I have a strange issue in an Active Directory environment. Let me try to explain step by step:
- I have two DCs: one is Primary, the second one is Additional. Also, replication works well between them.
- Imagine you have two users named Xuser and Yuser. I log on to the client with both of them. Yuser is a standard user and Xuser belongs to the Domain Admins security group.
- I log on with Xuser on the client. When I try to reach Device Manager, the UAC prompt appears and I enter my password. I successfully enter Device Manager and can change everything.
- After that I remove Xuser from the Domain Admins group, then log off and log on to the client with Xuser again. When I try to reach Device Manager, the UAC prompt appears, and when I enter my password Windows says "Device Manager opened but as a standard user you can't change anything bla bla..."
So far everything is normal. The strange thing is the second part.
- I log off from Xuser, then log on with Yuser on the same client. (Just remember: when Xuser last logged out, it did not have admin rights.)
- I try to reach Device Manager and the UAC prompt appears again. I choose "Another Account" and enter Xuser's credentials, and the "Device Manager opened but as a standard user you can't change anything bla bla..." warning comes again, as normal.
- Meanwhile I added Xuser to the Domain Admins security group again. Then I checked the PDC and ADC replication status, and I am sure the PDC and ADC have replicated the last changes.
- I log out from Yuser and log in with Yuser again. I try to reach Device Manager. When the UAC prompt appears, I enter the Xuser credentials (remember, we added Xuser to the Domain Admins security group again) and the same warning comes: "Device Manager opens but as a standard user."
So why doesn't Windows recognise that Xuser is a Domain Admin?
- I log off from Yuser and log on to Xuser again. I try to open Device Manager again. It opens normally as an admin.
- When I log out from Xuser and try the same thing with Yuser and enter Xuser's credentials, Device Manager opens as an admin now.
My personal opinion is that unless you grant domain rights to a user, other logged-in users cannot perform transactions using the information of the user you have granted rights to.
Is this normal? So how do I manage the client PCs?
Thanks and best regards.