Users are able to install or access other user profiles, when a Domain admin uses their account to install software

  • Question

  • We have seen an issue where a domain admin goes to a user's PC and enters their login information to install a software update when the user has been for it.

    After they do this, the user can install any software they wish and access local user profile information (on C:\users\).  In one case a user could save to what they thought was their document folder, but it was the Domain admin document folder on the PC.  If the user logs off and back on, their normal rights return.

    This has only recently occurred in the past 3 months, and is affecting all Windows 10 PCs (all have the latest .  Has anyone seen this before?





    • Edited by Mark J Appleby Monday, January 20, 2020 8:28 AM Spelling corrections
    Friday, January 17, 2020 11:22 AM

All replies

  • Are you using the latest build for Windows 10?

    Try restarting your PC.

    Does it happen for all PCs?

    Try reporting this issue through the Feedback Hub app.

    Friday, January 17, 2020 4:07 PM
  • It happens on all PCs in the network, which are running the latest version of Windows 10.  Logging off or restarting the PCs removes the access.

    Cannot see anything in GPO that might be affecting this.

    Monday, January 20, 2020 8:21 AM
  • Hello,

    Thank you for posting in our TechNet forum.

    Before going further, I would appreciate your help in clarifying the following situations:

    1 After logging on as domain admin on the PC and installing software, did we log off and then use the local user account to log on to the PC?

    2 Which account we are using to access local user profile information (on C:\users\)?

     Are we using the local user to save to what they thought was their document folder, but it was the Domain admin document folder on the PC?

    Hope this information can be helpful, if there is anything else we can do for you, please feel free to post in the forum.

    Best Regards, 

    Xiuxiu

      

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Monday, January 20, 2020 8:22 AM
  • 1 After logging on as domain admin on the PC and installing software, did we log off and then use the local user account to log on to the PC?

    This issue occurs when a user with standard rights is logged on, and they are prompted for the domain admin credentials.  Without logging the user off, the admin enters their details.   Once the installation has completed, the admin level stays with the user until they log off or restart the PC.

    2 Which account we are using to access local user profile information (on C:\users\)?

    They can see all user accounts, and can access the profiles in c:\users

     Are we using the local user to save to what they thought was their document folder, but it was the Domain admin document folder on the PC?

    The location they are saving to is c:\users\DOMAINADMINACCOUNT\documents

    Monday, January 20, 2020 8:33 AM
  • Hi,

    Thank you for posting in our TechNet forum.

    Based on your description, I have tested it in my environment.

    When I log on to my domain member server as the local user and do not provide the domain admin credential, I can also open C:\Users\Administrator.ROOT\Documents to create or save a new file in it.


    This folder in the member server will be created automatically just when we log on the server using domain admin account. It won't sync to the domain admin account. And we can modify this folder using the local administrator.

    Hope this information can be helpful. If there is something else we can do for you, please feel free to post in the forum.

    Best Regards,

    Xiuxiu




    Wednesday, January 22, 2020 8:21 AM
  • I might be misinterpreting your test, but the issue we are asking about is on PCs and not servers, and when the user clicks save as in a document, the documents folder presented to them is the domain admin user's documents folder, and not the user's (as it should be).

     

    On PCs, the users should not have the rights to access other users' folders (folder rights do not include domain users).

     

    To be clear, our users do not have local admin rights.



    Wednesday, January 22, 2020 9:12 AM
  • Hi Mark.

    Don't use domain admins to install software on clients. Never ever. That's the worst thing you can do, even made worse because your users are local admins already.

    Nevertheless, your issue is not normal. Try to reproduce it on a cleanly installed win10 without any other software.

    Friday, January 24, 2020 1:31 PM
  • Hi Mark.

    Don't use domain admins to install software on clients. Never ever. That's the worst thing you can do, even made worse because your users are local admins already.

    Nevertheless, your issue is not normal. Try to reproduce it on a cleanly installed win10 without any other software.

    The users are not local admins.  They do not even have a local user account.

    The same issue occurs with a clean Windows 10 installation.  I first suspected this was GPO issue, but as previously mentioned, I cannot find anything that would cause this issue.
    Friday, January 24, 2020 1:49 PM
  • Ok, then I misunderstood what you wrote before: "to be clear of our users have local admin rights."

    --

    "The same issue occurs with a clean Windows 10 installation" - here, it does not, so tell me how you install windows. What ISO, has that ISO been tampered with? What GPOs are enforced when joining the domain that might have such an effect (obviously, the built-in GPOs don't do that).

    All I can imagine is that you are not aware of something, something like a script that uses runas.exe with /savecred.


    Friday, January 24, 2020 1:52 PM
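
One way to check the runas.exe /savecred hypothesis raised above, and to see what is still running under the admin account in the user's session. This is an added example, not part of any post in the thread; the account-prefix filter is an assumption about a default Windows 10 install, and the `Target:` match assumes English-language `cmdkey` output.

```powershell
# Added diagnostic sketch (not from the thread).

# 1. Stored credentials. runas.exe /savecred leaves an entry in the Credential
#    Manager vault of the account that ran it. Each account has its own vault,
#    so run this part non-elevated, as the affected standard user.
$stored = cmdkey /list | Select-String -Pattern 'Target:'
if ($stored) {
    'Stored credentials found:'
    $stored | ForEach-Object { '  ' + $_.Line.Trim() }
} else {
    'No stored credentials for this account.'
}

# 2. Process owners per interactive session. Run this part from an elevated
#    PowerShell prompt while the standard user is still logged on, right after
#    the admin-credential install (-IncludeUserName requires elevation).
#    The prompt itself (powershell.exe, conhost.exe) will appear in the list.
#    Assumed filter: service accounts that normally own per-session processes.
$systemOwners = '^(NT AUTHORITY|Window Manager|Font Driver Host)\\'

Get-Process -IncludeUserName |
    Where-Object {
        $_.SessionId -gt 0 -and
        $_.UserName -and
        $_.UserName -notmatch $systemOwners
    } |
    Sort-Object SessionId, UserName, ProcessName |
    Format-Table SessionId, UserName, ProcessName, Id, StartTime -AutoSize
```

Any process listed under the domain admin account in the standard user's session, other than the prompt used for the check, is still running with the admin's token and profile.
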
  • Ok, then I misunderstood what you wrote before: "to be clear of our users have local admin rights."

    --

    "The same issue occurs with a clean Windows 10 installation" - here, it does not, so tell me how you install windows. What ISO, has that ISO been tampered with? What GPOs are enforced when joining the domain that might have such an effect (obviously, the built-in GPOs don't do that).

    All I can imagine is that you are not aware of something, something like a script that uses runas.exe with /savecred.


    We use the Windows download ISO tool for all new builds.  Apart from the standard domain GPO, we do not have any that affect security, registry or anything else that could possibly do this that we can find.   We have around 30 GPOs, which is too much to publish.

    Each dept has its own GPO setup, so not all PCs will have the same applied.   The common GPOs are the default domain GPO (untouched), installation of Firefox, Adobe Reader and installation and setup of printers.

    Only thing we have not tried, is if the issue occurs with a PC that has not been joined to the domain (stand alone).

    Friday, January 24, 2020 2:46 PM
  • Create a test OU, right click it and select "block inheritance".

    Install a test VM, join it to your domain, shut it down after joining and move it to that OU, restart it and retry.

    Friday, January 24, 2020 2:50 PM
  • Hi,

    Thank you for posting in our TechNet forum.

    Just want to confirm the current situation.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Xiuxiu


    Monday, February 10, 2020 1:24 AM