Windows 7 issue with user privilege escalation on domain
Recently brought a new Windows 7 computer onto our domain (Small Business Server 2003). The network is a main office (subnet 1) and a remote office (subnet 2) connected over a hardware VPN with NAT. I added the computer in the main office and did the installs there with no issues, as I am the Domain Admin. Sent the computer to him. User has some local software to install and I was planning on giving him a temporary admin account (not domain admin) to do the installs. Most of our users are technically savvy programmers quite capable of supporting their own apps.

When he got the computer he could do very little without privilege escalation prompts. I tried adding admin to his account; it still was not accepted. I tried adding a new user with admin and he could not even log in with it. Finally gave him an existing domain admin password and it worked. I changed the password when the install was done.

A few days later the user had to install more software and he tried to supply the new password for privilege escalation and it failed. Finally he tried the old password and it worked to clear the prompts and install software. I logged into the domain using that account with the new password to confirm that it had changed. I cannot see any issues with this computer joining the domain, but it does not seem to be updating its domain user list. I certainly do not want him to be able to install software using old passwords.

Does the privilege escalation require Domain admin rights to pass? I wonder if the VPN might be just slow enough that Windows 7 thinks it is offline? Is there a timeout setting I can adjust? Do you have links to Microsoft documentation that can explain this better?

Is this possible? A single admin account set up for allowing installs (user rights admin, not domain admin); after the user installs software, change the password and they have to phone to get the new password.

I suppose this is not much different than the MS model where I remote control the remote computer and supply the passwords for installs, except I have to be available for the whole time installs are happening to enter the prompts.
January 18th, 2010 1:03am

Hello, I'm having somewhat of a similar issue with a Win 7 Pro 64b computer. I completed the Windows installation and most of the software using a local admin account, joined the domain as I usually do, added a domain user account (of the future user) and defined it as a member of the local administrators group (as I usually do with my XP Pro machines, and 2 other Win 7 Pros), but this time it doesn't behave the same. The domain user account (standard domain user member) added to the local administrators group is not able to install anything without being prompted for domain administrator account credentials. I'm not sure if it has something to do with AppLocker; I'm not so savvy about Win7 (apparently). Domain is managed by a Windows Server 2003. I have to state there are another 2 Win 7 computers, 32b and 64b, that don't present this problem. This particular machine is a Lenovo, but I don't see any Lenovo application that would cause these issues. Thanks in advance for any replies.
February 9th, 2011 6:40am

Hi again, I've sorted out my problem. Seems I forgot to add the domain suffix when I added the domain user account into the local administrators group, so it automatically created a local account instead of a domain user account. Adding the domain user account again with the correct domain name syntax [domain name].[suffix] (e.g. domain.com) and then modifying the group membership option to local administrators group allows full access to the domain user without UAC prompting for domain administrator credentials. Hope this helps. PS: my computers are in the same LAN with the controller, joined by a layer 2 channel, no VPN or subnets. Cheers.
February 9th, 2011 8:13am
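
The mix-up described in the reply above (a local account ending up in the local Administrators group in place of the intended domain account) can be checked from an elevated PowerShell prompt on the workstation. This is an added example, not part of the original thread; the function names and the account `EXAMPLE\jdoe` are hypothetical placeholders, and it assumes the group is named `Administrators` (English-language Windows).

```powershell
# Classify one WinNT ADsPath as a local account or a domain principal.
function Get-AdminMemberScope {
    param(
        [Parameter(Mandatory = $true)] [string] $AdsPath,
        [string] $Computer = $env:COMPUTERNAME
    )
    # Local account:  WinNT://<domain-or-workgroup>/<computer>/<name>
    # Domain account: WinNT://<NetBIOS domain>/<name>
    $parts = @(($AdsPath -replace '^WinNT://', '') -split '/')
    $name  = $parts[-1]
    if ($parts.Count -eq 3 -and $parts[1] -eq $Computer) {
        $scope = 'Local';      $account = "$Computer\$name"
    } elseif ($parts.Count -eq 2) {
        $scope = 'Domain';     $account = "$($parts[0])\$name"
    } else {
        $scope = 'Unresolved'; $account = $name   # e.g. an orphaned SID
    }
    New-Object PSObject -Property @{ Scope = $scope; Account = $account }
}

# Enumerate the local Administrators group through the ADSI WinNT provider
# (works on the PowerShell 2.0 that ships with Windows 7).
function Get-LocalAdminMembers {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        Get-AdminMemberScope -AdsPath $path
    }
}

$expected = 'EXAMPLE\jdoe'   # constructed placeholder: <NetBIOS domain>\<user>
$user     = ($expected -split '\\')[-1]
$members  = @(Get-LocalAdminMembers)
$members | Format-Table Scope, Account -AutoSize

# The intended domain account should appear with Scope = Domain.
if (-not ($members | Where-Object { $_.Scope -eq 'Domain' -and $_.Account -eq $expected })) {
    Write-Warning "$expected is not a member of the local Administrators group."
}
# A same-named entry with Scope = Local is the look-alike local account.
$members | Where-Object { $_.Scope -eq 'Local' -and $_.Account -like "*\$user" } |
    ForEach-Object { Write-Warning "Local look-alike in Administrators: $($_.Account)" }
```

The WinNT provider reports the NetBIOS domain name, so the expected account is written as `DOMAIN\user` rather than with the DNS suffix.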
