I never knew that

Lee H Member Posts: 1,135
Hi

A standard user of a domain can add a client to the domain as long as he/she has local admin rights on the local PC; also, AD will track the number of PCs joined to the domain and will only allow 10.

Can't imagine a scenario where someone would have local admin on a PC but also be a standard user on the domain.

Lee H
.

Comments

  • tiersten Member Posts: 4,505
    Eh? You sure? That makes no sense and it's a massive security issue if it does...
  • sprkymrk Member Posts: 4,884
    Yeah, and it only works if you want to add the computer to the built-in Computers container. It won't work in an organization that keeps computers in different OUs. In that case you either need to have a GPO applied that allows it or else you need to pre-populate the computer object and change the "Allow to add to domain" to something other than the default Domain Administrator.
    All things are possible, only believe.
  • sprkymrk Member Posts: 4,884
    tiersten wrote:
    Eh? You sure? That makes no sense and it's a massive security issue if it does...

    Yes, he's right. Tell me how that would be a massive security issue though?
    All things are possible, only believe.
  • Lee H Member Posts: 1,135
    So what you're saying, Spymark, is that if the client is added to the default Computers container then a standard user can do this, but if there is some kind of rule set up that puts it into a separate OU then the standard user will not be able to do it.
    .
  • tiersten Member Posts: 4,505
    sprkymrk wrote:
    tiersten wrote:
    Eh? You sure? That makes no sense and it's a massive security issue if it does...

    Yes, he's right. Tell me how that would be a massive security issue though?
    Do you want computers appearing on your domain that are untrusted? Or does that count as a minor issue in your book?

    I've seen a few places which granted specific users local admin on their PCs whilst having a regular domain account. It was usually due to some legacy applications.
  • sprkymrk Member Posts: 4,884
    Lee H wrote:
    So what you're saying, Spymark, is that if the client is added to the default Computers container then a standard user can do this, but if there is some kind of rule set up that puts it into a separate OU then the standard user will not be able to do it.

    Correct.
    All things are possible, only believe.
  • tiersten Member Posts: 4,505
    sprkymrk wrote:
    Lee H wrote:
    So what you're saying, Spymark, is that if the client is added to the default Computers container then a standard user can do this, but if there is some kind of rule set up that puts it into a separate OU then the standard user will not be able to do it.

    Correct.
    Why would you want this functionality?
  • sprkymrk Member Posts: 4,884
    tiersten wrote:
    sprkymrk wrote:
    tiersten wrote:
    Eh? You sure? That makes no sense and it's a massive security issue if it does...

    Yes, he's right. Tell me how that would be a massive security issue though?
    Do you want computers appearing on your domain that are untrusted? Or does that count as a minor issue in your book?

    I've seen a few places which granted specific users local admin on their PCs whilst having a regular domain account. It was usually due to some legacy applications.

    If your users are already local admins on their computer, that is a security issue. The fact that they can add a computer to the domain - well, what would they actually have to do? If it's a company computer it's probably already on the domain and you already made them an admin on it so...

    If they are able to bring a computer from home into your building, plug it into a jack and get on your network undetected, then adding it to the domain would actually be the least of your worries. I see it as an unnecessary right to be granted to a user, but not a massive security issue by itself. My guess is that it was done so remote sites without local IT support could function more easily. Once the computer is on the domain there should be policies in place (such as restricted groups) that would ensure domain users were not local admins, then rename and lock the local admin account or at least change its p/w, etc.
    All things are possible, only believe.
  • nel Member Posts: 2,859
    Lee, mark is spot on with this :D
    Can't imagine a scenario where someone would have local admin on a PC but also be a standard user on the domain.

    We had to in a previous job, otherwise our main production software would not run so effectively; if we didn't, we wouldn't be able to create/sell newspapers.
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking
  • tiersten Member Posts: 4,505
    sprkymrk wrote:
    If your users are already local admins on their computer, that is a security issue. The fact that they can add a computer to the domain - well, what would they actually have to do? If it's a company computer it's probably already on the domain and you already made them an admin on it so...
    I'm not a Windows person so that is the part that seems strange. I would have expected only domain admins to be able to add a new client to the domain.
    sprkymrk wrote:
    Once the computer is on the domain there should be policies in place (such as restricted groups) that would ensure domain users were not local admins, then rename and lock the local admin account or at least change its p/w, etc.
    One place had none of that. Random users would have local admin because some ancient legacy applications required it, otherwise they'd bomb out with obscure errors. The manufacturer-recommended solution was to give them local admin. The setup was originally done by somebody with absolutely no training who didn't even follow any sort of best practice guide. The worst part is that they were a bank...

    Thankfully none of that was my concern. I was there to look after the iSeries and pSeries. I didn't bank there for obvious reasons :)
  • tiersten Member Posts: 4,505
    nel wrote:
    Lee, mark is spot on with this :D
    Can't imagine a scenario where someone would have local admin on a PC but also be a standard user on the domain.

    We had to in a previous job, otherwise our main production software would not run so effectively; if we didn't, we wouldn't be able to create/sell newspapers.
    Typewriter, some paper, big pot of glue and a pair of scissors ;)

    I guess the main issue here is crap applications that require elevated privileges when they really shouldn't need to.
  • Mishra Member Posts: 2,468
    It's a pain to change this too. When we changed it we had to go under adsiedit to find the setting.

    I'm not sure why Microsoft made this the default setting. It should have been an option but not a default setting.

    "My guess is that it was done so remote sites without local IT support could function more easily."

    This is what I've always heard. Nice post.
    My blog http://www.calegp.com

    You may learn something!
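    The ten-join limit Lee H mentions in the opening post and the setting Mishra had to dig out with ADSI Edit are the same thing: the domain attribute ms-DS-MachineAccountQuota, which defaults to 10. The PowerShell below is an added example, not code from anyone in this thread. It assumes the ActiveDirectory RSAT module, an account allowed to modify the domain object, and an OU named OU=Workstations (a placeholder). It reads the quota, lists the computer accounts that were created through it (mS-DS-CreatorSID is only populated on objects that an ordinary user joined under the quota, which is why sprkymrk's point about them landing in the default Computers container holds), sets the quota to 0, and then pre-stages a computer object in a real OU so the join is delegated explicitly instead of through the default.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module and an
# account allowed to modify the domain object. 'OU=Workstations' is an assumed OU name.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Read the quota: default is 10, 0 means ordinary users get no joins at all.
function Get-MachineAccountQuota {
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# Computer objects joined under the quota carry mS-DS-CreatorSID (the SID of the ordinary
# user who joined them); objects created by administrators or via delegation do not.
function Get-QuotaJoinedComputers {
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # account deleted since, or untranslatable
            [PSCustomObject]@{
                Computer  = $_.Name
                CreatedBy = $creator
                When      = $_.whenCreated
                DN        = $_.DistinguishedName   # usually CN=...,CN=Computers,<domain>
            }
        }
}

"ms-DS-MachineAccountQuota is currently $(Get-MachineAccountQuota) (default 10)"
Get-QuotaJoinedComputers | Format-Table -AutoSize

# Close the default path entirely.
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Delegate instead: pre-stage the computer object in the OU whose policy it should receive.
# Who may then complete the join is set per object (the "Allow to add to domain" user or
# group on the pre-created object) or domain-wide via the GPO user right
# "Add workstations to domain".
New-ADComputer -Name 'WS-FIN-042' -Path "OU=Workstations,$domainDN" -Enabled $true
```

    Run the first two functions on their own first: the list of quota-joined machines tells you how much the default has already been used before you turn it off, and any entry whose CreatedBy no longer translates to an account is worth a second look.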
  • tiersten Member Posts: 4,505
    Mishra wrote:
    I'm not sure why Microsoft made this the default setting. It should have been an option but not a default setting.
    Ditto. For most users/setups I'd expect this feature not be useful or needed.
  • Megadeth4168 Member Posts: 2,157
    nel wrote:
    Lee, mark is spot on with this :D
    Can't imagine a scenario where someone would have local admin on a PC but also be a standard user on the domain.

    We had to in a previous job, otherwise our main production software would not run so effectively; if we didn't, we wouldn't be able to create/sell newspapers.

    Similar scenario here.. We have software that most of the users in the organization use that requires local admin rights to run correctly. I don't like it, but we don't really have a way around it at the moment.
  • nel Member Posts: 2,859
    tiersten wrote:
    nel wrote:
    Lee, mark is spot on with this :D
    Can't imagine a scenario where someone would have local admin on a PC but also be a standard user on the domain.

    We had to in a previous job, otherwise our main production software would not run so effectively; if we didn't, we wouldn't be able to create/sell newspapers.
    Typewriter, some paper, big pot of glue and a pair of scissors ;)

    I guess the main issue here is crap applications that require elevated privileges when they really shouldn't need to.

    Try telling that to journalists!!!!!
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking
  • undomiel Member Posts: 2,818
    I've been looking into the software around here that "requires" admin rights. So far I've been able to work around the problem with all the software. Generally it required granting modify or full control to the specific program folder. A few have been more complicated though. Peachtree for instance I had to grant control on the program folder, 4 files that it put in the Windows directory, and its registry keys. Works perfectly now.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • dynamik Banned Posts: 12,312
    Peachtree is the bane of my existence. I've never had so many problems with a software package before.
  • undomiel Member Posts: 2,818
    Peachtree has been relatively problem free over here. The only problem I ever had was running it under a restricted account. So I'll consider myself lucky. :)

    Now Visual ERP on the other hand . . .
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • RTmarc Member Posts: 1,082
    tiersten wrote:
    nel wrote:
    Lee, mark is spot on with this :D
    Can't imagine a scenario where someone would have local admin on a PC but also be a standard user on the domain.

    We had to in a previous job, otherwise our main production software would not run so effectively; if we didn't, we wouldn't be able to create/sell newspapers.
    I guess the main issue here is crap applications that require elevated privileges when they really shouldn't need to.
    That's the problem. Interestingly enough, Microsoft admitted that the UAC in Vista was designed as an annoyance "feature" just for this problem. The comment made was that it was essentially created to annoy developers into creating applications that did not need elevated permissions.

    To comment further, the company I work for is also in the same situation as described above. We have two applications that our employees use that will not function if the user has anything less than local admin rights. Unfortunately, we've been unable to manipulate folder and file permissions to the point it will run correctly sans local admin rights. And, as you can imagine, the software creator's blanket fix is local admin rights.
  • undomiel Member Posts: 2,818
    RTmarc wrote:
    And, as you can imagine, the software creator's blanket fix is local admin rights.

    Yep that's the most annoying part. They generally just don't care because it is "good enough."
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • dynamik Banned Posts: 12,312
    Is it accessing the registry? You might be able to remedy that situation by changing the permissions there as well. I think there's a Sysinternals tool that'll help you with that, but I'm not familiar with it.
  • undomiel Member Posts: 2,818
    Process Monitor is what you're thinking of, dynamik. I just thought of it while looking at another thread as well. It'd be a good way to find out what's breaking things in these programs.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • RTmarc Member Posts: 1,082
    FileMon is the other one to use.
  • undomiel Member Posts: 2,818
    Process Monitor supersedes FileMon and RegMon as it combines the functionality of the two.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • astorrs Member Posts: 3,139
    undomiel wrote:
    Process Monitor supersedes FileMon and RegMon as it combines the functionality of the two.
    Yup, and it adds way more functionality (namely non-destructive filters!)

    Here is a great webcast from Mark about Process Monitor:

    TechNet Webcast: Advanced Microsoft Windows Troubleshooting with Sysinternals Process Monitor (Level 300)
    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032345496&EventCategory=3&culture=en-US&CountryCode=US
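    undomiel's workaround (Modify or Full Control on the program folder plus the application's registry keys) and the Process Monitor discussion that follows fit together: Procmon tells you which paths the application is denied on, and the ACL change is scoped to exactly those. The script below is an added example and not code from any poster. It assumes the application is LegacyApp.exe, that the people who run it are in a group named CORP\LegacyApp Users (both placeholders), and that the trace was saved from Procmon as CSV (File > Save); the header row mirrors Procmon's CSV export, so adjust the column names if your version differs. The CSV lines are constructed for the example.

```powershell
# Added example (not from the thread): turn a Process Monitor CSV export into the minimum
# file/registry rights a restricted user needs, instead of granting local admin.
# Assumptions: process LegacyApp.exe, group 'CORP\LegacyApp Users', Procmon CSV layout.

# Constructed sample of a Procmon export (a real one comes from File > Save, CSV format).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:12:01.1","LegacyApp.exe","4120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:12:01.2","LegacyApp.exe","4120","RegSetValue","HKLM\SOFTWARE\LegacyVendor\LegacyApp\LastUser","ACCESS DENIED","Type: REG_SZ"
"9:12:01.3","LegacyApp.exe","4120","CreateFile","C:\Windows\legacy.dll","SUCCESS","Desired Access: Read"
"9:12:02.0","explorer.exe","1234","CreateFile","C:\Users\jo\Desktop","SUCCESS","Desired Access: Read"
'@

# Keep only ACCESS DENIED rows for the application and normalise the paths.
function Get-DeniedPaths {
    param([string]$Csv, [string]$ProcessName)
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        ForEach-Object {
            $p = $_.Path
            # Procmon writes registry paths with the hive name (HKLM\...); map them to the
            # PowerShell registry provider (HKLM:\...) so Get-Acl/Set-Acl can use them.
            $isReg = $p -match '^(HKLM|HKCU|HKCR|HKU)\\'
            if ($isReg) { $p = $p -replace '^(HK[A-Z]+)\\', '$1:\' }
            [PSCustomObject]@{
                Kind      = if ($isReg) { 'Registry' } else { 'File' }
                Path      = $p
                Operation = $_.Operation
            }
        } | Sort-Object Path -Unique
}

# Grant the group Modify on the parent folder, or ReadKey+WriteKey on the parent key,
# for each denied path. Nothing wider than the application's own locations is touched.
function Grant-LeastPrivilege {
    param([string]$Group, [object[]]$Denied, [switch]$WhatIf)
    foreach ($d in $Denied) {
        # Grant on the folder or key, not on the single file or value Procmon reported.
        $target = Split-Path -Path $d.Path -Parent
        if ($d.Kind -eq 'File') {
            $rights = 'Modify'
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Group, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        } else {
            $rights = 'ReadKey,WriteKey'
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $Group, $rights, 'ContainerInherit', 'None', 'Allow')
        }
        if ($WhatIf) { "Would grant $Group '$rights' on $target"; continue }
        $acl = Get-Acl -Path $target
        $acl.AddAccessRule($rule)
        Set-Acl -Path $target -AclObject $acl
    }
}

$denied = Get-DeniedPaths -Csv $sampleCsv -ProcessName 'LegacyApp.exe'
$denied | Format-Table -AutoSize
# Review the plan first; drop -WhatIf to apply it.
Grant-LeastPrivilege -Group 'CORP\LegacyApp Users' -Denied $denied -WhatIf
```

    Two things to watch when doing this for real: filter the Procmon trace to the application's process and to Result is ACCESS DENIED before saving, so the export is small, and re-run the trace after the change, because an application that was denied on one path often fails on the next one only once the first is fixed (the "4 files in the Windows directory" undomiel found for Peachtree is that pattern).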
  • snadam Member Posts: 2,234
    dynamik wrote:
    Peachtree is the bane of my existence. I've never had so many problems with a software package before.

    wait till you get into Timberline....

    after years of research and tweaking of the registries and file permissions with QuickBooks, we FINALLY got it down pat where it runs smooth and nobody has to have any local admin rights, then they decide to go with Timberline... Let's just say I don't like what they have to say in regards to what user rights need to be granted, nor what permissions need to be granted to its files/folders... god I hate that application
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • blargoe Member Posts: 4,174
    Being able to join it to the domain isn't THAT big of a deal if they already have a valid user credential. It's not like they'd have "more access" if they're in the domain, as they can always "logon as" when they connect to a share from a non-domain computer.

    Actually allowing rogue computers physical/wireless network access at all is the real risk.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Daniel333 Member Posts: 2,077
    I think it's funny how different shops run.

    We are a bank of well over 10,000 users with only 6-7 people in a remote office for support of actual PC problems (of course there are other teams). We require our end users to install hard drives and reimage their own machines. Although laptops are shipped in.

    We're pushing for terminals here and there too. Won't even have to do that soon enough.
    -Daniel