network vs. local permissions
w^rl0rd
If a user is assigned local Admin rights, but doesn't have network Admin rights assigned through Active Directory, would the user's local Admin rights be cancelled out when logged onto the network?
I hope that wasn't too confusing.
The permissions will depend on whether they are logged on locally or over the network, right?
Comments
pandimus
Technically that person would not really have any rights, except on that one computer (well, any rights not otherwise given in their permissions set in AD). So that person can set up anything on that computer. But as soon as they do anything on the network they have whatever permissions are set in AD. Sorry for repeating. So to answer your question: yes, they lose those permissions. Or even better, they never even had them. If I'm confusing you please tell me.
w^rl0rd
So network permissions override local?
So if someone is a User in AD, but an Admin locally, after authenticating they will effectively be a User, right?
pandimus
Depends where they log in at. If they log in locally at that terminal they have permissions to change the settings on that computer, but if they log on the network then they will have just their user permissions.
Rexel
Yep, from my understanding:
Network Login - AD assigned rights and permissions.
Local machine login - rights and permissions assigned to the user's account locally.
GPOs in AD will override any rights a user has assigned locally when logging onto a correctly configured AD enabled domain.
Just gotta love AD!
w^rl0rd
Thanks Rexel and Pandimus. That's what I thought.
One of my users had deskside support come out and assign him to the Admin group, but he never had his network permissions changed.
After logging into the box, he wondered why he still had User level perms.
Anyway, thanks for clearing it up for me.
Rexel
Happy to help
lmulli
If you have used lusrmgr.msc on the local machine to add the user's network account to the local admin group, then regardless of what type of user they are on the network, they will remain an admin on the local machine.
This is quite a useful feature as it happens. Only recently I had to add a number of users to the local admin group in order for some financial software to function correctly. Bit of a security threat to the local machine, but when it only takes 10 minutes or so to re-image, and most users aren't bothered in wrecking their systems anyway, it's not all bad news.
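An added example, not part of any post in this thread: a small audit that parses the output of `net localgroup Administrators` and reports members that are not on an approved list, which is how a domain account granted local admin on one machine shows up. The sample output, the `CORP` domain, the account names and the approved list are all constructed for illustration.

```python
# Added example: audit the output of `net localgroup Administrators`.
# SAMPLE_OUTPUT, the CORP domain, the account names and APPROVED are constructed.

SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
deskside
The command completed successfully.
"""

# Accounts expected in the local Administrators group (assumption, lowercase).
APPROVED = {"administrator", "corp\\domain admins"}


def parse_members(output):
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            in_list = line.startswith("-----")
            continue
        if not line or line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def classify(member):
    """Heuristic: DOMAIN\\name entries are domain accounts, bare names are local."""
    return "domain" if "\\" in member else "local"


def unexpected_admins(output, approved=APPROVED):
    """Members of the local Administrators group that are not on the approved list."""
    return [(m, classify(m)) for m in parse_members(output)
            if m.lower() not in approved]


if __name__ == "__main__":
    for name, kind in unexpected_admins(SAMPLE_OUTPUT):
        print(f"unexpected {kind} account in local Administrators: {name}")
```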