group on the computer and they are not set as an admin there. I've checked gpo's (and this week made new gpo's for Windows7) and there is nothing in them to make this security group become an administrator.

    What else could it be?

  2. #2
    Ben-BSH's Avatar
    Join Date
    Jun 2009
    Location
    UK
    Posts
    200
    Thank Post
    88
    Thanked 29 Times in 21 Posts
    Rep Power
    20
    What happens when you add another user to this group that causes admin rights?

    If they in turn get elevated rights, you might have missed a group membership in your search.

    Just a starting point.

    Ben

  3. #3

    Join Date
    Jun 2010
    Location
    England
    Posts
    735
    Thank Post
    89
    Thanked 52 Times in 46 Posts
    Rep Power
    34
    Quote Originally Posted by Ben-BSH View Post
    What happens when you add another user to this group that causes admin rights?

    If they in turn get elevated rights, you might have missed a group membership in your search.

    Just a starting point.

    Ben
    Thanks for the reply Ben.
    Tested what you suggested

    1) Made new account and did not add to the security group mentioned in first post.
    2) Logged on client as this new user to see if it had admin rights ( It Didn’t)
    3) Logged off and added the new user to the affected security group
    4) Logged on client as this new user to see if it had admin rights (It Didn’t)
    5) Restarted client
    6) Logged on client as this new user to see if had admin rights ( It did )

    Security groups shouldn’t require a restart to take effect? Or should they? Maybe it's something set on the computers in AD.
    I'll check through all the groups again incise I missed something and one is a member of administrators.

  4. #4
    Ben-BSH's Avatar
    Join Date
    Jun 2009
    Location
    UK
    Posts
    200
    Thank Post
    88
    Thanked 29 Times in 21 Posts
    Rep Power
    20
    Perhaps have another look at group policy? user group membership takes affect at log off / on so its not that i believe. but group policy's can often take a restart to kick in.

    Is there anything in the event logs? and do you still have the same effects on a different client machine?

  5. #5

    matt40k's Avatar
    Join Date
    Jun 2008
    Location
    Ipswich
    Posts
    4,135
    Thank Post
    352
    Thanked 577 Times in 474 Posts
    Rep Power
    142
    Checked the local admin group on the machines?

  6. #6

    Join Date
    Jun 2010
    Location
    England
    Posts
    735
    Thank Post
    89
    Thanked 52 Times in 46 Posts
    Rep Power
    34
    Had a look through all the groups and the only group is power users is a member of domain users ( Which I dont beleive is needed ) all the rest are fine.
    Group policy should be fine because I created all new from scratch this week. The user and computers are only getting the policys I made so it cant be that ( This problem occured on the old gpo's as well )
    I'll check the event logs. Not really sure what else do

  7. #7

    Join Date
    Jun 2010
    Location
    England
    Posts
    735
    Thank Post
    89
    Thanked 52 Times in 46 Posts
    Rep Power
    34
    Quote Originally Posted by matt40k View Post
    Checked the local admin group on the machines?
    What this makes no sence. Honestly I checked the local admin group before and none were a member. I just checked now and this group thats affected is !!
    Now to work out whats causing this -.-

  8. #8

    Join Date
    Jun 2010
    Location
    England
    Posts
    735
    Thank Post
    89
    Thanked 52 Times in 46 Posts
    Rep Power
    34
    Ok..I cant find anything. Hope i'm not being dumb but this is really driving me crazy.

    I know this = The security group is somehow becoming a member of the local admin group

    1) This group isnt a member of administrators on the server
    2) No group policy is causing this
    3) No logon script is causing this

    I'm really out of ideas of what else can make this group a member of admins

  9. #9

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,714
    Thank Post
    269
    Thanked 1,116 Times in 1,012 Posts
    Rep Power
    345
    its sounds like there is a gpo which is adding this security group to the local security group - i would run gpresult and see which policys are being applied and hunt it down from there.

  10. #10

    Join Date
    Jun 2010
    Location
    England
    Posts
    735
    Thank Post
    89
    Thanked 52 Times in 46 Posts
    Rep Power
    34
    Quote Originally Posted by glennda View Post
    its sounds like there is a gpo which is adding this security group to the local security group - i would run gpresult and see which policys are being applied and hunt it down from there.
    Nope. Already done. Plus I re-made all the group policy’s this week that are being applied to this computer/user and I’ve 100% not set it to make this group as a local admin. The only other policy that’s being applied is the default domain policy (Only one I didn’t remake and nothing is set there to do this either)

  11. #11

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,714
    Thank Post
    269
    Thanked 1,116 Times in 1,012 Posts
    Rep Power
    345
    maybe the machines local policy?

  12. #12

    Join Date
    Jun 2010
    Location
    England
    Posts
    735
    Thank Post
    89
    Thanked 52 Times in 46 Posts
    Rep Power
    34
    Quote Originally Posted by glennda View Post
    maybe the machines local policy?
    Nope cant see it set there. It happens on all computers so must be something from the network.

  13. #13

    garethedmondson's Avatar
    Join Date
    Oct 2008
    Location
    Gowerton, Swansea
    Posts
    2,200
    Thank Post
    936
    Thanked 315 Times in 184 Posts
    Blog Entries
    11
    Rep Power
    163
    Quote Originally Posted by ihaveaproblem View Post
    Nope cant see it set there. It happens on all computers so must be something from the network.
    We have this on our Windows 7 Enterprise machines. Users can go for days/weeks without any issues and then all of a sudden they log into a machine and are given full access to everything - it's as if they have become full machine/network admins.

    We got around it by rebuilding the machine. The issue went.

    Could it be something in the default user profile?

    Gareth

  14. #14

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,714
    Thank Post
    269
    Thanked 1,116 Times in 1,012 Posts
    Rep Power
    345
    Quote Originally Posted by ihaveaproblem View Post
    Nope cant see it set there. It happens on all computers so must be something from the network.
    not nessicarly as if they are all built from the same image it can be applied through something from there

  15. #15

    Join Date
    Jun 2010
    Location
    England
    Posts
    735
    Thank Post
    89
    Thanked 52 Times in 46 Posts
    Rep Power
    34
    Quote Originally Posted by glennda View Post
    not nessicarly as if they are all built from the same image it can be applied through something from there
    True.
    I made these images just before the summer started though and I most certainly didn’t add this group as a local admin. Someone else could of done It I suppose (Not sure why they would do that) Where would I look in the default profile to see if it’s coming from that?
    I guess the test to see if it's coming from the image is to check the administrator’s group members before the script runs that joins the computers to the domain. Could it possibly be the sysprep file I created adding the group? I'll give that a check.
    Would like to know what's causing this, because it's a bit of a concern having members become administrators and not even know why/what’s causing it. To prevent it until I find the cause I can at least set a policy or script to remove these from the admin group.

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 15
    Last Post: 19th September 2011, 09:20 AM
  2. FROG VLE Domain/user logs Tracking not working after upgrade
    By round2it in forum Virtual Learning Platforms
    Replies: 5
    Last Post: 6th October 2010, 09:11 AM
  3. Mandatory Profiles not loading some of the time
    By cookie_monster in forum Windows
    Replies: 26
    Last Post: 12th September 2010, 09:29 PM
  4. Vbscript reset a single domain user's password
    By ryan_powell in forum Scripts
    Replies: 9
    Last Post: 4th June 2009, 02:43 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •