active directory question

p0lish

I run a small business network along with my other job stuff, and I have a question. I have been tweaking a few things here and there, and I was looking at AD stuff. I changed one worker's "member of" to just domain user to try out what he would be able to do and not to do. I want to give said worker more privileges, and when I add back "administrator" to his member of options, he doesn't have the ability to repair his LAN connection or modify time etc. I rebooted his computer a couple times, but it's still giving me problems. Any ideas?

Specs.

Server2003
DNS, DHCP, FTP, AD, etc.

thanks,

-p
 
A lot of times when I change clients to domain user it messes up a bunch of programs and the only way to fix it is to set them as domain admins.

I'm still learning too, so I'm tagging in on this.
 
What group did you add him to? "Administrators" (with the s)?

If he needs to have access to do basic stuff, it is best to give him as limited access as he needs. This typically means leaving him as a domain user within AD and giving each user extra privileges on their personal computer.

If he must have admin access on his computer - go add his domain user account to the local administrator group on his computer. I don't believe administrator is necessary though - you may be able to get by with just the local power users group. If you need to do this with a large number of users, it is relatively easy to do this using a group policy.

EDIT: Marley pointed out a pretty big misconception, not to mention a huge security lapse. Users can definitely be set up as domain users only within Active Directory and still have full access to their client computer.

Devin


That user needs to be either a power user or administrator of that computer. (Basically)
 
A lot of times when I change clients to domain user it messes up a bunch of programs and the only way to fix it is to set them as domain admins.

I'm still learning too, so I'm tagging in on this.

Bad idea. You need to set them up as a workstation administrator. Making them a workstation admin isn't the best choice either but a million times better than them being a domain admin. If it's something you can do this on, create a GPO that gives them access to something they may need to do. Otherwise, here's a thread where we talked about setting up a workstation administrators group.
 
One thing you can do, which isn't the best security measure... but prevents users from having Admin rights on the domain.

You can add domain users to the local Administrators group on each PC... they will effectively be Administrators on their own PC but have no power on the domain.
 
So really you want to make everyone Domain User, and add Domain Users to Power Users on the Local Machines?
 
So really you want to make everyone Domain User, and add Domain Users to Power Users on the Local Machines?

No, you want to create a group and add that group to the local workstations administrators group. Then add people as needed to that group in AD.
 
Is there a group called Workstation Administrators? Or do you simply mean Administrators?

We are talking about the local groups, right? (Right click My Computer > Manage > Groups > Administrators?)
 
One thing you can do, which isn't the best security measure... but prevents users from having Admin rights on the domain.

You can add domain users to the local Administrators group on each PC... they will effectively be Administrators on their own PC but have no power on the domain.

No way.

No user should have local admin. Troubleshoot your app. Search Google.

Or do the research yourself using Filemon and Regmon. Most likely the user just needs to be given elevated rights to the program files directory of the app and/or the registry keys for the app. Look at Microsoft's Application Compatibility Toolkit for help as well.
 
Is there a group called Workstation Administrators? Or do you simply mean Administrators?

We are talking about the local groups, right? (Right click My Computer > Manage > Groups > Administrators?)

You have to create the group in AD. Then add that group however you like to the Administrators group on the local workstation.


But as I said in my first post here, making them a workstation admin isn't the best choice either. I agree with oakfan but reading what you and the OP have posted, workstation admin is probably the easiest for you to do.
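
The approach discussed in this thread (one AD group nested in each workstation's local Administrators group, with no broad groups or Domain Admins used for the purpose), sketched as an added example that is not from any poster. It assumes a placeholder domain `CONTOSO`, a hypothetical AD group `Workstation Admins`, and Windows PowerShell 5.1 or later run elevated on the workstation.

```powershell
# Added example, not code from the thread.
# Assumptions: domain "CONTOSO" and AD group "Workstation Admins" are placeholders.
$Domain       = 'CONTOSO'
$DelegatedGrp = "$Domain\Workstation Admins"
$AdminsSid    = 'S-1-5-32-544'   # built-in local Administrators (name is localized, SID is not)

# Entries that make every domain account a local admin.
$TooBroad = @("$Domain\Domain Users", 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-AdminFinding {
    param([string]$Name, [string]$ObjectClass)
    if ($TooBroad -contains $Name) { return 'TooBroad' }     # whole domain is admin
    if ($Name -eq $DelegatedGrp)   { return 'Delegated' }    # the intended group
    if ($ObjectClass -eq 'User' -and $Name -like "$Domain\*") {
        return 'DirectUser'                                  # should go via the group
    }
    return 'Other'                                           # built-ins, Domain Admins, etc.
}

# Report the current membership with a finding per entry.
$report = foreach ($m in Get-LocalGroupMember -SID $AdminsSid) {
    [pscustomobject]@{
        Name    = $m.Name
        Class   = $m.ObjectClass
        Source  = $m.PrincipalSource
        Finding = Get-AdminFinding -Name $m.Name -ObjectClass $m.ObjectClass
    }
}
$report | Format-Table -AutoSize

# Nest the delegated AD group if it is not already a member.
if (-not ($report | Where-Object Finding -eq 'Delegated')) {
    Add-LocalGroupMember -SID $AdminsSid -Member $DelegatedGrp -WhatIf
}

# Preview removal of over-broad entries; drop -WhatIf after reviewing the report.
$report | Where-Object Finding -eq 'TooBroad' | ForEach-Object {
    Remove-LocalGroupMember -SID $AdminsSid -Member $_.Name -WhatIf
}
```

Both changes run with `-WhatIf`, so the script only reports until that switch is removed. Entries marked `DirectUser` are candidates for moving into the AD group so that membership is managed in one place.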
 