Permissions

Status
Not open for further replies.

kjonnnnn

Here's my situation.

When NT was installed on the computers here, before I started, EVERYBODY was either in the Administrators or Domain Administrators groups. I am now removing all from those groups. There are only two people here that should be in those groups.

Here's my problem: on some computers the user is having trouble accessing programs that are installed on their own computers. They can log into the network fine. But when trying to access, for instance, MS Image Composer, the computer wants an ID and PASSWORD for \\the user PC\C$. Even though they have local administrator status on their own computer, it would even let me access their IDs.

Now if I use my ID and Password as administrator, it accepts it and they can get into the program.

What is the problem here? I DON'T want all those people to have administrative rights... (enough has been messed up already because of it.)
 
Well, you have removed the users from the Administrators
Groups. Maybe, if you create a new group, include the
users in it, and set permissions and restrictions for
that group ....
 
Well, you still have to have the user set as an administrator on the server to be able to access administrative shares or c$; this is because these hidden shares are designed for admin use only.
 
I'm sorry, but it makes no sense for a user to need administrative network rights to simply click and use a program that is installed on their computer.

There must be something else.
 
Do the users have a Local WkStn account for the user with admin permissions as well as a Domain account that has had permissions reduced to "Domain User"? (And they are using that domain account to log on. This would only give the user base permissions to domain resources and the local box.)

Or

Are you using exclusively Domain User accounts where, on each WkStn, the user's domain account is added to his/her local WkStn Administrators Local Group? This would give the user base permissions to domain resources but full Admin permissions to the local box.
 
On their local workstations, they are in User and Administrators accounts.

For the network, they are just Users.

When they click on a program that's installed on their local machine, it wants a password.
 
Kill all user accounts on the local Workstation except for the Administrator account. (Change its password and keep it secured from the users.)

On the workstation:

1. Ensure "Domain Admins" is a member of the local "Administrators" group.

2. Ensure "Domain Users" group is a member of the local "Users" group.

3. Add the personal Domain account (i.e. MY_DOMAIN\User1) of the primary user to the workstation's Administrators group.

As long as the locally installed application is not calling resources outside the local box, all should work.

-Hugh



 
Wait... there are no Domain accounts on a local workstation.
 
He is referring to the Domain Admin and Domain User groups from your domain. When you go into the machine's local group administrator and click the Add button, select your domain and add the Domain Admin account from there. Hope this helps.
 
But if Domain Admins are in the Network Administrators group and I put this user in the Domain Admin group, that means they will have admin rights, RIGHT?

I don't want that.

I just want them to be able to access anything on their own desktops.
 
You want the user in question in the local administrators group. The other stuff is just to get you back to the standard default. I believe what french01 is trying to accomplish is to set you back to the default setting, as if you had a fresh install and just added it to the domain, with the exception of explicitly granting the user in question admin rights to the local machine.
 
kjonnnnn, you appear to have the idea backwards. The User will not have Admin permissions on the network. You do not add the user to Domain Admins.

We are trying to give the Domain Admin group (i.e. you and the one other tech you mention above) God rights to each workstation. We do this by placing the group that lives on the domain called Domain Admins into the group that lives on the workstation called Administrators. You need to do this from the individual workstation as described by mcconmw above.

We allow the end user to ONLY use the base level User account on the domain to log on with (anywhere). We do this by killing all user logon accounts from the workstations so that the only account left for them to use is the one on the domain.

This account only has User rights (anywhere).

Except for the user's workstation, where we add that specific domain account for that user into the workstation's Administrators group (but only on that one workstation). That elevates that user account to God status (but only on that workstation).

Adding the Domain Users group into the local Users group on each workstation then allows all users to log on to and use any computer in the network, but they would only be able to administer their own specific machine.

Cheers Hugh
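
Added example, not part of any post in this thread: a PowerShell audit for current Windows versions (it relies on Get-LocalGroupMember, which the NT-era tools in this thread predate) that compares a workstation's local groups with the layout Hugh describes. MY_DOMAIN and User1 are the placeholders from his post, and Compare-GroupMembership is a helper name made up for this example.

```powershell
# Added example: audit local group membership against the layout in the thread.
param(
    [string]$Domain      = 'MY_DOMAIN',  # placeholder taken from the thread
    [string]$PrimaryUser = 'User1'       # placeholder taken from the thread
)

# Hypothetical helper: returns members that should not be there and members
# that are absent. -notcontains is case-insensitive, like Windows account names.
function Compare-GroupMembership {
    param([string[]]$Actual, [string[]]$Expected)
    [pscustomobject]@{
        Unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
        Missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    }
}

# Intended state from the three steps. Assumes the built-in account still has
# its default name "Administrator".
$baseline = @{
    'Administrators' = @("$env:COMPUTERNAME\Administrator",
                         "$Domain\Domain Admins",
                         "$Domain\$PrimaryUser")
    'Users'          = @("$Domain\Domain Users")
}

foreach ($group in $baseline.Keys) {
    $actual = @((Get-LocalGroupMember -Group $group).Name)
    $diff   = Compare-GroupMembership -Actual $actual -Expected $baseline[$group]

    foreach ($m in $diff.Missing) {
        Write-Warning "[$group] expected member absent: $m"
    }
    # Only Administrators is checked for extras: the Users group carries
    # default system members on current Windows that are not a finding.
    if ($group -eq 'Administrators') {
        foreach ($m in $diff.Unexpected) {
            Write-Warning "[$group] unexpected member: $m"
        }
    }
}
```

Run it on each workstation with that machine's primary user passed as -PrimaryUser; any warning marks a box that still deviates from the intended membership, such as a leftover local account in Administrators.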
 
I have had this problem on Windows 2000 professional. Here is what I did to solve it. At the run dialog type "regedt32" without quotations. Then go to HKEY_Local_Machine\Software, highlight the software that you need to change permissions to and go to "Security" drop down to "Permissions" and add the user domain account to the permissions list and give them full control.
 
Why is the computer looking for \\userpc\c$ to run a local file on that machine itself?

Check to make sure the LOCAL permissions on the computers are set correctly. It sounds like they have been messing around setting permissions on their C: folders as well.

Overall, it looks like the problem is in the security structure itself. \\userpc\c$ probably comes up because the previous connections & settings were made by domain admin accounts instead of administrator accounts.

Now is the time to lock down your users. Give them only the access they need - nothing more. Most users should not be local administrators either... try making them power users if need be. They should not be able to change permissions.
 