0
0
Whenever I reboot Windows 7, I find that my domain user, under which I login and work, is not any more part of local Administrators group (or any groups included into Administrators group or domain administrators group) which is the result of domain policies applied during reboot.
So, I have to add my domain user to local machine Administrators group upon each reboot. I thought, only administrators can add users to Administrators group. So, why is it possible that non-admin user can add herself to administrators?
I am also puzzled by this situation because I beleived that some of the rights/accesses require reboot in order adding to admin group would take force but on rebooting the domain policies exclude my domain users from Administrators group, then I add "myself" to administrators group.
Fulproof
Posted 2013-11-28T04:07:36.400
Reputation: 101
I would ask you IT Admin the reason this is possible. – Ramhound – 2013-11-28T04:15:09.570
If you're not admin, you can't even access Computer Management page (which I tend to use to add user into Local Administrator group). Your current domain username MAY be part of another Domain Group which is member of the Local Administrator group (that you somehow not aware of). The removal of your Domain\User from the Local Admin group does not remove you from whatever Domain Group that may have admin right on the machine. – Darius – 2013-11-28T06:34:27.237
@Ramhound , thanks I've asked. They do not even know why my account is continuously kicked out of Administrators group on each reboot. The funny thing is that this happen on my local workstation while my domain user sticks with Administrators group on dozens of remote servers – Fulproof – 2013-11-28T08:18:18.307
@Darius , I know. But this is my question: "Whether is it possible and how that my account is administor without being part of any group giving administrator membership"? – Fulproof – 2013-11-28T08:19:54.050
@Fulproof - The simple answer is that your account is still a domain administrator, domain permissions override local, permissins – Ramhound – 2013-11-29T01:01:18.140
@Fulproof Your workplace seems to use similar group policy to where I work. Our group policy are set to overwrite any entry in the "Administrators" group with some groups that the Domain Admin has set. So even if you can add your own username into the Local Admin group, the group policy will kick in at the next reboot and your username will get wiped. But the reason you still have admin right will be as Ramhound's comment, your username is part of a group that either inside the Local Admin group, or you are part of Domain Admin group. – Darius – 2013-11-29T02:26:50.567
@Ramhound and Darius, thanks. I am sure my domain account is not part of domain administrators. I can only think out that my domain user rights are being cached – Fulproof – 2013-11-29T09:20:43.040
What issues are you having, that you want the "domain user" to be part of the "local administrators"-group? Perhaps you don't see it, but the domain-user might still be part if it, because you can go to the "Computer Management page" like Darius suggested. The fact you can add yourself to the local administrators group shows you're already part of it and have "admin privileges". So you should be able to do anything an administrator can, locally. – Rik – 2013-11-29T10:51:55.130
possible duplicate of How to create an admin account from non-admin privileges
– a CVn – 2014-06-01T15:42:27.593