Windows Vista Tips

Windows Vista Tips > Newsgroups > Windows Server > Windows Small Business Server > domain admins

domain admins

john, 09-03-2010
When I add a domain user to the domain admins group on the SBS server the
user has administrative authority on their local computer. What mechanism is
employed to allow this to take place? Thanks, John
 

Joe, 09-03-2010
On 03/09/10 17:52, john wrote:
> When I add a domain user to the domain admins group on the SBS server the
> user has administrative authority on their local computer. What mechanism is
> employed to allow this to take place? Thanks, John


Have a look at the local groups on a LAN machine. The Domain Admins
group of the local domain is explicitly a member of the Administrators
group. They have admin privileges on all of the LAN computers, not just
their own.

It's occasionally necessary to do this temporarily, as some
poorly-written programs require a user to have admin privileges on the
first run.

--
Joe

john, 09-03-2010
I'm aware that on the domain client computer Domain Admins is a member of the
Administrators group, however, I thought that when I placed the user in a
security group on the server, that it only applied on the server. Is there a
GPO on the server that shoves the authorization down to the client or is it
somehow part of the authorization ticket the client is granted? I know it
works, however, I just can't figure out how it works. Thanks, John

"Joe" wrote:

> Have a look at the local groups on a LAN machine. The Domain Admins
> group of the local domain is explicitly a member of the Administrators
> group. They have admin privileges on all of the LAN computers, not just
> their own.
>
> It's occasionally necessary to do this temporarily, as some
> poorly-written programs require a user to have admin privileges on the
> first run.
>
> --
> Joe

Joe, 09-03-2010
On 03/09/10 20:58, john wrote:
> I'm aware that on the domain client computer Domain Admins is a member of the
> Administrators group, however, I thought that when I placed the user in a
> security group on the server, that it only applied on the server. Is there a
> GPO on the server that shoves the authorization down to the client or is it
> somehow part of the authorization ticket the client is granted? I know it
> works, however, I just can't figure out how it works. Thanks, John
>


I don't think any policies are involved, I think this is basic ACL
stuff, as you say, settled at logon time. The authentication is cached,
and allows a domain admin known to the machine i.e. before cache
timeout, to administer the machine even without a network connection.

--
Joe

Kerry Brown, 09-04-2010
The domain admins group is in Active Directory not a local group on the
server. You have to trust your domain admins. Whatever you do they have the
power to undo. If you have a reason that someone, say a contractor or
outside support tech, needs domain admin access but you don't want them
mucking about with computers then you have to disable the account whenever
they are not logged on. For them to logon you would enable the account then
monitor what they are doing. When they're finished disable the account
again.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

"john" <> wrote in message
newsBBA0B6C-E565-471D-B026-...
> I'm aware that on the domain client computer Domain Admins is a member of
> the
> Administrators group, however, I thought that when I placed the user in a
> security group on the server, that it only applied on the server. Is there
> a
> GPO on the server that shoves the authorization down to the client or is
> it
> somehow part of the authorization ticket the client is granted? I know it
> works, however, I just can't figure out how it works. Thanks, John
>

cullirod, 09-05-2010
I used the WinNT provider in a JScript to enumerate the group membership of a
domain user. I ran the script on a client computer. The result was a list of
groups the user belonged to on SBS. If I disconnected the network cable the
script failed. Operating under the assumption that users logon to client
computers and use resources on the SBS (users not logged onto SBS) I have to
conclude that these groups are pushed down to the client computer. I would
like to know how, why and when and the logic behind it. Most of the groups
the user belongs to (e.g. domain user) don't have any meaning on the client
computer. The only relevant one is domain administrator. Thanks, John

"Kerry Brown" wrote:

> The domain admins group is in Active Directory not a local group on the
> server. You have to trust your domain admins. Whatever you do they have the
> power to undo. If you have a reason that someone, say a contractor or
> outside support tech, needs domain admin access but you don't want them
> mucking about with computers then you have to disable the account whenever
> they are not logged on. For them to logon you would enable the account then
> monitor what they are doing. When they're finished disable the account
> again.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
>

Kerry Brown, 09-05-2010
When you logon with a domain user account to a domain joined computer that
currently is not connected to the domain the logon uses cached credentials
if the domain user has previously logged on to the computer while connected
to the domain. This means that if a user logged on with a domain admin
account then the computer was disconnected from the network the user could
still logon with the domain admin account and have the same privileges on
the computer as if the computer was still connected to the domain. This is
needed for laptops which may or may not be connected to the network.

Domain group policies are also cached on a domain joined computer. Whatever
group policies were in place the last time the computer was connected remain
in place until the computer is reconnected to the domain and the policies
updated or the computer is disjoined from the domain.

In your case the script would have had to query a domain controller for the
information. If the computer was not connected it would fail. The computer
doesn't need that information because it has the cached user SID which is
all it needs to apply permissions and policies.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/



"cullirod" <> wrote in message
news:3D47B7DC-A6F3-4A60-BEF4-...
> I used the WinNT provider in a JScript to enumerate the group membership
> of a
> domain user. I ran the script on a client computer. The result was a list
> of
> groups the user belonged to on SBS. If I disconnected the network cable
> the
> script failed. Operating under the assumption that users logon to client
> computers and use resources on the SBS (users not logged onto SBS) I have
> to
> conclude that these groups are pushed down to the client computer. I would
> like to know how, why and when and the logic behind it. Most of the groups
> the user belongs to (e.g. domain user) don't have any meaning on the
> client
> computer. The only relevant one is domain administrator. Thanks, John
>

cullirod, 09-07-2010
I found that the SIDs for the security groups are sent to the domain client
in the TGT. There is an area in the TGT for vendor supplied authorization
data (see cc752815). The data area is described in aa302203.

"Kerry Brown" wrote:

> When you logon with a domain user account to a domain joined computer that
> currently is not connected to the domain the logon uses cached credentials
> if the domain user has previously logged on to the computer while connected
> to the domain. This means that if a user logged on with a domain admin
> account then the computer was disconnected from the network the user could
> still logon with the domain admin account and have the same privileges on
> the computer as if the computer was still connected to the domain. This is
> needed for laptops which may or may not be connected to the network.
>
> Domain group policies are also cached on a domain joined computer. Whatever
> group policies were in place the last time the computer was connected remain
> in place until the computer is reconnected to the domain and the policies
> updated or the computer is disjoined from the domain.
>
> In your case the script would have had to query a domain controller for the
> information. If the computer was not connected it would fail. The computer
> doesn't need that information because it has the cached user SID which is
> all it needs to apply permissions and policies.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
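The thread settles on two facts: Domain Admins is a member of the local Administrators group on every domain-joined client (Joe's first reply), and the group SIDs reach the client as authorization data carried with the logon, so they sit in the user's token and survive a cached logon (Kerry Brown's last reply and cullirod's finding about the ticket). The PowerShell below is an added example, not code from the thread or from any of its posters, that lets you verify both on a client. It assumes a domain-joined Windows client with Windows PowerShell 2.0 or later and a domain user logon; the function names are this example's own, and the sample member path shown in a comment is constructed.

```powershell
# Added example, not code from the thread. Assumes: a domain-joined Windows client,
# Windows PowerShell 2.0 or later, run as the domain user being inspected.
# No elevation is needed; everything here is read-only.
# Function names are this example's own; values marked "constructed" are illustrative.

Set-StrictMode -Version 2

function Get-TokenGroupReport {
    # Group SIDs are read from the logon token. They were written into it at logon
    # from the authorization data the DC returned with the Kerberos ticket, or from
    # the cached logon when no DC was reachable. No DC is contacted here.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $domainSid = $identity.User.AccountDomainSid   # $null for built-in accounts such as SYSTEM

    $domainAdminsValue = $null
    $isDomainAdmin     = $false
    if ($null -ne $domainSid) {
        # Well-known RID 512 = Domain Admins of the account's own domain.
        $domainAdmins      = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
        $domainAdminsValue = $domainAdmins.Value
        $isDomainAdmin     = $identity.Groups.Contains($domainAdmins)
    }

    $groups = foreach ($sid in $identity.Groups) {
        # SID-to-name translation for domain groups may need a DC; the SID itself never does.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<not resolvable offline>' }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }

    New-Object PSObject -Property @{
        User            = $identity.Name
        DomainAdminsSid = $domainAdminsValue
        IsDomainAdmin   = $isDomainAdmin
        TokenGroups     = @($groups)
    }
}

function Get-LocalAdministratorsMembers {
    # Same WinNT ADSI provider cullirod used, but pointed at the local machine (".")
    # and at the local Administrators group, whose membership lives in the local SAM.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in @($group.Invoke('Members'))) {
        $path   = $member.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
        $rawSid = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid    = New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0)
        New-Object PSObject -Property @{
            Member         = $path -replace '^WinNT://', ''   # e.g. CONTOSO/Domain Admins (constructed)
            Sid            = $sid.Value
            # A domain SID (S-1-5-21-...) ending in RID 512 is that domain's Domain Admins group.
            IsDomainAdmins = ($sid.Value -match '^S-1-5-21-\d+-\d+-\d+-512$')
        }
    }
}

function Get-CachedLogonsCount {
    # Number of domain logons the client keeps for use when no DC is reachable
    # (default 10). Setting it to 0 stops cached logons, at the cost of laptops
    # no longer being able to log on away from the domain.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [int](Get-ItemProperty -Path $key -Name CachedLogonsCount).CachedLogonsCount
}

# Run the audit and print the three pieces of evidence.
$report = Get-TokenGroupReport
"User: {0}  Domain Admins SID: {1}  present in token: {2}" -f $report.User, $report.DomainAdminsSid, $report.IsDomainAdmin
$report.TokenGroups | Format-Table Sid, Name -AutoSize
'Members of the local Administrators group:'
Get-LocalAdministratorsMembers | Format-Table Member, Sid, IsDomainAdmins -AutoSize
"CachedLogonsCount: {0}" -f (Get-CachedLogonsCount)
```

Run it once with the network connected and once with the cable unplugged, as cullirod did with the JScript: the token SIDs and the local group membership are still listed, and only the SID-to-name translation falls back to the placeholder. That is the distinction Kerry Brown draws between the cached SIDs the machine needs to apply permissions and the directory lookup the WinNT script performed against the server. For auditing, the two lines worth watching are a member with IsDomainAdmins = True in the Administrators listing and the -512 SID turning up in the token of an account that is not supposed to be a domain admin.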