Explanation for privilege difference between two user accounts

  • Question

  • I'm configuring a small domain in Windows Server 2012 R2 (fully patched).

    We have three workstations, one of them brand new, and four accounts, one of which is the administrator and three users, USER1, USER2 and USER3. All three users were configured by my predecessor with administrative privileges. I'd like to demote them to normal/limited/standard users.

    When I joined the new workstation to the domain, the user normally assigned to that workstation, USER1, saw their account "demoted" to a normal user, requiring administrative credentials to perform program installation, for example.

    I compared the profiles of an administrative-level user, USER2, with that of the "demoted" user, USER1. I looked at all 13 tabs in the Properties of the profiles and found nothing that would explain the difference in the privileges. The most important tab, "Member of", has an additional security group, "Administrators", for the demoted user, USER1. The administrative-level user, USER2, does not include membership in this security group.

    I don't understand why USER1 is a normal user and USER2 has admin privileges. This must be something simple – where else do I need to look?

    TIA and regards, AndyA
    Monday, June 24, 2019 6:58 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Are the three users (user1, user2 and user3) domain users or local users?

    If they are local users, we can check if they are the members of the Administrators group or other groups manually. If so, we can remove them from the specific Administrators group or other groups.

    If they are domain users, we can check if they are the members of the Administrators group or other groups with a command:

    net user /domain UserName


    Get-ADUser -Identity DomainUser -Properties memberof | select memberof

    If so, we can remove them from the specific Administrators group or other groups.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 25, 2019 6:35 AM
    Moderator
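
The membership check described in the reply above, as an added PowerShell example that is not part of the original posts. It compares two domain users' effective (nested) group memberships and the local Administrators group of two workstations. USER1/USER2 and PC1/PC2 are the thread's placeholder names; the function names are hypothetical, and the script assumes the RSAT ActiveDirectory module, administrative access to both PCs, and an English-language local group name.

```powershell
# Added example. USER1/USER2 and PC1/PC2 are the thread's placeholder names.
Import-Module ActiveDirectory   # assumption: RSAT AD module is installed

function Get-EffectiveGroup {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties PrimaryGroup
    # Escape characters that are special inside an LDAP filter value.
    $dn = $user.DistinguishedName -replace '\\','\5c' -replace '\(','\28' `
        -replace '\)','\29' -replace '\*','\2a'
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) also returns groups
    # reached through nesting, which the memberOf attribute does not list.
    $nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
    # The primary group (normally Domain Users) is not in memberOf either.
    $primary = Get-ADGroup -Identity $user.PrimaryGroup
    @($nested) + $primary | Sort-Object Name -Unique |
        Select-Object -ExpandProperty Name
}

function Get-LocalAdministrator {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The WinNT ADSI provider works on clients without Get-LocalGroupMember.
    # Assumption: the local group is named "Administrators" (English Windows).
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.Invoke('Members')) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty',
            $null, $member, $null)
        # WinNT://DOMAIN/name -> DOMAIN\name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Domain side: groups held by only one of the two users.
Compare-Object (Get-EffectiveGroup USER1) (Get-EffectiveGroup USER2) |
    Format-Table InputObject, SideIndicator -AutoSize

# Workstation side: entries present in only one PC's local Administrators group.
Compare-Object @(Get-LocalAdministrator PC1) @(Get-LocalAdministrator PC2) |
    Format-Table InputObject, SideIndicator -AutoSize
```

In the output, `<=` marks an entry found only for the first argument (USER1 or PC1) and `=>` one found only for the second.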


  • FOA, thanks for your reply.

    The three users, USER1/2/3 are all domain users.

    As I stated, USER1 is a member of the same security groups as USER2, but USER1 has "normal user" rights and USER2 has administrative rights. USER1, the normal user, is also a member of the (domain) Administrators group, but USER2 is not a member of that group. (I have screenshots of every tab of the properties of the user profiles.) Please keep in mind that USER1 has fewer privileges than USER2!

    Again, there must be a simple reason why USER1 is a "normal user", but I can't find it. I'd like to apply the configuration of USER1 to USER2 and USER3 so that all three accounts are "normal users".

    FWIW, USER1 was demoted from an administrator to a normal user when I replaced the PC normally used by USER1 with a new desktop. This may be related to the answer, but I don't know how.

    regards, AndyA (who's stumped!)

    • Edited by AAronoff Tuesday, June 25, 2019 2:09 PM
    Tuesday, June 25, 2019 2:03 PM
  • Hi,
    According to your description, maybe it is related to computer policy.

    We can try to compare the computer policy between the new desktop and the PC that USER1 logged on.

    For computer configuration:
    1. Log on to the two machines as Administrator.
    2. Open CMD, run as administrator.
    3. Type gpresult /h C:\report.html and press Enter.
    4. Open the report file to check the policies under Computer Configuration.




    Best Regards,
    Daisy Zhou


    Wednesday, June 26, 2019 7:55 AM
    Moderator
  • Hello,

    Thanks for the suggestion. I'll post again when I have the results.

    regards, AndyA

    Wednesday, June 26, 2019 9:31 AM
  • Hi,
    You are welcome! If anything is unclear, please feel free to let us know.

    Have a nice day!



    Best Regards,
    Daisy Zhou


    Thursday, June 27, 2019 10:07 AM
    Moderator
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou


    Monday, July 1, 2019 9:20 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou


    Wednesday, July 3, 2019 8:38 AM
    Moderator
  • Sorry for my delay in replying, but I was waiting for an opportunity to obtain data from the customer.

    On the PC that was recently replaced (which I'll call PC1) and is normally used by USER1, I logged into the domain admin account and ran gpresult /h C:\path\filename1.html at an elevated command prompt. On PC1, USER1 runs as a normal/standard/limited user.

    On the PC that is next to PC1 which is normally used by USER2 (which I'll call PC2), I did the same thing. I logged into the domain admin account and ran gpresult /h C:\path\filename2.html at an elevated command prompt. On PC2, USER1 has administrative privileges.

    I compared filename1.html and filename2.html. There are no differences between the two files with respect to machine or user GP settings.

    Again, I'm trying to determine why USER1 has different privileges on the two PCs. Once I've determined why USER1 is a limited user on PC1, I'd like to do the same thing to every other user in the domain.

    regards, AndyA

    Wednesday, July 17, 2019 7:37 AM