My question is ...

How do I grant domain admins the same rights at the local built in account "Administrator" when I add a new server to the domain to avoid domain admins having to constantly escalate permissions beyond what they seem to have?

EDIT:

This seems to be causing some confusion so ...

I have a domain, with a domain admins group of which I am a member. I have a new server, just joined the domain, and on that server I can login because the local group "Administrators" has member "Domain Admins".

So I as a domain admin on this server am also considered to be a local Admin too.

Now lets say I want to install a new applciation on the server and this requires admin rights.

I right click the installer, I then select "Run as Administrator" and get the usual UAC dialog pop up.

I put MY credentials in there (from my domain account, the same credentials I used to login to the server with) ... and it rejects those credentials with the validation message ... "The requested operation requires elevation".

So my question is ...

Why are my domain administrator credentials not enough to allow me to act as a local administrator on the box when I am in the Domain Admins group which is a member of the local Administrators group?

Instead I have to "elevate" my permissions to the account named "Administrator" on the local machine before my Account is granted the rights to do the install.

9

1 Answer

Microsoft TechNet article (v=ws.11).aspx provides a perfect answer for this; and it's to do with the fact that even "local Administrator" accounts still run with "standard user" tokens for normal day-to-day activity.

What does "running with a full administrator token" or "running with an elevated token" mean in User Account Control?

Applies To: Windows Server 2008 R2

Applications normally run with the level of access granted in a standard user access token, even if the applications are started by a user that is a member of the local Administrators group. "Running with a full administrator access token," sometimes referred to as "running with an elevated access token," means that an application is allowed to use the user's full administrator access token, which includes the administrator security identifiers (SIDs).

Note The user must be logged on as a local administrator or be able to provide credentials for a member of the local Administrators group.

Side note: Although the article applies to Server 2008 R2 the same would also apply to all modern Windows client and server versions.

4

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy