Standard Domain User Has Local PC Admin Rights - Issues with Permissions

  • Question

  • Hi,

    I have a situation where a standard domain user who is not supposed to have admin rights has admin rights on a local PC. I have checked the account permissions and it does not have admin rights. I have also checked Tools > Computer Management > Groups > Administrators and confirmed that the user is not added to this group.

    This computer officially has 2 admin accounts, one is the domain admin and one local admin. I am cracking my head trying to figure out how this user got admin privileges even though locally and in the AD this user does not have the rights assigned to them.

    I have removed the user profile in this computer and have created a new profile but that did not seem to help.

    Please advise if I have missed something here.

    Thank you.

    Thursday, August 16, 2018 5:11 AM

Answers

  • mmm... If this account can install applications, I think that account is an Administrators member...

    ■ UAC
    Is UAC enabled or disabled?

    Other users will see the UAC dialog when installing an application, but does the problematic user see the UAC dialog?
    # Is it the same behaviour as for "Administrator"?

    ■ This account used to be an administrator
    When logging on, the information about the groups to which the user belongs is used.
    Please log off once and log on again.

    ■ Indirect member
    Does it belong indirectly to Administrators, Domain Admins, etc.?

    [ThisUser] -join-> [groupA] -> [groupB] -> [one local admin / Administrators / Domain Admins / etc...]

    If the number of groups is small, temporarily remove the user from all of them and add the groups back one at a time to check.
    1. Unjoin all domain groups.
    2. Log off the local computer.
    3. Log on to the local computer.
    4. Join one domain group.
    5. GOTO 2.

    • Marked as answer by zavedf Friday, August 17, 2018 6:17 AM
    Thursday, August 16, 2018 10:28 AM

All replies

  • ■ Admin rights or not
    How did you check whether you have administrator privileges?

    For example, check the "whoami /groups" command and check "MandatoryLevel".
    If the mandatory level is "High Mandatory Level", this account (or process) has admin rights.

    ■ User Rights Assignment
    Please check "User Rights Assignment" for entries that include that user or group.

    Are there policies that should be denied?

    Or has the policy of "refuse/deny ..." changed from the default value?

    Configure security policy settings
    https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings
    Thursday, August 16, 2018 6:23 AM
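The checks the replies above describe (integrity level from whoami /groups, the UAC setting, and nested membership of the local Administrators group) collected into one triage script. This is an added example, not code from the thread; it assumes the standard UAC policy key under HKLM and uses the WinNT ADSI provider (available on Windows 7) to walk domain groups nested in the local group. Run it as the user in question in a normal, non-elevated session.

```powershell
# Added example, not from the thread. One-stop triage for "standard user appears to have admin rights".
# Assumes the standard UAC policy location and that the WinNT ADSI provider can reach the domain.

# (1) Token: does it carry the Administrators SID, and what integrity level does whoami report?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$levelLine = (whoami /groups) | Select-String 'Mandatory Level' | Select-Object -First 1
$level     = if ($levelLine) { ($levelLine.Line -split '\s{2,}')[0] } else { 'unknown' }
"Token has Administrators SID : $isAdmin"
"Integrity level              : $level"   # 'High Mandatory Level' means an elevated admin token

# (2) UAC policy. EnableLUA=0 turns UAC off entirely; ConsentPromptBehaviorAdmin=0 elevates
#     Administrators members silently; ConsentPromptBehaviorUser=0 auto-denies standard users.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
foreach ($v in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
    "UAC $v = $($uac.$v)"
}
if ($uac.EnableLUA -eq 0) { 'WARNING: UAC is disabled; elevation prompts will never appear.' }

# (3) Who really sits in local Administrators, following nested (domain) groups.
function Get-NestedGroupMembers {
    param([string]$AdsPath, [int]$Depth = 0, [hashtable]$Seen = @{})
    $group = [ADSI]$AdsPath
    foreach ($m in $group.psbase.Invoke('Members')) {
        $t     = $m.GetType()
        $name  = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        if ($Seen.ContainsKey($path)) { continue }   # guard against group cycles
        $Seen[$path] = $true
        '{0}{1} ({2})' -f ('  ' * $Depth), $name, $class
        if ($class -eq 'Group') {
            Get-NestedGroupMembers -AdsPath $path -Depth ($Depth + 1) -Seen $Seen
        }
    }
}
'Members of local Administrators (nested):'
Get-NestedGroupMembers -AdsPath "WinNT://$env:COMPUTERNAME/Administrators,group"
```

If section (3) lists the user under a nested group while Computer Management shows only the direct members, that is the indirect membership the answer describes; if it does not and the token is still High, look at the UAC values in section (2).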
  • Hi Yaki,

    Thank you for your response. I will need to look into your suggestions and get back to you on that.

    Essentially, all non-admin users are not able to install applications, modify system settings, etc.; however, this user is able to do all that, hence I assumed that they have certain admin rights / rights that they are not supposed to have.

    Thank you,
    Regards,

    Thursday, August 16, 2018 8:21 AM
  • Hi Yaki,

    Thank you for your response.

    I have looked at whoami /groups and did not find anything that would give this user admin rights.

    For User Rights Assignments everything seems to be in order. I have gone through them and the security settings and did not find any settings that give this user access to settings they should not have.

    The UAC dialog was indeed set to not show at all. Once I modified this I was unable to launch certain applications like Skype, which keeps prompting me to log in as administrator to use it. This issue persisted even when I disabled UAC afterwards. I will play with these settings to see if I can fix this issue.

    Other than domain Administrators and local Administrators no other groups have admin rights. The domain administrators do not have any other groups under them just the single domain administrator account.

    The account in question never belonged to an administrator group. In fact, I had completely removed that user account from the computer and added it fresh, and the admin rights still remained.

    When I choose run as administrator it always uses this local user's account and then throws an error stating that I have to run as an administrator. This forces me to select the Run As another user option and login with Administrator credentials.

    Thank you for taking your time to help me with this.

    Friday, August 17, 2018 5:58 AM
  • Hi Yaki,

    It appears to have been the UAC settings. Once I have set it to the default option everything seems to be working as it should.

    Thank you so much for your help.

    Regards.

    Friday, August 17, 2018 6:16 AM
  • OK, but I am a little confused.
    I'd like to organize the situation, so let me check.
    Please correct me if my understanding is wrong.

    ● Client (LocalPC) OS
    Windows 7.

    If Windows 10 and UAC are disabled, UWP applications do not work.
    It is by design.

    ● StandardUser account in question is...
    Is this a domain user, not a local user?

    "I had completely removed that user account from the computer"
    means
    "Used 'Active Directory Users and Computers' to remove that user account from your computer"

    Is it right?

    ● Local group and user
    LocalGroup:
      Administrators
          L DomainName\Domain Admins
          L Administrator

    LocalUser:
      "Administrator" only.

    DomainUser:
      DomainName\StandardUser
      etc...

    StandardUser does not belong to a group other than "Domain Users".

    ● UAC
    ON (Default).
    You restarted after the UAC setting change.

    ● Logoff
    1. Removed that user account from the computer
    2. Added it fresh
    3. Logoff or restart "Local PC"
    4. Test

    "3" executed.

    ● Expect
    1. Logon with "DomainName\NormalUser".
    2. Try an operation that requires administrator privileges (start installer, etc.)
    3. This UAC prompt:
    [image: UAC credential prompt]

    ● Actual (Now)
    1. Logon with "DomainName\NormalUser".
    2. Try an operation that requires administrator privileges (start installer, etc.)
    3. This UAC prompt:
    [image: UAC consent prompt]

    How User Account Control works
    https://docs.microsoft.com/ja-jp/windows/security/identity-protection/user-account-control/how-user-account-control-works

    Friday, August 17, 2018 6:59 AM
  • ● Client (LocalPC) OS: Windows 7.

    >> Yes, using Win7 Pro

    ● StandardUser account in question is... Is this a domain user, not a local user?

    >> Yes, the user is a domain user

    "I had completely removed that user account from the computer" means "Used 'Active Directory Users and Computers' to remove that user account from your computer". Is it right?

    >> In the local PC I went to System Properties > User Profiles > Settings and deleted the profiles from there

    ● Local group and user

    LocalGroup: Administrators
        L DomainName\Domain Admins
        L Administrator

    >> Correct

    LocalUser: "Administrator" only.

    >> Correct

    DomainUser: DomainName\StandardUser etc...

    >> Correct

    StandardUser does not belong to a group other than "Domain Users".

    >> Standard users do belong to other groups; this is to control folder access based on user roles, but neither the users nor the groups belong to administrator groups, including Administrators and DomainName\Domain Admins

    ● UAC ON (Default). You restarted after the UAC setting change.

    >> Correct, it looks like this was set to off previously, therefore the user seemed to have certain admin rights but also had issues when trying to run applications as admin, which threw errors. Once I set UAC to ON and restarted the PC, the user's access rights seemed to work as they were supposed to

    ● Logoff 1. Removed that user account from the computer 2. Added it fresh 3. Logoff or restart "Local PC" 4. Test. "3" executed.

    >> Did not remove the user this time after the UAC settings were updated

    ● Expect 1. Logon with "DomainName\NormalUser".

    2. Try an operation that requires administrator privileges (start installer, etc.)

    3. This UAC prompt

    >> This is how the UAC appears after I made the modifications to the UAC settings

    Friday, August 17, 2018 7:30 AM
  • If so, it seems to work as a standard user without problems.

    If that prompt is displayed, the owner of "StandardUser", who does not know the password of the administrator user displayed in the list, cannot use administrator authority.

    ■ Why can software be installed with StandardUser?
    I looked after the last post.
    Some software does not require administrator privileges to install.

    Standard user account able to install programs without admin.
    https://answers.microsoft.com/en-us/windows/forum/all/standard-user-account-able-to-install-programs/16681a59-b271-4499-82f8-4bf131a4981e

    FYI.

    Friday, August 17, 2018 8:32 AM
  • Hi,

    Any update about your issue?

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 17, 2018 9:04 AM
  • Hi I tried responding earlier but the message did not get posted for some reason.

    This issue has been resolved. I have marked Yaki's response as an answer.

    Thank you.

    Thursday, August 23, 2018 9:18 AM