0

I am working in an Windows active directory environment.

I am connected to a windows workstation with a domain user.

Here is what I see when I type:

whoami /groups

BUILTIN\Administrators      Alias     S-XXXXX              Group used for deny only

I have a local administrator account too and a domain administrator account. I have tried to add my user to this group. I have also tried to remove it from the group and add it again (with "net localgroup groupname username /add") command.

It does not work. My user is still present in this "Deny" group.

How can I add my user to Administrators group ?

Thanks

Bob5421
  • 319
  • 3
  • 8
  • 16
  • The "deny" is part of User Account Control. You can read up on it here: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works – Greg Askew Jul 03 '23 at 19:01
  • UAC works with access tokens ? I do not understand why groups are involved... – Bob5421 Jul 03 '23 at 19:05
  • Looks like you may be seeing the "deny only" comment due to how you're viewing `whoami`, not a permissions thing as such. See https://blogs.infosupport.com/uac-and-tokens/ which matches what I see, eg if I run `whoami /groups` from an elevated cmd prompt I get "Mandatory Group, Enabled by default, Enabled group" instead of "Group used for deny only". – Keith Langmead Jul 04 '23 at 05:10

0 Answers0