Domain users and the super admin account

[Christian]

Hey all,

I have recently installed Windows 7 on my development machine at work primarily in order to test it and get a feel for it and all the little things that can go wrong before the IT department I work for roll it out to all the other employees at the company. (They're still on XP SP 3).

Unfortunately, I'm experiencing several crippling issues caused by the stricter administration model used in Windows 7 (and Vista, for that matter) compared to Windows XP. We have programs crashing or refusing to install or run because they were designed for XP and require admin rights. So when they're unable to acquire them from Windows 7, the programs throw exceptions. An example of this is Trend Micro OfficeScan, a popular antivirus program used in many companies. This program is caused to install by start-up scripts that are run when you log on to your computer using your domain username and credentials, but the installer crashes, because the domain user is not a local super admin.

And that's the core of this question. I want my domain user to have full administrative privileges. I've done a lot of research on this particular problem and I realize it's possible to activate a special super admin-account that has full access to everything on the computer, but that workaround doesn't cut it for me, because the only thing that accomplishes is to make the super admin account available for login, but the super admin account is not a domain user at my company's network, it is a local user. It doesn't have access to the company's network resources and therefore, it is useless to me. What I want, is for my domain user and credentials to have super admin privileges.

Is that possible in Windows 7? I am essentially looking for a way to elevate any user of a system to have the same privileges as the super admin account. I realize this is a potential security risk because everybody and everything has access to installing everything on the system, but frankly, the amount of software that Windows 7's security model causes to malfunction due to too strict security features is too high a price to pay.

In many cases, it corresponds to pulling the network cable out of the wall: Sure, you won't get attacked by malware, but you won't get any work done either.

Any and all help appreciated.

 

[Barman58]

Due to the Dual token design of the security model in use you will have issues with applications designed for the older model.

The solution to this need not be an all or nothing one however, It should be possible to give the required installer rights to the user group(s) concerned, directly.

This may be done universally to the complete program files folder(s) or more usefully to individual folders for the older problem apps.

I have seen situations where a non working older program can be made to work/Install by the granting a standard user full access rights to a single settings file or to the installation folder.

Depending on what you desire as a company you can make some groups allowed to install some software or not just by the application of the correct rights, In a domain environment this is of course a lot easier than a peer to peer set up.

Unfortunately due to the developers taking the easy way out with regards to administrative rights with XP there will be some re-thinking required by those tasked with moving to a more secure modern OS. This is quite possible though there will be a learning curve.

The main issue with application installation is not the need for a "super" admin but the "trusted user" used by UAC to protect the Program store. by taking ownership of the role of this "User" most if not all issues may be resolved.

Full information on the Trusted Installer scenario is available from Microsoft on technet - or of course by many independents

 

[mckillwashere]

I ran into the same issuse.
Login in to the local administrator account.
Go under Administrative tools,
>Local Users and Groups,
>Groups
and make sure Domain Admin is added to the list of administrators.

Run cmd,
gpupdate /force
That updates all of your group policies.
Log back in as your domain administrator account and see if that works.

 

[ericward]

Domain users' security access control fix

I was very frustrated as well with Windows 7 not allowing any users logged into a domain any administrative access, so I started searching.

I was unable to find anything resembling "Local Users and Groups" under "Adminisrative Tools". After hacking around for an hour, I was able to finally locate something I saw in another page. They said:

Login in to the local administrator account.
Control Panel
Administrative Tools
>Local Users and Groups (and several steps after that)

Well at that step I was lost because there is NO "Local Users and Groups" in my Administrative Tools, thank you very much. I finally found "Local Users and Groups" a different way:

Control Panel
Users Accounts
Manage User Accounts
"Advanced" tab
in the "Advanced user mangement" section, click the [Advanced] button
Groups
Administrators
[Add...]
DOMAIN\Domain Users

Of course you put in your domain name where I typed "DOMAIN", and click several buttons, right clicking, and double clicking in many places to follow the bread crumb trail I presented here.

Best of luck making Microsoft security work for you!

 

[Funkster]

The last post's approach fixed the problem for me, so just thought I'd add that the quick way to get to the local users & groups control area is to do:

Start | Run | lusrmgr.msc | enter

Or of course Win+R and lusrmgr.msc

hth,
--
Olly

 

[pparks1]

Right click on My Computers, Manage, and Local Users and Groups will be listed under "System Tools".

And unless somebody changed something, Domain admins will always be added to the local admin group on workstations when they are joined to the particular domain.