Sign in with
Sign up | Sign in
Your question

Why is my domain user a local admin?

Tags:
  • Domain
  • Computers
  • Business Computing
  • Standard
Last response: in Business Computing
Share
August 6, 2014 4:59:04 AM

Hi everyone,

I recently completed the install of Windows Server Essentials 2012 R2.

I created a standard user (Sam) via the server dashboard.
I downloaded the connect software and connected my computer to the domain.
I logged in to my computer using my standard user domain credentials.

All works, however, I noticed I have full administrator control of my computer.

Is this the normal behaviour, that Standard domain user are Local machine Administrators?

I can't find a way to specify what local rights the domain account should have.

Thanks.

More about : domain user local admin

August 6, 2014 2:26:38 PM

Look at the local "Administrators" group on the member PC, odds are that you'll find either "domain members" (bad, bad, bad...) or a specific domain user account in addition to "Administrator" and "Domain Admins".
m
0
l
August 7, 2014 4:30:28 AM

This is weird because it is literally a brand new Server Essentials 2012 R2 installation following basic installation procedure.

I went to Active Directory Users and Computers and looked into the Builtin folder for the Administrators group and the Users group.

In the Administrators group, members are:
Administrator
Domain Admins
Enterprise Admins
Media Admins
Root (a server user I created at installation)

In the Uers group, members are:
Authenticated Users
Domain Users
INTERACTIVE

More info:
This is the first computer I joined to the domain (I will test a second computer today).
When I joined the computer, I made sure to enter the standard user credentials.
Not sure why my Standard domain user account ends up being local admin of the machine.....
m
0
l
Related resources
August 7, 2014 7:14:19 AM

Ok, now check all the "Admin" groups in the domain. Your user (or a group your user belongs to) appears in one or more of them.
m
0
l
August 7, 2014 8:04:35 AM

I just created a brand new standard user and connected a computer to the server using those credentials, and again, the resulting local account is admin of the machine.

I thought of something though:
Because both computers I connected so far were computers already in use and on both computers, the old local user accounts were administrators, is it possible that when the computer is connected to the domain it keeps the same local account type?
m
0
l
August 7, 2014 8:10:41 AM

No, the local accounts have no bearing. Your "standard" users are being made members of a domain group that has local admin rights. As I pointed out above, you need to check the groups at the domain level.
m
0
l
August 18, 2014 7:36:06 AM

Look at the users on the local machine. You will see the groups and accounts that belong to the local admin rights group. The account you are using on the domain is a member or a group there.
m
0
l
!