Windows Server 2003
1833825 Members
1976 Online
110063 Solutions
New Discussion

Re: User's right in Local Machine

 
SOLVED
Go to solution
Danny_86
Advisor

User's right in Local Machine

Hi,

In a laptop that is running WinXP, I've checked through the Local Administrators Group and do not see any user or user group assigned to it. But when a user login to the laptop, they are able to install program. So I would like to check how can this be possible? Is it done via some group policy pushed down from the DC? I'm trying to restrict the user from installing anything on their machine. Please advice.

Thank you
Danny
3 REPLIES 3
Hugo Tigre
Trusted Contributor
Solution

Re: User's right in Local Machine

hi danny,

If you have that laptop logged in the domain, then that user that is logging in, is in the Active Directory not in the local computer. And that account can be many things, like an administrator, a domain administrator, etc.

And also, the account that are on the AD don't appear on the local computers. You can still use the local computer accounts to log on the computers, but in this case you can't log on to the domain, and probably won't get access to the recourses that you need.

So, first thing you should check is if the user account that is being used in that computer, is in the AD and with what privileges.


regads,
hugo
Ronald Postma
Honored Contributor

Re: User's right in Local Machine

Hi Danny,
One thing I find rather strange. If the laptop is joined to the domain the domain admins group is automaticly added to the local admins of that laptop.

If the laptop is added to the domain, something is not default if the group is empty, I can not thing of an GP that removes the domain admins from the local admins.

But you can add a domain group to the local group "Power users" and "users" in useraccount in the control panel, I also think that can be done with GP,.

Regards, Ronald
The logic of Microsoft: "Press START to shut down the pc"
Danny_86
Advisor

Re: User's right in Local Machine

Hi Everyone,

Thank you for your help. I've found that this is set in the group policy that is pushed down to the user.

thank you very much

br
danny