Local administrator has domain access
I have added a domain user account to the local administrators account on a client PC running XP SP3. I discovered by accident that this user has access to shares on a domain server running Win Server 2000. The shares have security rights for the domain admins security group, and the user is not a member of the domain admins group, yet it appears that the granted access is somehow tied in with the domain admin group or the domain administrator account. If I remove the domain admin group from the security privileges for the share, the user loses access. I am at a loss in how assigning local admin privileges gives this user domain level access.
July 29th, 2009 11:45pm

You are making a mistake. You should never add a normal user to the local administrators group. Maybe the local admins are members of the domain admins group? First take a look which permissions the local administrator group has on that computer, and go further from there. Certifications: MCSA 2003 MCSE 2003
July 30th, 2009 8:38pm

Hi, Please help to collect the following information for research: 1. Could you reproduce this issue on another client? 2. Collect the CACLS report of the share: On Domain Server, run "CACLS [Path of the file]\FileName" >>c:\cacls.txt. Use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address. 3. Please collect two reports, before and after removing Domain Admin Group. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
July 31st, 2009 11:26am
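Added example, not part of the thread: one way to compare the two CACLS reports requested above and see exactly which access entries changed when the Domain Admins group was removed. The sample reports, the `EXAMPLE` domain and the `C:\Data` path are constructed, and the code assumes each report was saved as separate text and contains only simple entries of the form `ACCOUNT:(flags)RIGHT`.

```python
import re

# One simple ACE as CACLS prints it, e.g. BUILTIN\Administrators:(OI)(CI)F
# flags: inheritance markers such as (OI)(CI)(IO); right: N, R, W, C or F
ACE_RE = re.compile(r"^(?P<account>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")

def parse_cacls(report, path):
    """Return the set of (account, flags, right) entries found in one report."""
    aces = set()
    for line in report.splitlines():
        line = line.strip()
        # The first output line begins with the path itself; drop it to leave the ACE.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:  # anything that is not a simple ACE (blank, special-access detail) is skipped
            aces.add((m["account"], m["flags"], m["right"]))
    return aces

def diff_reports(before, after, path):
    """Entries present only in the 'before' report and only in the 'after' report."""
    b, a = parse_cacls(before, path), parse_cacls(after, path)
    return {"removed": b - a, "added": a - b}

# Constructed sample data (not taken from the thread).
PATH = r"C:\Data"
BEFORE = r"""
C:\Data BUILTIN\Administrators:(OI)(CI)F
        EXAMPLE\Domain Admins:(OI)(CI)F
        NT AUTHORITY\SYSTEM:(OI)(CI)F
"""
AFTER = r"""
C:\Data BUILTIN\Administrators:(OI)(CI)F
        NT AUTHORITY\SYSTEM:(OI)(CI)F
"""

if __name__ == "__main__":
    changes = diff_reports(BEFORE, AFTER, PATH)
    for kind in ("removed", "added"):
        for account, flags, right in sorted(changes[kind]):
            print(f"{kind}: {account} {flags}{right}")
```

Entries that remain in both reports are the ones still able to grant access after the change, so they are the next place to look if the unexpected access persists.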

I discovered this behavior as well by accident yesterday. I was logging onto a machine I suspected had malware. I logged onto it using the local administrator account. I went to a file share that has NTFS file permissions with only "domain/Administrators" and "domain admins" allowed access. I expected to be prompted for credentials, but was not and was allowed full access to the shared folder. I tried this on a couple of other machines with the same result. As a control, I also checked with a normal domain account and it was denied access as it should have been. This is very concerning. Like broadmeadow, I have from time to time had to allow a normal domain user to have admin rights on a local machine. I do it usually to allow them to load poorly written software that is legitimate and unfortunately necessary, like the Blackberry desktop stuff that has to be loaded by the user of the Blackberry.
August 7th, 2009 3:18pm

Hi, Try to check if there are any cached credentials stored on the Windows XP. Run "control userpasswords2", switch to Advanced tab, clear all cached credentials and test. If the issue still occurs, check if the password of local administrator is the same on clients and server. Try to change the local admin password to any one and test. Is there any progress? Also try to check if you have run "net use" command or map the share. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
August 10th, 2009 4:46am

This topic is archived. No further replies will be accepted.
