
I'm in an Active Directory domain, remoted into a server in which my domain account is in the Administrators group.

Someone else removes me from that Administrators Group while I'm still logged in. However, I still retain all my admin rights until I log off.

That seems counterintuitive, so I wonder if there is something that I'm missing? I've seen the question about emergency logoff - is this my only choice, or are there other ways to force at least a permission update to the user so that while they may still be logged in, they at least no longer have admin rights?

Michael Stum
Your question refers to both `permissions` and `rights`, so just to clarify (because I think it's important to make the distinction): while being a member of the Administrators group does proffer `permissions` on objects in AD, as well as the file system, the complementing aspect is the `user rights` granted to users in the Administrators group. In the context of this question, when you talk about the `permissions` you're granted as a member of the domain Administrators group, I think you're really referring to the `user rights` granted to you via that group membership. – joeqwerty Feb 24 '15 at 02:36

1 Answer


No - the admin permissions are due to a group membership.

A group membership is stored in a user's Kerberos ticket, which will persist until they log out or the ticket expires and is renewed (its lifetime is 10 hours by default but may be customized in your domain).

Logging them off or waiting for the expiration are the only ways to take away the group memberships that grant admin rights.

Shane Madden
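A check an administrator could run on the server to spot the situation described in this thread, added here as an example and not part of the original question or answer. It compares the group SIDs held by the current session with the present membership of the local Administrators group. Assumptions: an elevated PowerShell session with the built-in `Microsoft.PowerShell.LocalAccounts` module; the function name `Test-StaleAdminToken` is hypothetical; only removal from the local group itself is detected, not removal from a domain group nested inside it.

```powershell
# Added example: detect a session that still carries BUILTIN\Administrators
# although the account is no longer granted it by current group membership.
# Run elevated: in a non-elevated (UAC-filtered) session the group is
# deny-only and is not returned by WindowsIdentity.Groups.

$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Test-StaleAdminToken {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # SIDs fixed in the session at logon: the user plus every enabled group.
    $tokenSids = @($identity.User.Value) +
                 @($identity.Groups | ForEach-Object { $_.Value })
    $tokenHasAdmin = $tokenSids -contains $adminSid

    # Direct members of the local Administrators group as of right now.
    $memberSids = @(Get-LocalGroupMember -SID $adminSid |
                    ForEach-Object { $_.SID.Value })

    # Is the user, or any group held by the session, still a direct member?
    $stillGranted = [bool]($tokenSids | Where-Object { $memberSids -contains $_ })

    [pscustomobject]@{
        User                   = $identity.Name
        TokenHasAdministrators = $tokenHasAdmin
        GrantedByCurrentGroup  = $stillGranted
        # True: the session kept admin membership that has since been revoked.
        Stale                  = $tokenHasAdmin -and -not $stillGranted
    }
}

Test-StaleAdminToken | Format-List

# Cached Kerberos tickets for this logon session, with start, end and
# renewal times, to see how long the existing tickets remain valid.
klist
```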