Windows – AD Group added to Local Admins not working on domain-joined PC – adding a user directly to local admins does

Tags: active-directory, group-policy, permissions, windows

I'm pulling my hair out on this, and I don't understand what I'm missing.

I have an admin Name Bob. I have added Bob to a global security group named "LocalAdmins".

We go to PC (Harry's) that is joined to the domain, add the "LocalAdmins" group to the Administrators group under Local users and groups, and reboot.

Bob tries to install some software on Harry's PC; it asks for credentials, as Harry does not have admin rights, and Bob enters his credentials. It does not work. (Also tried right-click, Run as administrator: same result.)

I remove the LocalAdmins group from Local Admins, and add Bob directly.

Reboot. Bob can install software on Harry's PC.

I've checked that the domain shows Bob as being a part of the "LocalAdmins" AD group with:

NET USER bob /domain

I've made sure LocalAdmins shows up when I run "net localgroup Administrators".

It doesn't make any sense. Is there something I'm missing?

I'm not using a GPO or anything like that for this, just doing it manually.

Domain level is Win 2003 (though we are running all Win 2012 DCs).

Best Answer

Too long for a comment, but to make a simple test, do as at the start: please add the LocalAdmins group to your local Administrators group and remove the direct Bob entry.

Log in as Bob on Harry's computer. Issue a `whoami /groups /fo list` and let us know the output. You should see BUILTIN\Administrators; if not, then:

Your bug reminds me of a nested group limitation/bug; from memory, with a GPO (aka Restricted Groups policy) you can bypass that restriction. I suspect your domain level doesn't help us there.

Not much documentation still exists, but see here:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc776499(v=ws.10)?redirectedfrom=MSDN

or here:

https://www.cbfive.com/no-local-group-nestingeven-if-it-looks-like-there-is/
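The check the answer asks for, as an added PowerShell diagnostic (not from the original post or either linked article), run in a normal session as Bob on the affected PC: it compares what the local Administrators group lists with what Bob's logon token actually carries, which is exactly the gap the question describes. It assumes the domain group is named LocalAdmins as in the question and that the Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows 10 / Server 2016 or later); the domain functional level check is best-effort and needs the ActiveDirectory RSAT module.

```powershell
# Added diagnostic, not the original poster's or answerer's code.
# Assumption: the domain group is called LocalAdmins (change $GroupName otherwise).
param([string]$GroupName = 'LocalAdmins')

$AdminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. Static view: what the local Administrators group lists (what "net localgroup" showed).
$members     = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
$groupListed = $members | Where-Object { $_.Name -like "*\$GroupName" }
"Local Administrators lists $GroupName : " + [bool]$groupListed

# 2. Dynamic view: what the current logon token carries (same data as whoami /groups /fo list,
#    parsed from the CSV form so it can be filtered).
$tokenGroups  = whoami /groups /fo csv | ConvertFrom-Csv
$groupInToken = $tokenGroups | Where-Object { $_.'Group Name' -like "*\$GroupName" }
$adminInToken = $tokenGroups | Where-Object { $_.SID -eq $AdminSid }
"Token contains $GroupName : " + [bool]$groupInToken
"Token contains BUILTIN\Administrators : " + [bool]$adminInToken
if ($adminInToken) { "  attributes: " + $adminInToken.Attributes }

# 3. Interpretation of the combinations that matter for this symptom.
if ($groupListed -and -not $groupInToken) {
    "MISMATCH: $GroupName is in the local group but absent from the token, so nested " +
    "membership is not resolving at logon. Log off and on again and re-check; if it persists, " +
    "use the Restricted Groups route from the answer."
} elseif ($adminInToken -and $adminInToken.Attributes -match 'deny only') {
    "Administrators is present but 'used for deny only': this is UAC's filtered token. " +
    "An elevation prompt is expected; the nesting itself is working."
} elseif ($groupInToken -and $adminInToken) {
    "Membership resolves correctly through $GroupName."
} elseif (-not $groupListed) {
    "$GroupName is not in the local Administrators group on this PC."
}

# 4. Best-effort: the domain functional level the answer suspects (needs RSAT AD module).
try   { "Domain functional level: " + (Get-ADDomain -ErrorAction Stop).DomainMode }
catch { "Domain functional level: unknown (ActiveDirectory module not available here)" }
```

Run it once in Bob's unelevated session and once in an elevated one: the token attributes line is what distinguishes a normal UAC filtered token from a token that never received the nested group at all.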