Why doesn't local administrator group have full administrator rights?

#1
A little background and info: I support a number of people who for one reason or another need to be able to do things a local admin can do, like install programs and start services (or more accurately, allow a program they're running to start a service). All users are in the local administrators group. The local admin account is enabled (and renamed) so that we as administrators have local access when the machine comes in for service. The machines are joined to an AD domain so that we can control a lot of the security via GPO. Everything worked fine in XP.

We are getting a few different "you do not have permission" errors. When the user tries to run OpenAFS (which starts a service) they get a "you do not have permission" error. There is no way around this error.

Also, when the users try to run Lotus Notes they get a "you do not have permission" error. When we go into compatibility mode and check "run as administrator" (or just right-click and "run as administrator") it works fine, but they have to click through the elevated privileges prompt. The program was installed while logged in as the user.

Again, all users are members of the local administrators group. When the local admin account logs in all these programs run fine. This behavior started in Vista and I chalked it up to "vista sucks". Windows 7 so far seems to be great, except that like in vista, members of the local administrators group are not really local administrators. How do I make them true local administrators?
 


#2
You may want to go into the security settings on your C system or any other drive accessed (directly or through software) by the local admin group, then enter the advanced security settings and grant the local group necessary permissions.

There is also the possibility that some programs aren't written very well and have to be both installed and run as administrator.
 


#3
hmmm, I hadn't bothered with looking at permissions because this is a fresh build and in my stubborn head I'm thinking "but I'm a LOCAL ADMINISTRATOR!!!! Nothing should be off limits!" Well that's mostly true. Looking at the security for the c:\ it shows the local administrator group as having full control, but it shows the owner as "TrustedInstaller".

Either way, local administrator group has full control rights at the root of C, which is inherited down the line.
 


Trouble

Noob Whisperer
#4
All users are in the local administrators group
Does this mean that you have configured the local administrators group on the Windows 7 machine to include all members of the "Domain Users" group?
 


#5
Does this mean that you have configured the local administrators group on the Windows 7 machine to include all members of the "Domain Users" group?
No, we add the individual users account to the group. That way if someone else on the domain logs in they don't have rights.
 


Trouble

Noob Whisperer
#6
Then you may have to run the whole resultant set of policies thing to see if that user has any conflicting memberships in domain groups or organizational units, etc. that might be causing the issue. But first just as an experiment, try turning off the UAC on the local machine and see if that has any impact at all.
 


tswann01

Well-Known Member
#7
Kevin et al,

I have run into the same issue ... the first time it happened, I discounted it as an aberration. Today, it happened again. The Administrators group has Full Control, but I get errors telling me I lack sufficient permissions. Then, I assign the Users group Full Control, and the error goes away.

I am a member of the Administrators group. I never saw this issue on WinXP. I have seen it 2x now in the ~1 month that I have had Win7.

My workaround to this point has been to take the offending file and assign Full Control to the Users group. I'm sure this is sub-optimal from a security perspective, so I'm definitely open to suggestions.

We also use AD.

Thanks!!
 


Trouble

Noob Whisperer
#8
Kevin et al,

I have run into the same issue ... the first time it happened, I discounted it as an aberration. Today, it happened again. The Administrators group has Full Control, but I get errors telling me I lack sufficient permissions. Then, I assign the Users group Full Control, and the error goes away.

I am a member of the Administrators group. I never saw this issue on WinXP. I have seen it 2x now in the ~1 month that I have had Win7.

My workaround to this point has been to take the offending file and assign Full Control to the Users group. I'm sure this is sub-optimal from a security perspective, so I'm definitely open to suggestions.

We also use AD.

Thanks!!
tswann01:
Hello and welcome to the forums.
Double check and make sure that your user account does not have any cross-group membership conflicts. If you are a member of the administrators group then set that as your primary group and remove the "Users" group from your account and see if that helps. Setting full control on the Users group as a solution would suggest that your account is a member of a group (probably Users) that has fewer privileges (permissions) to the resource and as a consequence your account is resorting to the most restrictive permissions.
 


Trouble

Noob Whisperer
#9
To even further muddy the waters of understanding the problem, it seems that the issue can be related to UAC (User Account Control) running on the local machine and/or the server (2008 or 2008 R2). It seems that with UAC turned on (default), domain members or local users that are included in the "Administrators" group (local or domain) receive what's called a "Filtered Token", which is evidently two access tokens representing the user account at logon, and it seems, as best I can tell, the only account that is actually exempt from this behavior, at least in the case of local accounts, is the built-in local administrator account (normally disabled by default).

Filtered Token.
When a user with administrative rights, other powerful privileges, or a specific group membership logs on, the Windows operating system creates two access tokens that represent the user account. One has all the user’s group memberships and privileges, while the filtered token represents the user with the equivalent of standard user rights. A filtered token is used to run the user’s programs by default. An unfiltered token is associated only with elevated programs. An account that is a member of the Administrators group and gets a filtered token at logon is called a Protected Administrator account.
When an administrator logs on to a computer that is running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by the Windows operating system to control what resources and tasks the user can access.

UAC
Unlike earlier versions of Windows, when an administrator logs on to a computer running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user.
SOURCE: User Account Control Step-by-Step Guide
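As an added example, not code from the thread or from the Microsoft guide quoted above, the following PowerShell shows the two tokens the quoted text describes. Run it once in an ordinary window and once in a "Run as administrator" window: in the first, BUILTIN\Administrators is still on the token but marked deny-only and the integrity level is Medium; in the second it is a normal enabled group at High integrity.

```powershell
# Added example (not code from the thread): expose the UAC "filtered token" for the current session.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Effective view: IsInRole() honours the deny-only attribute, so in a non-elevated
# session it returns $false even though the account is a member of Administrators.
$effectiveAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Nominal view: whoami lists every group SID on the token together with its attributes.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
$label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # integrity (mandatory) level

[pscustomobject]@{
    User                    = $identity.Name
    InAdministratorsGroup   = [bool]$admins
    AdministratorsAttribute = $admins.Attributes     # "Group used for deny only" means a filtered token
    IntegrityLevel          = $label.'Group Name'    # Medium Mandatory Level = filtered, High = elevated
    EffectiveAdmin          = $effectiveAdmin        # $false under the filtered token, $true when elevated
}
```

A file ACL that grants Administrators Full Control is evaluated against the effective view, which is why a process started from the desktop (filtered token) is refused while the same process started with "Run as administrator" succeeds.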
 


tswann01

Well-Known Member
#10
Trouble, I think you are right with this Filtered Token / UAC thing. In answer to your previous suggestion, which made perfect sense, I am listed as a member of the Administrators Group only, and am not a member of the Users group. So it must be that, behind the scenes, something is happening so that I am treated like a member of the Users group. I don't *see* any Service running called UAC or User Account Control ... is it not a Service?

So I also notice that some programs allow me to "Run As Administrator" ... maybe that would be another possible way to avoid the User token issue.

Thanks!
 


Trouble

Noob Whisperer
#11
On the individual machines you can check and adjust the local user account control settings by simply typing
user account control
into the search box and hitting enter. You can then turn it off by sliding the control all the way to the bottom and rebooting to test and see if that is what is producing your issues.
And yes, choosing "Run as Administrator" is also a potential option; however, depending on the application, your results can vary as to how successful that option can be. You can set this option to be persistent by simply right-clicking the shortcut to the executable, choosing properties, then the compatibility tab, and checking the box; you can set other compatibility options there as well.
Keep us posted.
Regards
Randy
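As an added example, not code from the thread, this PowerShell reads the registry values behind the UAC slider and behind the compatibility-tab "Run this program as an administrator" checkbox, so the state can be audited, or compared between the machines that behave differently, without changing anything. The registry paths and value meanings come from the standard UAC and application-compatibility documentation, not from the thread.

```powershell
# Added example (not code from the thread): audit the UAC slider state and any
# per-executable "Run this program as an administrator" compatibility settings.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA                   # 0 = UAC off entirely (needs a reboot), 1 = on
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin  # 0 = elevate silently, 5 = default consent prompt
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop       # 1 = prompt on the dimmed secure desktop
    FilterAdministratorToken   = $uac.FilterAdministratorToken    # absent/0 = built-in Administrator is exempt from filtering
}

# The compatibility-tab checkbox is stored per executable path under AppCompatFlags\Layers.
# HKCU holds settings made "for me", HKLM those made "for all users"; the data contains
# RUNASADMIN when the box is ticked (other layers such as WINXPSP3 may appear alongside it).
$layerKeys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
             'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
foreach ($key in $layerKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PSPath/PSParentPath/... that Get-ItemProperty adds
        if ($p.Value -match 'RUNASADMIN') {
            [pscustomobject]@{ Scope = $key.Split(':')[0]; Executable = $p.Name; Layers = $p.Value }
        }
    }
}
```

Comparing this output between a machine that works and one that throws "you do not have permission" narrows the question to UAC state versus per-application settings before any policy is changed.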
 


#12
On the individual machines you can check and adjust the local user account control settings by simply typing
user account control
into the search box and hitting enter. You can then turn it off by sliding the control all the way to the bottom and rebooting to test and see if that is what is producing your issues.
And yes, choosing "Run as Administrator" is also a potential option; however, depending on the application, your results can vary as to how successful that option can be. You can set this option to be persistent by simply right-clicking the shortcut to the executable, choosing properties, then the compatibility tab, and checking the box; you can set other compatibility options there as well.
Keep us posted.
Regards
Randy

You already made my day. This is a great solution; my question would be:
Why does this apply only to certain installations? I have installed some W2008 R2 servers, and this is the first one that makes me crazy with "not permissions" messages.
If anybody knows the answer to this, I will be happy.
 

