Domain user with local admin rights OFF the network

Having an issue with our new Windows 7 machines. Have added pc to domain (2003 Server/AD), have added domain user to local admin group (e.g. DOMAIN\user). Can run applications as administrator as long as they are connected physically to domain. Pull the plug, the user DOES NOT have admin rights to add printer, run app, etc. Never had this problem with XP. If you plug the machine back into the wire, admin rights are back... What do I need to change?
Thanks in advance.


Noob Whisperer
very cool....guessing GPO domain or perhaps local, stopping the caching of security credentials. Can you log off and log onto the computer with the domain user's credentials when they are unplugged?

You CAN login using Domain user credentials when disconnected; just no admin rights. No changes to GPO, using only default. Should be no local policy being applied.


Noob Whisperer
Any errors being reported in event viewer, any pop up dialog box messages, options greyed out? I assume we're talking about adding a local printer when disconnected, so what exactly is happening when you try, or am I completely missing the mark?

Haven't looked in event viewer - will do. Adding a local printer was EXACTLY what the user was trying to do - came back with error "You need to be logged on as administrator - or have admin equivalent rights..." You are right on! We have numerous users that work locally in office (on Domain) that take their laptops home. One profile, one user, same files, no syncing, etc... User took laptop home, tried to add printer - Let me take a look at event logs.


Noob Whisperer
You can have a look at this, since apparently your domain user, who has been added to the local administrators group, is still not being recognized as a local administrator, it may help. It seems the situation is the same as yours; it discusses a local security policy and adding a GUID. I haven't had time to test it but it might help get you by for now: Install printer without being administrator


Noob Whisperer
This is just another shot in the dark here, but have you tried to disable UAC (User Account Control) locally on the Win7 laptop, just as an experiment? I have seen some weird behavior in domain environments associated with this applet. You can look here if you aren't familiar: Disable User Account Control (UAC) in Windows 7 - IIS Hacks | Server and System Administration

Only thing in event viewer worth noting: "The processing of group policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has been successfully processed. If you do not..." Will take a look at GUID info. Bigger concern was no admin rights for programs, changes to registry, etc - Printer not such a worry.

Security log shows successful logon using explicit credentials, followed by an account was successfully logged on, then special privileges assigned to new logon. UAC was/is set to Notify me only when making changes... Will drop to lowest and try this again.

Local Group Policy is as follows; will change one at a time to see what happens...

"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" IS set to "Elevate without prompt"

"Detect application installations and prompt for elevation" was set to "Enabled", will change to "Disabled"

"Run all administrators in Admin Approval Mode" IS set to "Disabled"

Only elevate UIAccess applications that are installed in secure locations was set to "Enabled" will change to "Disabled" - Let's see what happens - Thanks everybody!!!!
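
To capture the effective values of the UAC settings listed above, together with the cached-logon count and whether the current logon token actually carries an enabled Administrators group, a read-only check like the following can be run once on the wire and once unplugged and the two outputs compared. It is an added example, not part of the original thread; it assumes the standard registry values that back these local policies, and the output layout is constructed for illustration.

```powershell
# Added example: read-only diagnostic, PowerShell 2.0 compatible (Windows 7).
# Run it once connected to the domain and once unplugged, then compare.

# Registry values behind the local UAC policies listed in the post.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacValues = @(
    @('EnableLUA',                  'Run all administrators in Admin Approval Mode'),
    @('ConsentPromptBehaviorAdmin', 'Behavior of the elevation prompt for administrators'),
    @('EnableInstallerDetection',   'Detect application installations and prompt for elevation'),
    @('EnableSecureUIAPaths',       'Only elevate UIAccess applications in secure locations')
)
foreach ($pair in $uacValues) {
    $prop  = Get-ItemProperty -Path $uacKey -Name $pair[0] -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.($pair[0]) } else { '<not set>' }
    '{0,-28} = {1,-9} ({2})' -f $pair[0], $value, $pair[1]
}

# Number of domain logons cached for offline use (0 disables cached logon).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached   = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
'CachedLogonsCount            = {0}' -f $(if ($cached) { $cached.CachedLogonsCount } else { '<not set>' })

# Does the token of THIS process carry an enabled Administrators group?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
'Logged on as                 = {0}' -f $identity.Name
'Administrators enabled       = {0}' -f $isAdmin

# whoami lists BUILTIN\Administrators (S-1-5-32-544) even when UAC has
# filtered it to "Group used for deny only", so the attribute column matters.
whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544'
```

A change to EnableLUA only takes effect after a restart, so the comparison is meaningful only once the machine has been rebooted since the last policy edit.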


Noob Whisperer
Please keep me posted, very interesting problem. I wouldn't be surprised to find out that UAC doesn't play nice with cached domain credentials.

Made all changes to registry (so user does have some rights) to disable UAC, made the changes to the Group Policy. No change - Will look back at the GUID to see if it is just printer install - Strange - I was able to start a program setup from DVD (Roxio). May just be printers; I have created a local account for user to restart if necessary to get around issue. I just know more will be coming down the road. Let you know once I read how to add exception.

Have gone into GPO and added the two classGuid for printers from site. Also set "allow non-admin to install drivers" to ENABLED - with GUID added. No change.


Noob Whisperer
It can't possibly be this, you think it's possible that somehow there could possibly be some user account corruption locally? Have you tried it with another domain user account? I will see if I can duplicate the problem here, but the only options I have are a 2003 SBS AD/DC and a 2008r2 AD/DC. Not sure if I can get it done but I'm willing to try, if for no other reason than to try and resolve it locally.

We have a few desktops here that are running Windows 7. As soon as I can kick the users off, I will disconnect ethernet and see what happens. All users are setup as local admins - domain authentication. I'll let you know what I find.


Noob Whisperer
Just to keep you up with what I'm doing here. Windows 7 32-bit client machine. I joined it to my 2008r2 AD domain. Created a new user account in domain called testuser. On the Windows 7 client added that specific domain user, not the entire domain users group, just that guy, to the local administrator group. Logged on as that user, disconnected the ethernet cable, logged off and logged back on to make sure I was using cached credentials. Plugged in my spare HP 990cxi USB printer, and the printer was installed automatically without any prompts for elevated privileges or anything, just worked automagically, printed test page successfully. No problems whatsoever. Now will try my 2003 SBS domain and see what happens there.

Not laptop or PC specific; Same problem on 3 desktops; Unable to install printer app/not member of Admin group. Plug the cable back in, and they can all run application. Bizarre!

Sounds like you are having better luck than I am. We add only the primary user from our Domain users list 2003AD, eg. DOMAIN\user and the Domain Administrators to the Local Administrators group. Can run only if it sees the network...

Maybe it is specific to this Canon software? Let me try some HP or other printer installer...Dymo maybe...


Noob Whisperer
Are you right clicking on the program's executable and choosing "Run as Administrator", and if so are you being prompted for a username and password?

When the machine is connected to the wire, do not have to right-click, run as - Runs fine, normal...
With cable unplugged, right-click, Run as Administrator fails. Consistent across 3 machines now. Still haven't had a chance to try other printer software.


Noob Whisperer
Just so you know, I repeated steps from post #14 only this time using my 2003 SBS AD domain. The printer installed without incident, even removed it and plugged it into another USB port and again installed no problem. Not any help I know, just going through some steps. Trying to think of some software I could use to emulate your issue.
