Printable View
We are currently migrating from windows XP machines to Windows 7 in our AD domain 2003. Windows 7 on these computers (as in XP), the domain administrators group is a member of local administrators to machines but, oddly, when opening a session with a domain admin account, it has not all local administrator privileges. This phenomenon does not occur with XP. I just want to know why domain administrator but not the machine.
I am also facing similar problem. This is reflected, for example, the obligation to perform "as administrator" for some applications or scripts that they work. These same applications (or scripts) in a "normal" from the local administrator account Windows 7 of our machines are no problem. Why domain administrators, members of the local administrators group, they did not have the same privileges as the local admin accounts?
Do not you rather refer to the UAC? Even as admin of the machine if you throw software you have a window that appears and asks you permissions. If that is the UAC that does not mean that you do not have permission for it you just have to continue and it will work otherwise it will ask you to enter the admin account. Otherwise, normally even without your group added to local admin group as you log on with an account you domain admins you have full control over the machine. Have you tried another account with admin area?
No, the UAC is not an issue for simple reason that I disabled for the administrator accounts. I even checked in the BDR if the key was well positioned: NA. I will take a concrete example: With a domain admin account, I log on a machine and I run win7 prompt command line to initiate an audit of the local hard disk (chkdsk c: / f). Response of Windows: "You do not have the privileges required to run this operation." For this to pass it is necessary that I open the command prompt "as administrator". The phenomenon occurs with all of the domain admin accounts without exception. I'm beginning to wonder if my master deployment would not just HS.
Bad idea to disable it, it greatly reduces security. UAC behavior logic. Just cause elevation of privilege before? Else perform tasks requiring elevated privileges. UAC is? Even more important when you are logged in Admin> domain: You have so many rights that Is pretty good for be accused of an elevation of privilege: imagine a worm that running under your account.
That still poses problems, we, the admins, because we rarely do we connect with the admin account the machine room (especially remote). This account does not have the required permissions on our structure and AD in general. Be warned, this is indeed good but we are still supposed to know what we're doing. Is there any solution for problem?