1

I'm working at a place where all the computers are connected to a domain. Now, out of curiosity, I used a LiveUSB and enabled 2 administrator accounts. The administrator accounts are local. However, when I installed software and then logged into the domain level user account, I was able to run the software I installed on the local admin account.

Why is this? Why is software I installed on a local account made available on a domain level account, as if the domain level account was a normal local account?

6
  • 2
    In general, software installs install for all users. So if you do the install as a local admin, anyone that logs onto the machine will be able to see the software. Having said that, as a domain admin, if you did that at my work, your manager would be having a talk with you after getting their butt chewed by the CIO. Domain user accounts have restrictions for a reason.
    – EBGreen
    Commented May 19, 2015 at 15:41
  • 2
    This was possible because of an incorrectly configured domain policy. Why exactly do you feel this was strange though? You logged into an account and installed an application, with the proper permissions allowing it to be configured, for any local user to run. Although you log into a domain, there is still a local user account that is used when you do so. Which is the reason you can still access your desktop even if the domain controller is not up.
    – Ramhound
    Commented May 19, 2015 at 15:42
  • I just see it as strange because the way I thought of it was wrong. It's still a local account connecting to the domain, correct? Even if the domain is not up, because it's local, I can still access it, right?
    – user407055
    Commented May 19, 2015 at 15:50
  • If you used a live CD then it is not a local account connecting to the domain. The account has to exist in AD and be logged into the domain to be connected to the domain.
    – EBGreen
    Commented May 19, 2015 at 15:51
  • @EBGreen - Just for my understanding, how can you tell that the admin accounts are not local accounts? When I used the LiveUSB, the 2 admin accounts appeared when I was looking at the SAM file, but the domain level account didn't appear, and from the LiveUSB it doesn't appear that I could have switched the password. I was only able to switch/remove the password from the 2 admin accounts.
    – user407055
    Commented May 19, 2015 at 15:58

3 Answers

1

Programs usually install to C:\Program Files [(x86)], so any account logged into that computer will be able to run the program, no matter what domain the account is on. There is no separate Program Files folder for every account.

The programs installed on that computer will only work on that computer, though, since they're only installed there.

2
  • "Programs install to C:\Program Files [(x86)]" - That's not a hard and fast rule. Chrome for example used to install itself in AppData (and AFAIK still does depending on certain conditions), and there are apps that install elsewhere by default (not to mention users can change the destination too).
    – Karan
    Commented May 19, 2015 at 22:21
  • @Karan Yes, but programs that show up to all users are in Program Files. I'll add a "usually" in.
    Commented May 20, 2015 at 0:17
0

This isn't a question of whether a domain or local account was used, but rather what type of program was installed.

Programs installed on Windows computers are either accessible to all users (per-machine) or only the program's installing user (per-user). A software developer decides which it will be when preparing their application for distribution as evidenced by this FAQ entry for Advanced Installer (a software "packaging" system):

Question: How do I make the package install per-user or per-machine?

Answer: In order to allow the user to choose the installation type at run-time add the InstallType dialog to the project....In Install Parameters Page set the install type to: Per-machine if user is administrator, per-user otherwise.

For example, many computer games can be run by any user that logs on the computer, while Windows 8 Metro Apps are only accessible to the user that was signed-in when the app was installed.

The role domain vs. local accounts play in software installation has to do with permissions to modify the computer's configuration. Domain accounts (including those with Admin rights) can be and often are further restricted from making changes to computers that can affect whether (or how) applications behave when installed. Of course, many programs require Administrative rights to install, but there's no distinction between domain or local administrative rights excepting cases where an administrative user account has had some restrictions imposed on it by the domain.

Bottom line: If you can indeed install the program in question, it's up to the software developer whether just you, or everyone that has access to the computer can run the application.
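The per-machine versus per-user split described in the answer above can be checked on a given computer from the registry. The following is an added example, not part of the original answers: it lists installed programs by scope using the standard Windows Uninstall registry keys. The function names `Get-UninstallRoots` and `Get-InstallScope` are hypothetical, and reading other users' hives under HKEY_USERS assumes an elevated session.

```powershell
# Added example (not from the original thread). Function names are hypothetical.
# Per-machine installs register under HKLM and are visible to every account that
# logs on, local or domain. Per-user installs register in the installing user's hive.
function Get-UninstallRoots {
    $roots = [ordered]@{
        'Per-machine (64-bit)' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        'Per-machine (32-bit)' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    }
    # Only hives of currently logged-on users are loaded under HKEY_USERS.
    # The pattern keeps account SIDs and skips the "<SID>_Classes" keys.
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $roots["Per-user ($sid)"] = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Uninstall"
        }
    $roots
}

function Get-InstallScope {
    $roots = Get-UninstallRoots
    foreach ($scope in $roots.Keys) {
        $root = $roots[$scope]
        if (-not (Test-Path -LiteralPath $root -ErrorAction SilentlyContinue)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if (-not $p.DisplayName) { return }   # skip entries with no display name
            [pscustomobject]@{
                Scope           = $scope
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                InstallLocation = $p.InstallLocation
            }
        }
    }
}

# Programs listed under a "Per-machine" scope are the ones any account can run.
Get-InstallScope | Sort-Object Scope, Name | Format-Table -AutoSize
```

Entries that show up only under a `Per-user (<SID>)` scope were registered for that account alone; software that does not register an uninstall entry will not appear in either list.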

-1

It depends on your software and its installation folder.

Generally speaking, any admin should have access to any software and hence be able to run it, unless you disable access to it at the NTFS level.

If you install it to "everyone" (to "c:\program files" with icons in c:\users\All Users), anyone will be able to run it. If you install it so-called "only for you" (C:\Users\<YOUR_PROFILE>\...), you will not see it in your menu and desktop on another account, but (if your second account has admin rights) you will still be able to run it directly from this folder. But if your app uses some registry hives in HKEY_USERS\S-1-5-<YOUR_SID>, you will not be able to run it from a different account. You also may use folder encryption to prevent other admins from accessing your app. But domain admins may have a key to read even an encrypted folder (depends on domain policy).

2
  • Where the icons go has no bearing on whether or not other users can run the software. Installing the actual software to the user's profile would prevent other users from running it unless they are admins, but in a profile synced environment, that is just one more way to piss off the domain admins. Almost every modern app writes information to the user's hive. Then when a different user runs it, it writes to that user's hive. Writing to the user's hive does not in and of itself prevent the software from running for a different user.
    – EBGreen
    Commented May 19, 2015 at 15:50
  • I agree with you about everything you said, but only modern and well-written apps can run regardless of user registry hive content. There are some bad apps unfortunately. And also installing software to home folder / %APPDATA% may prevent it from running even by local admins if you use EFS and admins have no keys. It depends on policy.
    – user996142
    Commented May 19, 2015 at 16:08
