#1
I've got a weird issue that I hope someone knows what's going on...

I recently moved from my NTSBS 4.0 domain into a Win2003 AD. I have 7 workstations all with the same issue. I had to re-create the user accounts in 2003 since I couldn't find a direct upgrade path which was no big deal.

Anyway, all of my workstations are XP SP2.

The workstations did not have local administrator rights so the users could not install their own applications. I added into each user's workstation their domain login name and added them as local administrator. I can log in as them to the local workstation and gain local admin, but if I login into the domain I do not get local administrator rights.

Here's what I tried:

Deleting the profiles, deleting references in the registry to that user, re-creating the profile by logging in again.

I noticed when I logged in with the new user that it took a while to create the profile. When I logged in with the original user, even though the profile directories were deleted it just said loading profile and entered winxp quickly. So it looks like it was grabbing a profile from somewhere. I examined the PC and their home directory but could not find another profile directory.

Created a new user on the domain, created a new user on the local workstation and this new user did get local admin.

Re-formatted a PC and re-patched. Added the original user in the local workstation as local administrator and the problem was still there. No local administrator rights.

It seems to be a profile/policy issue but no policies or roaming profiles are defined in the new domain.

Does anyone have any idea on what is going on with this?

#2
Eric wrote:

> The workstations did not have local administrator rights so the users could
> not install their own applications.

.... Which is generally a good thing.

> I added into each user's workstation
> their domain login name and added them as local administrator.

Does this mean that you created a local account on the computer with the same username as the domain account? If so, why?

> I can log in
> as them to the local workstation and gain local admin, but if I login into
> the domain I do not get local administrator rights.

Yes, that's the way it should work, if you created local accounts for each user, and then added only those local accounts to the local administrators group.

> Here's what I tried:
>
> Deleting the profiles, deleting references in the registry to that user,
> re-creating the profile by logging in again.
>
> I noticed when I logged in with the new user that it took a while to create
> the profile. When I logged in with the original user, even though the
> profile directories were deleted it just said loading profile and entered
> winxp quickly. So it looks like it was grabbing a profile from somewhere. I
> examined the PC and their home directory but could not find another profile
> directory.
>
> Created a new user on the domain, created a new user on the local
> workstation and this new user did get local admin.
>
> Re-formatted a PC and re-patched. Added the original user in the local
> workstation as local administrator and the problem was still there. No local
> administrator rights.
>
> It seems to be a profile/policy issue but no policies or roaming profiles
> are defined in the new domain.
>
> Does anyone have any idea on what is going on with this?

The systems are acting perfectly normally, and there's nothing wrong. If you want your users to have local administrative privileges (which I think is a mistake, but it's your LAN) while logged in to the domain, simply add each user's domain account to the computer's local administrator group.

--
Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH

#3
I am trying to add them to the local administrators group.

This is a small company whose employees are technical in nature. We do a lot with engineering and designing/programming. The people need local admin access to perform their job. From my past experience, if you create a local user and add them into the local administrators group and that login ID has the same login ID as the domain account then when the user logs into the domain they will get the local administrator privs. This is not happening in my current setup and is needed.

#4
It should work [if that is what you REALLY want to do] if you add their domain user account to the local administrators group on their workstation. You may have other issues going on here also though. First make absolutely sure that you have DNS configured correctly for your domain as per the KB article in the link below [NEVER ever have an ISP DNS server in the preferred DNS server list of ANY domain computer] and run the support tool netdiag on your domain controllers and a couple domain workstations having this problem and run the support tool dcdiag and gpotool on your domain controllers looking for any problems. Also look in the logs of the domain controllers and domain workstations via Event Viewer to see if any related problems are found. --- Steve

http://support.microsoft.com/default...en-us%3B291382
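The replies above turn on whether the local Administrators group holds the user's domain account or only a local account with the same name. The following PowerShell is an added example, not part of any post in this thread: it parses `net localgroup Administrators` output and reports which of the two is present. The `CORP` domain, the `jsmith` user and the sample output are constructed placeholders, and it assumes PowerShell 3.0 or later and English-language `net` output.

```powershell
# Added example, not from the thread. CORP and jsmith are placeholders; the sample
# text is constructed and assumes English-language `net localgroup` output.
function Get-LocalAdminMember {
    param([string[]]$NetOutput)
    $inList = $false
    foreach ($line in $NetOutput) {
        $entry = $line.Trim()
        # Member lines sit between the dashed rule and the completion message.
        if ($entry -match '^-{10,}$') { $inList = $true; continue }
        if ($entry -like 'The command completed*') { $inList = $false }
        if (-not $inList -or $entry -eq '') { continue }
        # net localgroup prints domain principals as DOMAIN\name, local ones bare.
        $scope = 'Local'
        if ($entry.Contains('\')) { $scope = 'Domain' }
        [pscustomobject]@{
            Member = $entry
            Scope  = $scope
            Name   = ($entry -split '\\')[-1]
        }
    }
}

function Test-DomainAdminGrant {
    param([string[]]$NetOutput, [string]$DomainAccount)   # e.g. 'CORP\jsmith'
    $members = @(Get-LocalAdminMember -NetOutput $NetOutput)
    $user    = ($DomainAccount -split '\\')[-1]
    $direct  = @($members | Where-Object { $_.Member -eq $DomainAccount })
    $shadow  = @($members | Where-Object { $_.Scope -eq 'Local' -and $_.Name -eq $user })
    # Direct membership only: rights inherited through a listed domain group
    # (such as CORP\Domain Admins below) are not resolved here.
    if ($direct.Count) { return "OK: $DomainAccount is a direct member" }
    if ($shadow.Count) { return "MISMATCH: local account '$user' is a member, $DomainAccount is not" }
    return "MISSING: neither $DomainAccount nor a local '$user' account is a member"
}

$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
jsmith
The command completed successfully.
'@ -split "`r?`n"

Test-DomainAdminGrant -NetOutput $sample -DomainAccount 'CORP\jsmith'
# On a workstation, pass the live output instead:
# Test-DomainAdminGrant -NetOutput (net localgroup Administrators) -DomainAccount 'CORP\jsmith'
```

Run across a set of workstations, the same check also gives an inventory of which domain users hold direct local administrator rights, which is useful when those grants are later reviewed or withdrawn.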
#5

I do have DNS configured correctly, including the reverse lookup zone. I use a .local extension for internal DNS. I also looked at the event logs on both the domain controller and the local workstations and all were squeaky clean.

I haven't tried a netdiag yet though. I'll give that a shot tomorrow. Any other ideas anyone?

Thanks
#6

It sounds like it could be a problem with contacting the domain controller at logon. It could be the user is logging on via cached credentials even just briefly as is often the case where clients have wireless network connections. You can check the security log on the client workstation, assuming auditing of logon events is enabled as shown in Local Security Policy, to see if cached logons are happening as evidenced by type 11 logons. Try using the support tool whoami /groups to compare the security token of the domain user compared to the domain user to see if builtin\administrators is shown for the domain user. Also run rsop.msc on the domain computer in question to see if there are any differences in user configuration group policy settings for the domain user that could be restricting the user such as Software Restriction Policies. Another possibility is that the domain user is a member of a group that has deny permissions in some access control list that may be restricting them. --- Steve