Adding a local group to Windows Administrators group, no admin privs? | Off Topic | unofficial empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

You are not logged in. [Log In] empegbbs.com » Forums » General Discussion » Off Topic » Adding a local group to Windows Administrators group, no admin privs?

Topic Options

#367464 - 29/08/2016 18:34 Re: Adding a local group to Windows Administrators group, no admin privs? [Re: tfabris]
drakino carpal tunnel Registered: 08/06/1999 Posts: 7868	Originally Posted By: tfabris - Add a Domain sub-group to a Local Admins group = works. - Add a Local sub-group to a Local Admins group = fails. Is that what you're getting? Yep, exactly. Originally Posted By: tfabris Next question: - Do you get this same behavior whether you do the job scriptingly, or by hand from the "Users and Groups" screen in COMPMGMT.MSC? If you haven't tried the latter, try it and see if maybe there are warnings popping up that you don't see in the script. Aha, I think you're on to something. Thanks for the reminder to try it manually. The GUI refuses to let me add a local group to another local group in general. When it's set to search or resolve from the local machine, groups isn't listed as an object type. Only "Other Objects", "Built-in security principals" and "Users". The GUI is gating the possibility of adding a local group to another local group. When search is set to search the directory, object types lists a forth entry of "Groups". Looks like DSC is able to inject a local group without an error. The GUI showing the local group looks right, where the added subgroup even has the proper local groups icon instead of a directory group. But no code is likely hooked up behind the scenes to properly grant permissions from the parent group. Interestingly, a second test adds to the theory that the gate to adding a local group to another local group is only in the GUI. I created a new local group called "TomTest" and added my domain account DOMAIN\tom as a member via the GUI. The following command also succeeded without error, adding the TomTest group to the Administrators local group. Code: C:\>net localgroup Administrators TomTest /add The command completed successfully. After this, the GUI shows the TomTest group inside the local Administrators group. DOMAIN\tom still lacked admin access. Further testing though seems to point to the gate only being in place when all actions are done the same way. Code: C:\>net localgroup Test1 /add The command completed successfully. C:\>net localgroup Test2 /add The command completed successfully. C:\>net localgroup Test2 DOMAIN\tom /add The command completed successfully. C:\>net localgroup Test1 Test2 /add System error 1388 has occurred. A new member could not be added to a local group because the member has the wrong account type.
Top

View All Topics

Entire topic
Subject	Posted by	Posted
Adding a local group to Windows Administrators group, no admin privs?	drakino	29/08/2016 17:28
Re: Adding a local group to Windows Administrators group, no admin privs?	tfabris	29/08/2016 17:35
Re: Adding a local group to Windows Administrators group, no admin privs?	drakino	29/08/2016 18:34