OS permissions

flboad

So just a quick question. I know I'm overlooking something but can't figure it out.

I have a new computer that I've reformatted and reinstalled the OS, Office, apps etc... I do this as administrator, no biggie. When I log in as the user they are unable to install anything, also if I go to network control panel it says they can't do anything because they don't have the correct permissions. NOW the computer that this user is currently using, they have no problems installing anything. They are able to make changes and configure as they need. But yet on the new computer that is going to them I can't do anything.

The machine is added to the ADI domain. The user's memberships haven't changed. And there are no GPOs applied to the domain at all.

What am I missing?
Thanks in advance,
Keith
 
The obvious answer, and I say this because you have indicated otherwise, is they are local admins on their machines, but not the newly imaged box you're logging in as them. Which by the way is a good thing. The real question is, why are you allowing users to have admin access? Almost always a bad idea. With a few exceptions of course and assumably you've already addressed that.
 
The users shouldn't/don't/won't have admin rights. I'm the only one logging in as admin. They should be able to install on their own though. I didn't make that clear earlier. There are a couple of users who will be power users. But this particular user should be able to install. Which she can do now on her old computer but when I log in as her on the new computer it doesn't allow me to install anything.

That's what I'm not understanding. The permissions will follow the user so the permissions should apply to the new computer.


Edit: An addition to what you said. Even if the user was a member of local admins in AD. Wouldn't that allow them to install on the new computer?
 
Er huh? Permissions will follow?

There are a few scenarios where this would be true. Like if they are in the domain admin group when you put the box on the domain. Otherwise no, you'll have to manually add the domain account to the local group. I don't like adding users to the power users group either. Ways to cause problems similar to adding them to the local admin group. Users shouldn't install software. That's my philosophy anyway.

I could definitely be completely misunderstanding your narratives. But if I am not then no, when you add a machine to the domain, that domain/users group is added to the local users group. Allows them to logon and open apps but installing would not be allowed.
 
flboad said:
That's what I'm not understanding. The permissions will follow the user so the permissions should apply to the new computer.

This statement is completely incorrect.

Domain group memberships follow the user. All other rights are assigned locally unless otherwise set with domain group policy or local machine policies.

If the user is a member of a group that has admin rights on all computers, the rights will follow (the only group like this on a default install with more than user rights is Domain Admins), but otherwise the security for a user defaults to the local "users" group for all domain users.
 
Ok, thanks to both of you I completely understand now. I understand what I was doing wrong. I was assigning memberships on the Domain Controller. I thought they took over local settings. When I checked Local Users & Groups I saw that they were indeed power users on the old computer but not on the new one.

I'm an idiot but now I know. So I’m an educated idiot. Thanks for your help.

Keith
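
The check that resolved this thread (comparing local group membership on the old and new computers) can be scripted. This is an added example, not code from any poster; `OLD-PC` and `NEW-PC` are hypothetical computer names, and it assumes PowerShell 5.1 or later with PowerShell remoting enabled on both machines.

```powershell
# Added example: find domain accounts that sit in a local group on one
# machine but not the other. Computer names below are hypothetical.
$oldPc  = 'OLD-PC'
$newPc  = 'NEW-PC'
$groups = 'Administrators', 'Power Users', 'Users'

# Query both machines; Invoke-Command tags each result with PSComputerName.
$membership = Invoke-Command -ComputerName $oldPc, $newPc -ScriptBlock {
    foreach ($g in $using:groups) {
        # Keep only domain principals: local account names embed the
        # machine name and would never match across computers.
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group  = $g
                    Member = [string]$_.Name
                }
            }
    }
}

# Report, per local group, the domain members present on only one side.
foreach ($g in $groups) {
    $old = @(($membership | Where-Object {
                $_.PSComputerName -eq $oldPc -and $_.Group -eq $g }).Member)
    $new = @(($membership | Where-Object {
                $_.PSComputerName -eq $newPc -and $_.Group -eq $g }).Member)

    [pscustomobject]@{
        Group     = $g
        OnlyOnOld = ($old | Where-Object { $_ -and $_ -notin $new }) -join ', '
        OnlyOnNew = ($new | Where-Object { $_ -and $_ -notin $old }) -join ', '
    }
}
```

An account listed under `OnlyOnOld` for `Administrators` or `Power Users` is a locally granted right that did not come across with the domain account.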
 