Why Can't I Get on the Internet When I Use My Administrator Account?
By Jacob Andrew
For security reasons, many business networks restrict certain administrator accounts from accessing the network. Limiting network access helps mitigate possible damage to the network from malware or other machine-level intrusions. How this is implemented varies from network to network, but Internet restriction is a default setting in a Windows-based, Active Directory-secured network.
Network Versus Local Administrator
If you can’t get onto the Internet with your administrator account, it’s likely that you’re using a “local” administrator account. Local administrator accounts are found on all Windows-based computers and enable you to make changes to virtually any part of that computer. Though it possesses full privileges to the hard drive on that machine, this local account is given, by default, “anonymous” privileges to any part of an Active Directory network. Anonymous privileges are, by default, very limited. Network admins can also configure tighter controls for anonymous-level accounts, including restrictions on Internet access. In order to have administrative privileges to the network, you need to log in with an administrator account on the domain. A domain administrator account does not necessarily need to be called “administrator.”
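To confirm which kind of account a session is using, the following PowerShell function compares the logon's SID with the machine's own SID. It is an added example, not part of the original article; the function name `Get-LogonAccountScope` is hypothetical, and it assumes Windows PowerShell 5.1 on a workstation or member server (not a domain controller).

```powershell
# Added example: report whether the current logon is a local or a domain account.
# Get-LogonAccountScope is a hypothetical name chosen for this illustration.
function Get-LogonAccountScope {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $computer  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Every local account's SID starts with the machine's own SID, so any
    # local account (the built-in ones always exist) reveals that prefix.
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid

    # AccountDomainSid is $null for well-known identities such as SYSTEM.
    $accountSid = $identity.User.AccountDomainSid

    if ($null -eq $accountSid) {
        $scope = 'BuiltIn'
    } elseif ($accountSid.Value -eq $machineSid.Value) {
        $scope = 'Local'     # authenticated by this computer only
    } else {
        $scope = 'Domain'    # authenticated by a domain
    }

    [pscustomobject]@{
        Account           = $identity.Name
        Scope             = $scope
        DomainJoined      = $computer.PartOfDomain
        # Domain name if joined, otherwise the workgroup name.
        DomainOrWorkgroup = $computer.Domain
        # True only in an elevated session; a non-elevated UAC token
        # reports False even for a member of Administrators.
        ElevatedAdmin     = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-LogonAccountScope | Format-List
```

A result of `Scope : Local` on a machine where `DomainJoined` is `True` matches the situation described above: full rights on the computer, but no domain identity to present to the network.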
Caveats to Anonymous Privileges
Most administrators of an Active Directory network do not want local accounts to access network resources. Allowing such access gives virtually any machine that connects to the network the ability to do damage to network resources. If, for example, your personal laptop had a virus on it and then connected to the Active Directory-based work network, limitation at the network level would stop your computer from spreading the virus. You’ll never convince a network administrator to grant your local admin account Internet access when it has been restricted, as this will open up the network to virtually all computers with a local administrator account.
802.1X and TACACS
Many pieces of network equipment, such as switches, use 802.1X authentication to stop users from using the network unless they provide proper login credentials. As a result, being connected to the network but not logged in with network-recognized credentials causes the switch itself to shut down the physical port to which your computer is connected. This completely isolates any unauthenticated user from the rest of the network.
Administrator and Network Access
To get both network access and administrative privileges, you need to get a domain administrator account. If you are not the administrator of the network, you’ll have to request these credentials. These credentials are stored locally, enabling you to log in as an administrator even when you’re not connected to the network. Once connected to the network, however, those credentials also identify you to the domain and networking equipment, enabling Internet access. These credentials often come with limitations, however, in order to maintain the integrity and safety of the network.
Jacob Andrew previously worked as an A+ and CCNA-certified technology specialist. After receiving his BA in journalism from the University of Wisconsin, Madison in 2012, he turned his focus towards writing about travel, politics and current technology.