Score:-2

Can a Domain Admin login to domain machines using its username, but locally?


My question is as follows:

If Domain Admins are members of every local Administrators group, doesn't that mean that a domain admin user, let's say "test", can log in (via RDP, for example) to a domain machine locally, by typing for example "dom_machine\test"?

Also, why wouldn't you see by running net user on a domain machine all domain admins as well?

I don't have a test environment to check it so I'll be happy to know.

Thanks!

Score:0

Tl;dr:

No, it doesn't work like that. You seem to have mixed up a few things! ;)

Longer version:

There is a difference between having the rights to do something on a domain computer and having the user created locally on that machine.

What happens when you log in normally is that the domain-joined computer asks the domain controller whether the user exists in this domain. If you change the domain part to the name of the local computer, it will not ask the domain controller any more; it will instead ask the local computer whether the user exists. And if you don't have the same user created on that machine, it will not let you in. So this is only a question of where you have created the user.

The reason why you want to have the user created on the domain controller is that it is easier to manage there than if you had to create the user separately on each machine, because every time you need to change anything on that user, like the password, you would have to go around to every machine and change it there too.

What happens when you try to do something as a domain user is that the computer asks the domain controller (or the local computer if it is a local user) what rights the user has, and if the rights specified on the domain controller match the rights that are required by the executed task, it will continue. Otherwise it will tell you that you don't have the right to do what you were trying to do.

So while the domain admin might be in the local administrator group (which has the same rights as a local administrator has) it is not the same thing as if the account was created on the local machine.


About the net user command: This command gets the list of local accounts. And since it doesn't ask the domain controller for the users created there it doesn't show those users. (This is by design as it would be a security hole to let the domain users know about all the users that are created in the domain.)


I would recommend that you read a bit more about the concept of a domain network. I don't know what your setup looks like, but I get the feeling that you only have your domain admins created on the domain controller? If that's the case then you're missing out on a lot of the features that the domain controller brings, and I would recommend that you move the users from the local machines to the domain controller!
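
To make the distinction in the answer above concrete, here is an added PowerShell example; it is not part of the original question or answer. It assumes a hypothetical domain with NetBIOS name CONTOSO and a domain account named "test", and runs in an elevated PowerShell on a domain-joined Windows 10 / Server 2016 (or later) host, where Get-LocalUser and Get-LocalGroupMember are available from the built-in Microsoft.PowerShell.LocalAccounts module. It shows that "COMPUTERNAME\test" resolves only if a separate local account exists, that `net user` without `/domain` enumerates the local SAM only (`net user /domain` asks the DC instead), and that Domain Admins sits in the local Administrators group as a group entry, so the rights reach a domain admin through the group SID in their logon token rather than through any local account.

```powershell
# Added example (PowerShell); not from the original question or answer.
# Assumed/hypothetical names: domain NetBIOS name CONTOSO, domain user "test".
$domain = 'CONTOSO'   # assumption
$user   = 'test'      # assumption

function Resolve-Principal {
    # Ask LSA to map "AUTHORITY\name" to a SID. For COMPUTERNAME\name this is a
    # local SAM lookup; for DOMAIN\name the machine asks a domain controller.
    # Returns $null when no such principal exists, which is why a logon as
    # "dom_machine\test" is refused unless a local account "test" was created there.
    param([string]$Account)
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null
    }
}

"{0,-32} -> {1}" -f "$domain\$user", (Resolve-Principal "$domain\$user")
"{0,-32} -> {1}" -f "$env:COMPUTERNAME\$user", (Resolve-Principal "$env:COMPUTERNAME\$user")

# What `net user` shows: the local SAM only. `net user /domain` asks the DC instead.
"`nLocal accounts (what 'net user' lists):"
Get-LocalUser | Select-Object Name, Enabled, SID | Format-Table -AutoSize

# Members of the local Administrators group. Domain principals appear with
# PrincipalSource = ActiveDirectory. "CONTOSO\Domain Admins" (RID 512) is a group:
# its presence grants rights to whoever carries that group SID in their logon
# token, without any local account being created for them.
"`nMembers of BUILTIN\Administrators:"
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

$domainAdmins = $admins |
    Where-Object { $_.ObjectClass -eq 'Group' -and $_.SID.Value -like 'S-1-5-21-*-512' }
if ($domainAdmins) {
    "Domain Admins is a member of local Administrators: $($domainAdmins.Name)"
} else {
    "No Domain Admins group entry found in local Administrators."
}

# How the rights actually arrive: the logon token of the current session. If this
# session belongs to a domain admin, the token carries the Domain Admins SID
# (...-512) and LSA therefore also adds BUILTIN\Administrators (S-1-5-32-544).
# Under UAC only the elevated token has that group enabled, hence the elevated prompt.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"`nLogged on as: $($id.Name)"
$id.Groups |
    Where-Object { $_.Value -like 'S-1-5-21-*-512' -or $_.Value -eq 'S-1-5-32-544' } |
    ForEach-Object {
        $name = try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }
        "{0,-28} {1}" -f $_.Value, $name
    }
$isAdmin = ([System.Security.Principal.WindowsPrincipal]$id).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Effective local administrator in this session: $isAdmin"
```

Run it first as a domain admin and then as a plain domain user: the Administrators membership listing is identical on both runs (it is a property of the machine), while the token section and IsInRole differ, because the admin rights come from the Domain Admins SID in the token, not from an account in the local SAM.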
