
I have a strange issue in an Active Directory environment. Let me try to explain step by step:

  • I have two DCs, one primary and one additional. Replication works well between them.
  • Imagine you have two users named Xuser and Yuser. I log on to the client with both of them. Yuser is a standard user and Xuser belongs to the Domain Admins security group.
  • I log on with Xuser on the client. When I try to reach Device Manager, the UAC prompt appears and I enter my password. I successfully enter Device Manager and can change everything.
  • After that I remove Xuser from the Domain Admins group, then log off and log on to the client again with Xuser. When I try to reach Device Manager, the UAC prompt appears, and when I enter my password Windows says "Device Manager opened but as a standard user you can't change anything bla bla...".

So far everything is normal. The strange thing is the second part.

  • I log off from Xuser, then log on with Yuser on the same client. (Just remember: when Xuser last logged out, it did not have admin rights.)
  • I try to reach Device Manager and the UAC prompt appears again. I choose "Another Account", enter the Xuser credentials, and the "Device Manager opened but as a standard user you can't change anything bla bla..." warning comes again, as normal.
  • Meanwhile I add Xuser to the Domain Admins security group again. Then I check the PDC and ADC replication status and I am sure the PDC and ADC have replicated the last changes.
  • I log out from Yuser and log in with Yuser again. I try to reach Device Manager. When the UAC prompt appears, I enter the Xuser credentials (remember we added Xuser to the Domain Admins security group again) and the same warning comes: "Device Manager opens but as a standard user."

So why doesn't Windows recognise that Xuser is a Domain Admin?

  • I log off from Yuser and log on as Xuser again. I try to open Device Manager again. It opens normally as admin.
  • When I log out from Xuser and try the same thing with Yuser, entering the Xuser credentials, Device Manager now opens as admin.

My personal opinion is that unless you grant domain rights to a user, other logged-in users cannot perform transactions using the information of the user you have granted rights to.

Is this a normal thing? So how do I manage the client PCs?

Thanks and best regards.

  • You don't use a domain admin to manage the computers; you use Restricted Groups and add your account or a group to delegate admin rights to all computers. (Search "restricted group GPO".)
    – yagmoth555
    Commented May 18 at 0:55
  • @yagmoth555 thanks for reminding me about the Restricted Groups GPO. I will work on this. This is the best way, I think. Could you please post this as an answer and I will accept it.
    – Lacrymae
    Commented May 18 at 18:37

1 Answer

Caching. The client did not discard the XUser privileges (from the earlier invocation of XUser credentials at the UAC prompt) when you logged out YUser. So your adding XUser back to the domain admins group was not seen, because the workstation had XUser's credentials as not a domain admin still cached. When you logged YUser out and logged in as XUser, it fetched down the updated profile, and suddenly the workstation knew XUser was domain admin. So this is working as intended. I suspect that it does at least check if XUser is still Domain Admin if the currently cached credentials say it is, but I can't be sure.

How to manage the client PCs? The way it's intended is that you have an account that is always Domain Admin that you use for management, and reply with that account's credentials when the UAC prompt appears. If a domain admin has been fired, his account should be deactivated, and you don't want anyone poking at computers using his credentials once that has happened. The Windows security model is fairly restrictive, not permitting anyone to modify a machine unless they have admin permission on the machine (and domain admins have admin permission on all domain machines).
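One way to see this caching from the client side, as an added example that is not part of the answer above: compare the group SIDs baked into the current logon token (what elevation evaluates) with what the directory says about the account right now. It assumes a domain-joined Windows client with line of sight to a DC and uses only built-in .NET/ADSI classes, no RSAT.

```powershell
# Added example (not from the original answer). Assumes a domain-joined
# client with line of sight to a DC; run it as the account you want to check.
# Shows whether the groups in the running logon token still match what AD
# says today; a mismatch means the token is stale and a fresh logon is needed.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$samName  = $identity.Name.Split('\')[-1]

# Group SIDs placed in this session's token at logon time.
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }

# Current memberOf from the directory (direct memberships only; nested
# groups and the primary group are not expanded by this simple lookup).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$samName))"
[void]$searcher.PropertiesToLoad.Add('memberOf')
$user = $searcher.FindOne()
if (-not $user) { throw "Account $samName not found in the directory" }

$adSids = foreach ($dn in $user.Properties['memberof']) {
    $group = [ADSI]"LDAP://$dn"
    (New-Object System.Security.Principal.SecurityIdentifier($group.objectSid.Value, 0)).Value
}

# Domain Admins is the well-known RID 512 under the domain's SID prefix.
$daInToken = [bool]($tokenSids | Where-Object { $_ -like '*-512' })
$daInAd    = [bool]($adSids    | Where-Object { $_ -like '*-512' })

"Token says Domain Admins : $daInToken"
"AD says Domain Admins    : $daInAd"

# Anything AD grants today that the token does not carry was added after logon.
$stale = $adSids | Where-Object { $tokenSids -notcontains $_ }
if ($stale) {
    "Groups present in AD but missing from this token (stale logon):"
    $stale | ForEach-Object { "  $_" }
}
```

For a quick manual look at the token side alone, `whoami /groups` lists the same SIDs the script reads from `$identity.Groups`.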
