Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Domain users and the super admin account

08 Sep 2009   #1

Windows 7
Domain users and the super admin account

Hey all,

I have recently installed Windows 7 on my development machine at work primarily in order to test it and get a feel for it and all the little things that can go wrong before the IT department I work for roll it out to all the other employees at the company. (They're still on XP SP 3).

Unfortunately, I'm experiencing several crippling issues caused by the stricter administration model used in Windows 7 (and Vista, for that matter) compared to Windows XP. We have programs crashing or refusing to install or run because they were designed for XP and require admin rights. So when they're unable to acquire them from Windows 7, the programs throw exceptions. An example of this is Trend Micro OfficeScan, a popular antivirus program used in many companies. This program is caused to install by start-up scripts that are run when you log on to your computer using your domain username and credentials, but the installer crashes, because the domain user is not a local super admin.

And that's the core of this question. I want my domain user to have full administrative privileges. I've done a lot of research on this particular problem and I realize it's possible to activate a special super admin-account that has full access to everything on the computer, but that workaround doesn't cut it for me, because the only thing that accomplishes is to make the super admin account available for login, but the super admin account is not a domain user at my company's network, it is a local user. It doesn't have access to the company's network resources and therefore, it is useless to me. What I want, is for my domain user and credentials to have super admin privileges.

Is that possible in Windows 7? I am essentially looking for a way to elevate any user of a system to have the same privileges as the super admin account. I realize this is a potential security risk because everybody and everything has access to installing everything on the system, but frankly, the amount of software that Windows 7's security model causes to malfunction due to too strict security features is too high a price to pay.

In many cases, it corresponds to pulling the network cable out of the wall: Sure, you won't get attacked by malware, but you won't get any work done either.

Any and all help appreciated.

My System SpecsSystem Spec
08 Sep 2009   #2

Windows 10 Pro x64 x2 Windows 10 Enterprise x64, Ubuntu

Due to the Dual token design of the security model in use you will have issues with applications designed for the older model.

The solution to this need not be an all or nothing one however, It should be possible to give the required installer rights to the user group(s) concerned, directly.

This may be done universally to the complete program files folder(s) or more usefully to individual folders for the older problem apps.

I have seen situations where a non working older program can be made to work/Install by the granting a standard user full access rights to a single settings file or to the installation folder.

Depending on what you desire as a company you can make some groups allowed to install some software or not just by the application of the correct rights, In a domain environment this is of course a lot easier than a peer to peer set up.

Unfortunately due to the developers taking the easy way out with regards to administrative rights with XP there will be some re-thinking required by those tasked with moving to a more secure modern OS. This is quite possible though there will be a learning curve.

The main issue with application installation is not the need for a "super" admin but the "trusted user" used by UAC to protect the Program store. by taking ownership of the role of this "User" most if not all issues may be resolved.

Full information on the Trusted Installer scenario is available from Microsoft on technet - or of course by many independents
My System SpecsSystem Spec
10 Sep 2009   #3

Windows 7 x86/x64, Server 2008r2, Web Server 2008

I ran into the same issuse.
Login in to the local administrator account.
Go under Administrative tools,
>Local Users and Groups,
and make sure Domain Admin is added to the list of administrators.

Run cmd,
gpupdate /force
That updates all of your group policies.
Log back in as your domain administrator account and see if that works.
My System SpecsSystem Spec

06 Jan 2011   #4

Windows 7 Home Premium 64-bit
Domain users' security access control fix

I was very frustrated as well with Windows 7 not allowing any users logged into a domain any administrative access, so I started searching.

I was unable to find anything resembling "Local Users and Groups" under "Adminisrative Tools". After hacking around for an hour, I was able to finally locate something I saw in another page. They said:

Login in to the local administrator account.
Control Panel
Administrative Tools
>Local Users and Groups (and several steps after that)

Well at that step I was lost because there is NO "Local Users and Groups" in my Administrative Tools, thank you very much. I finally found "Local Users and Groups" a different way:

Control Panel
Users Accounts
Manage User Accounts
"Advanced" tab
in the "Advanced user mangement" section, click the [Advanced] button
DOMAIN\Domain Users

Of course you put in your domain name where I typed "DOMAIN", and click several buttons, right clicking, and double clicking in many places to follow the bread crumb trail I presented here.

Best of luck making Microsoft security work for you!
My System SpecsSystem Spec
10 Oct 2011   #5

Windows 7 Pro 64bit

The last post's approach fixed the problem for me, so just thought I'd add that the quick way to get to the local users & groups control area is to do:

Start | Run | lusrmgr.msc | enter

Or of course Win+R and lusrmgr.msc

My System SpecsSystem Spec
10 Oct 2011   #6

Windows 7 Ultimate x64

Right click on My Computers, Manage, and Local Users and Groups will be listed under "System Tools".

And unless somebody changed something, Domain admins will always be added to the local admin group on workstations when they are joined to the particular domain.
My System SpecsSystem Spec

 Domain users and the super admin account

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar help and support threads
Thread Forum
Windows 7 Domain Users Cannot Update w/o Admin
Our computer network was Windows XP Pro. We upgraded the computers to Windows 7 Pro. Under XP, users were allowed to update without any problems. With Windows 7, it prompts for an administrator account. The computers already have checked "Allow all users to install updates on this...
Windows Updates & Activation
Creating a local admin account NOT on domain
Hello, I am on a domain at my job and amd setting up a laptop for a user. We always set everyone up on the domain, but I am wanting to set up a local admin account, not on our domain so they cannot access all of our files. What is the best way to go about this?
General Discussion
Admin and Standard Account Users
Hi All, Windows 7 Professional 64bit I have used the guide on how to enable and hide the in-built admin account and was successful however I found that after making the account I used to set up Windows 7 from admin to standard user and then disabling the in-built admin account the UAC...
General Discussion
Advice about Admin users and if I can delete account or not?
Hi, I just want to delete my User account "David". When I initially installed Windows I provided the name David so I was the main and only User account. Now is it possible to delete that account, leaving me back at a user account screen to create a new main and only account? Note: I do not...
General Discussion
Can't login to local admin account after joining sbs2008 domain
Hi, we upgraded from sbs2003 server to sbs2008 server. We removed the pc from the old domain and then added it to the new domain. Something went wrong after we joined the new domain it doesn't see the new domain for login and the local Administrator account has been disabled. The only account...
Network & Sharing
Account Operators group, the Domain Admins group, the Enterprise Admin
how do I add these permissions to my account? I'm trying to change "How a Service is Started" and it won't let me without one of these persmissions. thx

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 22:55.

Twitter Facebook Google+

Windows 7 Forums

Seven Forums Android App Seven Forums IOS App