Permissions and Domains

Hi Guys,
I have inherited a system and need to learn fast about
rights.
Specifically I need to allow some users full
administrative rights to their PCs so that they can load
and run any programs and drivers, but limit them to
just "users" on the network.
I also need to understand profiles as some of the XP
machines seem to have 8 or more different pofiles.
Can anyone point me to usefull URLs on these subjects
please.
Hazel

Torgeir
Wed Aug 04 07:23:40 CDT 2004

Hazel Kay wrote:

> Hi Guys,
> I have inherited a system and need to learn fast about
> rights.
> Specifically I need to allow some users full
> administrative rights to their PCs so that they can load
> and run any programs and drivers, but limit them to
> just "users" on the network.

E.g. add their domain user account to the local "Administrators"
group.


> I also need to understand profiles as some of the XP
> machines seem to have 8 or more different pofiles.
> Can anyone point me to usefull URLs on these subjects
> please.
> Hazel


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Hazel
Wed Aug 04 07:47:34 CDT 2004

Hi Torgeir,
In the User Accounts, they are set up as "Local Domain
Admins" and also as "Network Domain users", but they
still cant install many programs or drivers. They are
logging on as NetworkDomain\username. Should they be
loggin on as LocalDomain\user and if so do they still get
full access to the SBS network as users?

>-----Original Message-----
>Hazel Kay wrote:
>
>> Hi Guys,
>> I have inherited a system and need to learn fast about
>> rights.
>> Specifically I need to allow some users full
>> administrative rights to their PCs so that they can
load
>> and run any programs and drivers, but limit them to
>> just "users" on the network.
>
>E.g. add their domain user account to the
local "Administrators"
>group.
>
>
>> I also need to understand profiles as some of the XP
>> machines seem to have 8 or more different pofiles.
>> Can anyone point me to usefull URLs on these subjects
>> please.
>> Hazel
>
>
>--
>torgeir, Microsoft MVP Scripting and WMI, Porsgrunn
Norway
>Administration scripting examples and an ONLINE version
of
>the 1328 page Scripting Guide:
>http://www.microsoft.com/technet/scriptcenter/default.msp
x
>.
>

jeff
Wed Aug 04 08:37:04 CDT 2004

On Wed, 4 Aug 2004 04:48:46 -0700, "Hazel Kay"
<anonymous@discussions.microsoft.com> wrote:

>I have inherited a system and need to learn fast about
>rights.
>Specifically I need to allow some users full
>administrative rights to their PCs so that they can load
>and run any programs and drivers, but limit them to
>just "users" on the network.

Add their user account to the Local Administrators group on the
workstation (log in as the administrator of the workstation to have
access to this). You may find that adding them to Power Users does
what you need.

>I also need to understand profiles as some of the XP
>machines seem to have 8 or more different pofiles.

Systems get profiles for whichever account logs into them, and as an
administrator of the system you can delete any unwanted ones. Next
time a user logs in they'll get a profile added, if it's a roaming
profile it will pull an existing profile from the server.

>Can anyone point me to usefull URLs on these subjects

There are literally hundreds out there, but you may want to pick up a
book or two on Windows Network Administration, matching the OS you're
using. It's not a quick How-To for what you'll be facing, but it's
not rocket science either.

Jeff

Torgeir
Wed Aug 04 08:34:37 CDT 2004

Hazel Kay wrote:

> Hi Torgeir,
> In the User Accounts, they are set up as "Local Domain
> Admins" and also as "Network Domain users", but they
> still cant install many programs or drivers. They are
> logging on as NetworkDomain\username. Should they be
> loggin on as LocalDomain\user and if so do they still get
> full access to the SBS network as users?
Hi

Do *not* put the users in the domain administrators group.

The users need to log on as NetworkDomain\username.

For each computer the user is using, you need to add the
NetworkDomain\username account into the local "Administrators"
group on that computer.



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Hazel
Wed Aug 04 10:29:30 CDT 2004

Hi Jeff and Torgeir,

Ive got it at last!
I thought that having accounts for the user in both local
and domain, with the local set to administrator was
enough.
I now realise that they are effectively two different
users and adding the rights in Advanced-Advanced-Groups
has sorted the problem.
Ive also got a lot to read havent I!
Thanks very much to both of you Guys!!

>There are literally hundreds out there, but you may want
to pick up a
>book or two on Windows Network Administration, matching
the OS you're
>using. It's not a quick How-To for what you'll be
facing, but it's
>not rocket science either.
>
>Jeff
>.
>

Lanwench
Wed Aug 04 11:44:18 CDT 2004

Hazel Kay wrote:
> Hi Jeff and Torgeir,
>
> Ive got it at last!
> I thought that having accounts for the user in both local
> and domain, with the local set to administrator was
> enough.
> I now realise that they are effectively two different
> users and adding the rights in Advanced-Advanced-Groups
> has sorted the problem.
> Ive also got a lot to read havent I!
> Thanks very much to both of you Guys!!

You should get rid of their local user accounts on all the workstations to
avoid confusion. Users should always log into the domain.
>
>> There are literally hundreds out there, but you may want to pick up a
>> book or two on Windows Network Administration, matching the OS you're
>> using. It's not a quick How-To for what you'll be facing, but it's
>> not rocket science either.
>>
>> Jeff
>> .

Hazel
Wed Aug 04 12:20:33 CDT 2004

Hey Lanwench,
Thanks for joining in!
Does this apply when some of the users have notebooks and
use them when not connected to the network?
(And not using them for remote access - YET!)

>You should get rid of their local user accounts on all
the workstations to
>avoid confusion. Users should always log into the domain.

Lanwench
Wed Aug 04 12:50:19 CDT 2004

Hazel Kays wrote:
> Hey Lanwench,
> Thanks for joining in!
> Does this apply when some of the users have notebooks and
> use them when not connected to the network?

Yep - they should be able to log in to the domain using cached credentials.
Test & try! Nicer also in that they only have one Windows profile.


> (And not using them for remote access - YET!)
>
>> You should get rid of their local user accounts on all the
>> workstations to avoid confusion. Users should always log into the
>> domain.

Hazel
Wed Aug 04 13:11:13 CDT 2004

Thats great, thanks a lot lanwench, I will try this as
soon as I get back in!

>-----Original Message-----
>Hazel Kays wrote:
>> Hey Lanwench,
>> Thanks for joining in!
>> Does this apply when some of the users have notebooks
and
>> use them when not connected to the network?
>
>Yep - they should be able to log in to the domain using
cached credentials.
>Test & try! Nicer also in that they only have one
Windows profile.
>
>
>> (And not using them for remote access - YET!)
>>
>>> You should get rid of their local user accounts on
all the
>>> workstations to avoid confusion. Users should always
log into the
>>> domain.
>
>
>.
>