Why doesn't local administrator group have full administrator rights?

Discussion in 'Windows 7 Help and Support' started by KevinS, Feb 22, 2010.

  1. KevinS

    KevinS New Member

    Joined:
    Feb 22, 2010
    Messages:
    6
    Likes Received:
    0
    A little background and info: I support a number of people who for one reason or another need to be able to do things a local admin can do like install programs and start services (or more accurately allow a program they're running to start a service). All users are in the local administrators group. The local admin account is enabled (and renamed) so that we as administrators have local access when the machine comes in for service. The machines are joined to a AD domain so that we can control a lot of the security via GPO. Everything worked fine in XP.

    We are getting a few different "you do not have permission" errors. When the user tries to run OpenAFS (which starts a service) they get a "you do not have permission" error. There is no way around this error.

    Also, when the users try to run Lotus Notes they get a "you do not have permission" error. When we go into compatibility mode and check the "run as administrator" (or just right click and "run as administrator) it works fine, but they have to click the elevated privileges. The program was installed while logged in as the user.

    Again, all users are members of the local administrators group. When the local admin account logs in all these programs run fine. This behavior started in Vista and I chalked it up to "vista sucks". Windows 7 so far seems to be great, except that like in vista, members of the local administrators group are not really local administrators. How do I make them true local administrators?
     
  2. cybercore

    cybercore New Member

    Joined:
    Jul 7, 2009
    Messages:
    15,823
    Likes Received:
    321
    You may want to go into the security settings on your C system or any other drive accessed (directly or through software) by the local admin group, then enter the advanced security settings and grant the local group necessary permissions.

    There is also the possibility that some programs aren't written very well and have to be both installed and run as administrator.
     
  3. KevinS

    KevinS New Member

    Joined:
    Feb 22, 2010
    Messages:
    6
    Likes Received:
    0
    hmmm, I hadn't bothered with looking at permissions because this is a fresh build and in my stubborn head I'm thinking "but I'm a LOCAL ADMINISTRATOR!!!! Nothing should be off limits!" Well that's mostly true. Looking at the security for the c:\ it shows the local administrator group as having full control, but it shows the owner as "TrustedInstaller".

    Either way, local administrator group has full control rights at the root of C, which is inherited down the line.
     
  4. Trouble

    Trouble Noob Whisperer

    Joined:
    Nov 30, 2009
    Messages:
    13,845
    Likes Received:
    833
    Does this mean that you have configured the local administrators group on the Windows 7 machine to include all members of the "Domain Users" group?
     
  5. KevinS

    KevinS New Member

    Joined:
    Feb 22, 2010
    Messages:
    6
    Likes Received:
    0
    No, we add the individual users account to the group. That way if someone else on the domain logs in they don't have rights.
     
  6. Trouble

    Trouble Noob Whisperer

    Joined:
    Nov 30, 2009
    Messages:
    13,845
    Likes Received:
    833
    Then you may have to run the whole resultant set of policies thing to see if that user has any conflicting memberships in domain groups or organizational units, etc. that might be causing the issue. But first just as an experiment, try turning off the UAC on the local machine and see if that has any impact at all.
     
  7. tswann01

    tswann01 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    4
    Likes Received:
    0
    Kevin et al,

    I have run into the same issue ... the first time it happened, I discounted it as an aberration. Today, it happened again. The Administrators group has Full Control, but I get errors telling me I lack sufficient permissions. Then, I assign the Users group Full Control, and the error goes away.

    I am a member of the Administrators group. I never saw this issue on WinXP. I have seen it 2x now in the ~1 month that I have had Win7.

    My workaround to this point has been to take the offending file and assign Full Control to the Users group. I'm sure this is sub-optimal from a security perspective, so I'm definitely open to suggestions.

    We also use AD.

    Thanks!!
     
  8. Trouble

    Trouble Noob Whisperer

    Joined:
    Nov 30, 2009
    Messages:
    13,845
    Likes Received:
    833
    tswann01:
    Hello and welcome to the forums.
    Double check and make sure that your user account does not have any cross group membership conflicts. If you are a member of the administrators group then set that as you primary group and remove the "Users" group from your account and see if that helps. Setting the full control on the user's group as a solution would suggest that your account is a member of a groups (probably users) that has less privledges (permissions) to the resource and as a consequence your account is resorting to the most restrictive permissions.
     
  9. Trouble

    Trouble Noob Whisperer

    Joined:
    Nov 30, 2009
    Messages:
    13,845
    Likes Received:
    833
    To even further muddy the waters of understanding the problem, it seems that the issue can be related to UAC (User Account Control) running on the local machine and or the server (2008 or 2008r2). It seems that with UAC turned on (default) that domain members or local users that are included in the "Administrators" group, (local or domain) receive what's called a "Filtered Token" which is evidently two access tokens representing his user account at logon and it seems as best I can tell the only account that is actually exempt from this behavior at least in the case of local accounts is the built in local administrator account (normally disabled by default.

    SOURCE: User Account Control Step-by-Step Guide
     
  10. tswann01

    tswann01 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    4
    Likes Received:
    0
    Trouble, I think you are right with this Filtered Token / UAC thing. In answer to your previous suggestion, which made perfect sense, I am listed as a member of the Administrators Group only, and am not a member of the Users group. So it must be that, behind the scenes, something is happening so that I am treated like a member of the Users group. I don't *see* any Service running called UAC or User Account Control ... is it not a Service?

    So I also notice that some programs allow me to "Run As Administrator" ... maybe that would be another possible way to avoid the User token issue.

    Thanks!
     
  11. Trouble

    Trouble Noob Whisperer

    Joined:
    Nov 30, 2009
    Messages:
    13,845
    Likes Received:
    833
    On the individual machines you can check and adjust the local user account control settings by simply typing
    user account control
    into the search box and hitting enter. You can then turn it off by sliding the control all the way to the bottom and rebooting to test and see if that is what is producing your issues.
    And yes choosing "Run as Administrator" is also a potential option, however depending on the application your results can very as to how successful that option can be. You can set this option to be persistent, by simply right clicking the shortcut to the executeable and choosing properties and then the compatability tab and checking the box and you can set other compatability options there as well.
    Keep us posted.
    Regards
    Randy
     
  12. hriosm

    hriosm New Member

    Joined:
    Feb 4, 2012
    Messages:
    2
    Likes Received:
    0

    You already made my day. this is a great solution, my question would be :
    why this applies only at determinated instalations? i have installed some w2008 R2 server, and this is the first one that makes me crazy with "not permissions" messages.
    if anybody know this other answer i will be happy.
     

Share This Page

Loading...