User Account Rights


Smorgan11

IS-IT--Management
Sep 23, 2003
326
GB
Guys hope you are well and can help with this issue!


Just got a new client. The previous guy who did the IT is still at the company but is no longer in charge of the IT.

I have changed admin password and made sure his account is only domain users.

However the other day I had locked a PC as administrator and he managed to unlock it using his account. Checked all user accounts; no one bar me is an Administrator or has any rights above domain users.

What I would like is what user rights or account rights this guy has??? Is there a program I can find out the rights of everyone in the company!

Have checked everything with a fine tooth comb.

He does not know the admin password, and I know his password; tried to log on to the server and he is denied.


Many Thanks for your help

S
 
You say he unlocked a PC using his account details but was denied when he attempted to logon to a server, looks like he had local admin rights on that PC then. Maybe he explicitly added his user account to the local admin group on all PCs??

Also check what other groups he is a member of, maybe restricted groups were being used to add local admin rights??

Paul
MCSE


"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Albert Einstein
 
Just found out that this guy also managed to put a new PC in the domain!

Will check the PCs tomorrow as he is not in and see if he has local rights.

Strange how he can add PCs to the network!!! Thought you had to have admin rights to do this!


Many Thanks

S
 
By default any domain user can add up to 10 stations to the domain.
I'd check pagy's suggestion and check local admin rights.
 
porkchopexpress is correct; see the following link, read the second one listed.


To stop users from adding workstations to the domain, do this:

In the properties of the Domain Controllers OU in AD, open the Default Domain Controllers policy. Expand Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment. Edit the policy "Add Workstations to the Domain". Remove Authenticated Users and add Domain Admins.

As for the unlocking of a locked workstation, did he set up any delegations for himself while he was still an admin? Not sure if unlocking locked workstations is something you can delegate or not; never tried to delegate that authority.

hope this helps,

RoadKi11
 
You may have checked the known user accounts, but have you looked for other accounts? He could have created an additional account and added it to an administrators group. It wouldn't have to be Domain Admins, it could be Enterprise Admins too.
 
Guys,

Many Thanks for this. He had added himself to that particular PC. Also I have now removed the authenticated users from the OU.



Many Thanks Again

S
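
An audit covering the checks suggested in this thread, as an added example that is not part of any poster's reply: it lists the domain admin group members, reads the machine-account quota, shows which computer accounts were joined under that quota, and reports unexpected members of the local Administrators group on each PC. It assumes the RSAT ActiveDirectory module, PowerShell remoting enabled on the PCs, and PowerShell 5.1 or later on them.

```powershell
# Added example (not from the thread). Run from a management host as an account
# that has admin rights on the PCs being queried.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. Members of the domain-wide admin groups, nested members included.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Select-Object @{n='Group';e={$group}}, SamAccountName, objectClass |
            Format-Table -AutoSize
    } catch {
        # Enterprise Admins only exists in the forest root domain.
        Write-Warning "Could not read '$group': $($_.Exception.Message)"
    }
}

# 2. How many computers an ordinary user may join (the "10 stations" default).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 3. Computer accounts created under that quota: AD records the joining
#    user's SID in mS-DS-CreatorSID on those accounts.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties 'mS-DS-CreatorSID', whenCreated |
    Select-Object Name, whenCreated, 'mS-DS-CreatorSID' | Format-Table -AutoSize

# 4. Local Administrators on every enabled computer. S-1-5-32-544 is the
#    well-known SID of that group, so this also works on non-English builds.
$computers = (Get-ADComputer -Filter 'Enabled -eq $true').Name
$localAdmins = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
    -ErrorVariable failed -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object Name, ObjectClass, @{n='Sid';e={$_.SID.Value}}
    }

# Built-in Administrator (RID 500) and Domain Admins (RID 512) are expected;
# anything else was added by someone and needs an explanation.
$localAdmins | Where-Object { $_.Sid -notmatch '-(500|512)$' } |
    Sort-Object PSComputerName |
    Format-Table PSComputerName, Name, ObjectClass -AutoSize

# Hosts that were off or refused remoting have NOT been checked.
if ($failed) { Write-Warning "$($failed.Count) error(s); re-run for those hosts." }
```

Machines that were switched off or unreachable are not covered by the report, so repeat the run until the warning at the end is gone.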
 