2K domain: local vs. domain administrators

[cleverhandle]

In a 2K AD domain, is anyone other than the local Administrator allowed to run Windows Update, modify the registry, and do similar low-level tasks? I seem to get access restriction for this even when logged in as an "Enterprise Admin".

 

[dbwillis]

I am, my account is added under Domain and Enterprise Admin, any group policies set for restriction on this?
I know theres a MS how-to for 'keeping the policy not to apply to admins.."

 

[spyordie007]

You (or a group you are part of) needs to be a local admin in order to do any of this stuff, the security groups "domain admins" and "enterprise admins" are just that, security groups and if "enterprise admins" dont have local admin rights to a specific box than you will not be able to do this stuff to them.

-Spy

 

[cleverhandle]

Thanks, spy, that pointed me in the right direction. I'm forgetting - being a *nix guy - that groups can be included in groups. Checking out the (local) Administrators group on the client machine shows that (local user) Administrator and (domain group) Domain Admins are members. Not Enterprise Admins, though... wasn't that supposed to have the highest privileges? These are default installs - this is just a test network at my place - so no group policies or anything yet.

In any event, adding myself to the Domain Admins group takes care of it. Only after a reboot, though - does the client cache authentication info or something?

 

[Nothinman]

does the client cache authentication info or something?

Of course it does, it's Windows. But a logoff/logon should do it, no need to reboot.