Satish wrote me the following question:
I would like to know that, is there any way that we ( as a normal domain user with out any admin privileges )logon to a desktop which has been added to a domain and then manage to do admin tasks like changing time ,or editing grouppolicy on the local machine.
The answer to this is basically No. Obviously, there are some ways that you can gain admin access to the local machine but that may not really help either. I will not go into the ways that one would be able to gain this access over a machine but let’s just assume that you do get your hands on a local admin account and you log in as that user. When a computer is connected to a Domain it has two sets of policies, the local computer and user policy settings and the domain computer and user policy. The Domain policy is always going to override the local policy of the machine. This means that if you do log in and change settings such as the background, the clock, or anything else that can be defined by a group policy, the policy will revert back to the domain policy as soon as the machine is able to check in with the domain and pull that policy down. So basically I am saying that changing the local policy settings will essentially have no affect on the machine if the Domain Administrators have done a good job and set up all the policies that they care about in the domain policy. The only way to change that is to modify the policy or move your Computer and or User objects to OU’s that do not have that policy applied to them in Active Directory. Unfortunately, you will need appropriate permissions to do either of those actions. Perhaps not Domain Admin rights, but an administrator would have to delegate that permission down to your domain account for you to make the changes.
I hope that makes sense and answers your question. If not, or if you have any other questions, please go to http://sysadminsmith.com and click on the Submit a Question link on the right.