lost Administrator privileges

  • Question

  • I have Windows 7 SP1 64-bit. At install I created a local account "admin" (5 letters) with Administrator privileges. OK. I can install software etc.

    But from time to time, after the PC has been shut down, I experience that this user "admin" has lost its administrators privileges! I can still login with that account and its password. So the account has not disappeared.

    To solve the issue, I activated the Windows built-in Administrator account. I can login with username Administrator and with its password and from here I see that the account admin is no longer member of the Administrators group. I put it back into that group, and I can use admin again with full privileges. But a few days later, it has lost its privileges again. That's annoying ...

    Can't think what causes that!

    (I often also log with a Windows domain-account).

    What's the cause and how to fix.

    Wednesday, July 6, 2011 12:58 PM

All replies

  • This is probably caused by a group policy applied in your domain.

    Namely, there is a policy:

    Computer Configuration / Windows Settings / Security Settings / Restricted Groups

    Domain administrators can configure this policy so that only authorized users are members of certain groups (including local Administrators group).

    So, when your computer refreshes its policy, it removes unauthorized members from the restricted group.

    You may run gpresult /v from the CMD window to get the details of applied policies.

    You may ask your domain admins how to solve your problem.
    Wednesday, July 6, 2011 2:00 PM
  • When logging in with a domain account, there are indeed a lot of policies being applied for this PC (belonging to a classroom, and for which one of the policies is to block accounts with Administrator rights), but when I log on with the admin account, I specify MYCOMPUTERNAME\admin as username to clearly do a local login.

    So the policies should not be applied. And if I then do gpresult /v there is almost nothing applied: all N/A (Not applicable).

    Or is there still something 'remembered' from the Domain account login ???



    Wednesday, July 6, 2011 3:28 PM
  • Policies get applied in the following order

    1. Local policies are applied (those defined on the local computer)
    2. Active Directory (AD) Site policies are applied (those linked to an AD site), overwriting local policies. If there are policies conflicting with local policies, then AD site policies win.
    3. Active Directory domain policies are applied, overwriting any previous policies (if a conflicting situation occurs).
    4. Any other policies linked to Organizational Units within a domain are applied, overwriting any previous policies.

    There are other situations.

    For example, domain admins may enforce, let's say, domain policy. This means that conflicting settings coming after domain policy will not overwrite domain policy settings, hence domain policy is enforced.

    Policies are also applied:

    • at computer level. This means that any user logging in on that computer will get these settings
    • at user level. This means that this user will get the settings from that policy, no matter on which computer (s)he logs in.

    In your case the policy applies to the computer, no matter which user logs in afterwards.
    Computer Configuration / Windows Settings / Security Settings / Restricted Groups

    I would recommend you contact your domain admins and raise a change request that will put you in a group of users who have local admin rights.

    BTW, is the computer yours, or your company's?


    Thursday, July 7, 2011 6:18 AM
  • Hi,

    I believe that the domain applies a policy at the computer level, which would explain why my local account 'admin' gets thrown out of the Administrators group by enforcement of domain policies.

    Just out of curiosity: domain policies never override the Administrators' rights of the built-in Windows 7 'Administrator' account?

    That's what I experience ... (I enabled it, default disabled)


    Wednesday, July 13, 2011 7:18 AM
  • I know it's been a few years, but was this ever solved? I've been having this same issue with my domain's Windows 7 clients. 

    During first time setup, we create a local administrator account (called 'admin') that can be used for installing/connecting to domain/etc. After all group policy is applied from the domain, that local account gets kicked out of the Administrators group.

    This is a problem, because when we encounter a machine that hasn't been used for a while and has lost its relationship with the domain, we have no way to reconnect it to our domain short of either a format/restore or another workaround to enable the local "Administrator" account in Windows 7 to reconnect it.

    Our domain has a working administrator account - we'll call it "admindomain". I even tried making a local account on a Windows 7 machine with the same name, thinking GP would see that and keep that in the Administrators group, but after a gpupdate /force it took that one out of the Administrators group as well. 

    The local "Administrator" account was never touched, but that account isn't enabled by default, nor do we go out of our way to enable it with a setup either.

    Les52 mentioned there's a policy in Computer Configuration/Windows Settings/Security Settings/Restricted Groups but is there a way to search within GPM to see if a GPO touches that on every machine?

    Wednesday, November 6, 2013 4:51 PM
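
The last question asks how to find which GPO sets Restricted Groups. As an added example (not part of the thread and not Microsoft's code), the PowerShell below parses the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`), where these settings are stored, and reports any `Members` list defined for BUILTIN\Administrators (S-1-5-32-544); such a list replaces the group's membership at each policy refresh. The function name, the sample template and the domain SID are constructed for illustration, and `<domain>` in the closing comment is a placeholder.

```powershell
# Added example: list Restricted Groups entries found in a GptTmpl.inf.
function Get-RestrictedGroupEntry {
    param(
        [Parameter(Mandatory)] [string[]] $Line,     # lines of a GptTmpl.inf
        [string] $Source = '(inline sample)'         # label shown in the output
    )
    $inSection = $false
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^\[(.+)\]$') {             # section header
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or $text -eq '' -or $text.StartsWith(';')) { continue }
        # Entries look like: <group>__Members = <m1>,<m2>  or  <group>__Memberof = <g1>
        if ($text -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            [pscustomobject]@{
                Source = $Source
                Group  = $Matches['group'].TrimStart('*')   # '*' marks a SID
                Kind   = $Matches['kind']
                Values = @($Matches['value'] -split ',' |
                           ForEach-Object { $_.Trim().TrimStart('*') } |
                           Where-Object { $_ })
            }
        }
    }
}

# Constructed sample template (the SID ending in -512 is a made-up Domain Admins SID).
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
'@ -split "`r?`n"

# Report templates that pin the membership of the local Administrators group.
Get-RestrictedGroupEntry -Line $sample |
    Where-Object { $_.Kind -eq 'Members' -and $_.Group -in 'S-1-5-32-544', 'Administrators' } |
    ForEach-Object { '{0}: Administrators limited to {1}' -f $_.Source, ($_.Values -join ', ') }

# Against a real domain, feed it every template under SYSVOL:
# Get-ChildItem '\\<domain>\SYSVOL\<domain>\Policies' -Recurse -Filter GptTmpl.inf |
#   ForEach-Object { Get-RestrictedGroupEntry -Line (Get-Content $_.FullName) -Source $_.FullName }
```

The GUID folder in each reported path identifies the GPO, which can then be looked up by ID in the Group Policy Management console.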