windows 7 - Can non-admin user add himself administrator privileges?

06
2014-04
  • Fulproof

    Whenever I reboot Windows 7, I find that my domain user, under which I log in and work, is no longer part of the local Administrators group (or any groups included in the Administrators group or the domain administrators group), which is the result of domain policies applied during reboot.

    So, I have to add my domain user to the local machine Administrators group upon each reboot. I thought only administrators can add users to the Administrators group. So, why is it possible that a non-admin user can add herself to administrators?

    I am also puzzled by this situation because I believed that some of the rights/accesses require a reboot in order for the addition to the admin group to take effect, but on rebooting, the domain policies exclude my domain users from the Administrators group, then I add "myself" to the administrators group.


    Related Question

    permissions - Unable to authenticate to Windows Server 2003 for file browsing as non-administrator user
  • Fopedush

    I've got a Windows Server 2003 box containing a RAID 5 array I use for mass storage. I want to set up a special non-administrator account that can be used to browse files over the network, with only read access. Ideally I'll map my network drive as this user to avoid accidentally hosing my data, and mount as an administrator user on occasions where I actually need write access.

    I've created a non-administrator user on the Windows Server box (called "ReadOnly"), and granted the user read permissions on the folders I need. However, when I try to browse to the files, and authenticate as this user, I'm told "Permission denied". If I throw the ReadOnly user into the Administrators group, however, I can authenticate and browse just fine. I am, of course, only attempting to browse to folders for which I have given this user read permissions.

    Obviously my ReadOnly user is missing some privilege here, but I can't figure out what it is. I've been digging around in group policy editor all day to no avail. What am I missing?

    Fake Edit: I'm doing my browsing from a Windows 7 box, but I don't think that is relevant.


  • Related Answers
  • ggutenberg

    There are 2 sets of permissions you need to look at - sharing permissions and file permissions. Share permissions are set on the share itself and file permissions are set on the directory structure. Without sharing permission you won't be able to map the drive. With sharing permission but no file permission you will be able to map the drive but not browse it.

    You need to make sure your ReadOnly user has access to BOTH sets of permissions, and also that it's not in any group that has Deny permissions set on the share or files, as Deny overrides everything.
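
The two-layer check described in the answer above, as an added example that is not part of the original thread: a simplified Python model in which access must be granted by both the share ACL and the file ACL, and any matching Deny entry beats every Allow. The ACL contents, the `Guests` entry and all function names are constructed for illustration; the real ACLs on the asker's server are not shown on the page, and ACE ordering and inheritance are ignored.

```python
READ, WRITE = 1, 2

def layer_access(acl, groups):
    """Rights one ACL gives a token holding `groups` (user name included).
    Simplification taken from the answer: a matching Deny overrides any Allow."""
    allowed = denied = 0
    for kind, trustee, rights in acl:
        if trustee in groups:
            if kind == "deny":
                denied |= rights
            else:
                allowed |= rights
    return allowed & ~denied

def diagnose(groups, share_acl, ntfs_acl):
    """Classify the outcome for a network logon, mirroring the answer's cases."""
    share = layer_access(share_acl, groups)
    ntfs = layer_access(ntfs_acl, groups)
    if not share & READ:
        return "cannot map share"          # fails at the share layer
    effective = share & ntfs               # both layers must grant the right
    if not effective & READ:
        return "maps but cannot browse"    # share allows, files do not
    return "read-write" if effective & WRITE else "read-only"

# Constructed ACLs (assumptions, not taken from the question).
SHARE_ADMINS_ONLY = [("allow", "Administrators", READ | WRITE)]
SHARE_WITH_READONLY = SHARE_ADMINS_ONLY + [("allow", "ReadOnly", READ)]
NTFS = [("allow", "Administrators", READ | WRITE), ("allow", "ReadOnly", READ)]
NTFS_WITH_DENY = NTFS + [("deny", "Guests", READ | WRITE)]

if __name__ == "__main__":
    cases = [
        ({"ReadOnly"}, SHARE_ADMINS_ONLY, NTFS),
        ({"ReadOnly", "Administrators"}, SHARE_ADMINS_ONLY, NTFS),
        ({"ReadOnly"}, SHARE_WITH_READONLY, NTFS),
        ({"ReadOnly", "Guests"}, SHARE_WITH_READONLY, NTFS_WITH_DENY),
    ]
    for groups, share_acl, ntfs_acl in cases:
        print(sorted(groups), "->", diagnose(groups, share_acl, ntfs_acl))
```

Under these assumed ACLs, the first two cases reproduce the symptom in the question: file read permission alone is not enough, while membership in a group named on the share ACL is.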