Administrators aren't Administrators !?


J741

Technical User
Jul 3, 2001
528
CA
New user account in SBS 2003 as a member of the 'Power user' group can't install any software on his workstation. The error message reports that he must be a member of the local administrator group. Change the user profile in SBS 2003 to be a member of the 'Administrators' group, and the user still can not install any software on his workstation. The 'you must be an administrator' message still occurs. Why, and what can I do about it?

- James.


My memory is not as good as it should be, and neither is my memory.

I have forgotten more than I can remember
 
If you are talking about the Administrators on the SBS server, which is really "AD", this Administrators group is a Domain Local group, which doesn't have Admin rights on local workstations. The Domain Admins group does have rights to local workstations, but don't add this user to that group. What you really need to do is add this user's account to the Local Administrators group on his workstation.
 
Uhm, O.K.

What?

I'm not sure I understand you. Do you mean I need to go to every workstation and add every user to the local user management and then assign the 'administrator' rights there?

I thought the whole point of Active Directory users was to be able to centrally manage such rights.

I want the users to have 'Administrator' rights for the workstations, but not have 'Domain Admin' rights.


- James.

 
Add the "User" to the local Administrators group.

The user would be the user set up in AD for that workstation.

Go to the Administrators group, then Add. Make sure your location is set to your domain name, then click Advanced. Under Common Queries, in the textbox next to "Starts with", type the first letter of the user's name you want to make a local admin. Then, when you find the name, double-click it, and you will get prompted for a domain admin user name and password. That's it.

I hope this helps


 
O.K. I've just done a bit of searching on Google, and found that this can be done either manually from each workstation as you are suggesting, or through the use of a group policy setting in Active Directory. The only problem is I haven't found out the exact procedure to edit or create an appropriate group policy setting in Active Directory. I have no idea what I'm doing as far as Group Policies go. Can someone provide more information?

- James.


 
O.K. So I found the 'Restricted Groups' policy in the 'Domain Security Policy' control under 'Administrative Tools' on the start menu.

I added the 'Administrators' group to the policy and added the 'Administrator', 'Domain Users', and 'Authenticated Users' as members of the group. (I will adjust these members after I actually get it working)

Then I went to the workstation and logged-in as a user and noticed absolutely no difference. The user still can not install any software, check for Windows Updates, or even change the date or time. This is very very frustrating.

So why would the policy not apply !?

- James.


 
Personally I would create my own GPO (Group Policy Object). The Domain Security Policy is only for Domain Controllers not workstations.

Remember when you do make changes to a Group Policy it is only refreshed every 90 minutes. You can use the GPUPDATE.exe command to force a refresh.
 
There are three security policy editors that I can find in SBS 2003. "Domain Controller Security Policy", "Domain Security Policy", and "Local Security Policy". Now, from the naming of these policies I am under the assumption that the "Domain Controller Security Policies" and "Local Security Policy" would affect my server, and the "Domain Security Policy" would affect all computers which log in to the domain. Is this assumption correct, or am I missing something here?

- James.


 
For the most part all of those policies only control your Domain Controller. Here's where you need to go.

Open your Active Directory Users & Computers (ADUC). Right click on your domain and choose Properties. Then choose the Group Policies tab. You should see a Default Domain Policy. For now this is the one you should change or you can create a new GPO. I won't go into why some people don't like to modify the Default Domain Policy. You seem to have a small install and this shouldn't be a big deal for you.
 
J741 - you are correct, but you can create additional policies as needed. I typically recommend a separate policy just for Restricted Groups, and I apply it to the OU that contains the computers (not the default one called "computers").

Pat Richard, MCSE MCSA:Messaging CNA
Want to know how email works? Read for yourself -
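
The Restricted Groups setting discussed in this thread ends up in the `[Group Membership]` section of the `GptTmpl.inf` security template that a GPO stores under SYSVOL. The following is an added example, not code from the thread or from any poster: it audits such a template for the two things that matter here, namely a "Members of this group" entry that overwrites the local Administrators membership and broad principals such as Domain Users or Authenticated Users ending up in it. The sample template, the domain SID and the RID 1105 are constructed for illustration.

```python
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
BROAD_NAMES = {"everyone", "authenticated users", "domain users"}
# Constructed sample (domain SID and RID 1105 are made up). Real GptTmpl.inf
# files are normally UTF-16, so decode them before passing the text in.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-11
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""

def parse_group_membership(text):
    """Return (group, 'members' | 'memberof', [principals]) tuples."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, sep, value = line.partition("=")
        group, marker, kind = key.strip().rpartition("__")
        if not (in_section and sep and marker):
            continue
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        entries.append((group.lstrip("*"), kind.lower(), principals))
    return entries

def is_broad(principal):
    """True for Everyone, Authenticated Users, or a domain's Domain Users (RID 513)."""
    domain_users = principal.startswith("S-1-5-21-") and principal.endswith("-513")
    return domain_users or principal in BROAD_SIDS or principal.lower() in BROAD_NAMES

def audit(text):
    """Flag settings that overwrite or over-populate local Administrators."""
    findings = []
    for group, kind, principals in parse_group_membership(text):
        is_admins = group in (ADMINISTRATORS, "Administrators")
        if kind == "members" and is_admins:
            # "Members of this group" replaces the local membership outright.
            findings.append(("replaces-membership", group))
            findings += [("broad-principal", p) for p in principals if is_broad(p)]
        elif kind == "memberof" and is_broad(group) and ADMINISTRATORS in principals:
            # "This group is a member of" is additive, but the group is too wide.
            findings.append(("broad-principal", group))
    return findings
```

On the constructed sample, `audit(SAMPLE_INF)` reports the overwrite of Administrators plus the Domain Users and Authenticated Users entries, while the additive entry for the dedicated group with RID 1105 passes clean.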
 