none
Permissions - Remote Server Administration Tool Windows 8.1

    Question

  • Hi All,

    I am not sure what kind of permissions required to work on RSAT.

    Today just for testing purpose installed RSAT tool on one of the windows 8.1 laptop and logged in with normal domain user and accessed the RSAT and tried adding users to Group , creating new user in AD and it allowed me to do the changes and create new user.

    I am shocked on seeing this behavior.

    can some one help me understanding on what kind of permissions required to work with RSAT.

    I was under impression that only Domain Administrator can make the changes in AD. 

    Regards

    -Atul 


    TheAtulA

    Wednesday, November 23, 2016 1:12 PM

All replies

  • Hi

    with normal domain user and accessed the RSAT and tried adding users to Group , creating new user in AD and it allowed me to do the changes and create new user. >>> Standard users does not have permissions to perform administrative proccesses on domain.So first check this user account member of administrative group.(enterprise,domain admins,etc..)and also check maybe account have related delegate permission to perform user administration.

    can some one help me understanding on what kind of permissions required to work with RSAT.>>> You can install RSAT on a client computer but for manage service or roles,you need to configure permissions,like if you add user dhcp admins user manage dhcp,etc..

    Also standart users have view rights on AD by default.(view AD objects.)but does not have change rights.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, November 23, 2016 4:34 PM
  • Thanks ,

    I'll check for delegation and permissions for users and get backed to you


    TheAtulA

    Thursday, November 24, 2016 5:45 AM
  • Hi  ,

    Sharing the screen shot for users security settings , I can see that it is part of domain admins , Entp Admins.

    similarly I check the same properties for other users and found that they are also part of \Domain Admin and Entp Admins.

    But while creating users I know I have not added them to any group by default

    please suggest

    Thursday, November 24, 2016 11:25 AM
  • Hi,
    So if I understand correctly, you have user accounts which are unknowingly added in the domain admins, Entp Admins groups.
    If that is the case, please create a new user for test and see if the new account is part of the two groups.
    And you could check if there are other administrators who added the users in the two groups.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, November 25, 2016 7:16 AM
    Moderator
  • Wendy,

    I just checked, created test user and still no change - I can see that this test is part of Domain and Enterprise Admin Group.

    can you please suggest what other things I should check and confirm.

    attaching the screenshot for your reference

    -Atul


    TheAtulA

    Friday, November 25, 2016 9:58 AM
  • by-default what all permissions are granted to Newly created user in Domain

    TheAtulA

    Monday, November 28, 2016 11:11 AM
  • Hi,
    By default, in a domain environment, the Administrator account and all new user accounts are automatically included as members of this group. This group is also a member of the Users local group for the domain and for every Windows computer in the domain.
    By default, Domain Admins group has the local Administrator account on the Domain Controller as its member.
    By default, the Domain Controller's Administrator account is a member of Enterprise Admins group.
    If a new user account is added into the two admin group, please check if any group policies are configured to add the user account by running gpresult /h with a problematic account.
    In addition, process monitor tool might be helpful to capture more details about what adding the user accounts.
    Process Monitor v3.31 https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, November 29, 2016 2:10 AM
    Moderator
  • Wendy,

    can you please share the default group names ? in above post guess it is not mentioned


    TheAtulA

    Tuesday, November 29, 2016 10:25 AM
  • Hi,
    Please check this:
    Active Directory Security Groups
    https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx#BKMK_DomainUsers
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, November 30, 2016 1:36 AM
    Moderator
  • Hi,

    I am checking how the issue going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, December 6, 2016 9:31 AM
    Moderator
  • Sure will do the needful here,

    but yet my issue has not resolved .. I am still working on how to fix this


    TheAtulA

    Thursday, December 8, 2016 5:21 AM
  • Hi,
    You could check if any GPO is configured to add all user accounts into the two groups. If not, we could also use process monitor tool to try capturing something about what adding the user accounts as I replied, have you tried that?.
    Process Monitor v3.31 https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, December 9, 2016 1:43 AM
    Moderator