Re: Local Admin vs Domain Admin problems

From: Andrew (andrew_at_fredlewis.com)
Date: 06/02/03 

Date: Mon, 2 Jun 2003 08:43:40 -0400

Yes that helps. I guess ive been in the habit of making local accounts also
on each machine as well as creating the account in the AD. I always thought
that it was necessary. So I don't need to add the user to the local machine
as well?

Thanks

"Oli Restorick" <youcanguess@willowhayes.co.uk> wrote in message
news:O56fwExJDHA.2224@TK2MSFTNGP11.phx.gbl...
> I would guess that what you've actually ended up doing is to create a new
> user account on the local machine with the same name as the one on the
> domain and added this to the local administrators group.
>
> I am also guessing that you did this by using the Users and Passwords
applet
> in control panel.
>
> The best way to get things straight is as follows:
>
> My Computer (right click)| Manage | Computer Management (Local) | System
> Tools | Local Users and Groups | Users
>
> Unless you really want users to have local accounts, you should only see
> Administrator and Guest in here.
>
> If you believe you've mistakenly created a local account, disable it (but
> don't delete it).
>
> Next, go into Local Users and Groups | Groups | Administrators
>
> In here, you should see "Administrators" and also "MyDomain\Domain
Admins".
>
> You may also see a user account here. If it's prefixed by the name of
your
> domain, then you've correctly set it up. If it just lists a user name,
> you've given a local account administrator privileges rather than the
domain
> account. If so, add the domain account to this group.
>
> One other tip is that it's possible to add "INTERACTIVE" to the local
> administrators group, which results in anyone who logs in at the machine
> itself is an administrator of that machine, but user accessing it remotely
> get no additional rights.
>
> Hope this helps
>
> Oli
>
>
>
> "Andrew" <andrew@fredlewis.com> wrote in message
> news:ObZay7tJDHA.2148@TK2MSFTNGP12.phx.gbl...
> > This company I do work for has a client who needs to be able to install
> > programs on his local machine and change things. I give him
administrative
> > rights on his local machine but when I go into his network properties it
> > says the property *** is disabled. The only way I can get it to work
is
> to
> > give him Domain Admin rights and set that as his primary group.
> >
> > I also have a similiar issue with quickbooks 2001. It only works if the
> user
> > is a member of the domain admins group and set to primary.
> >
> > How do I go about these things that need higher level rights without
> making
> > someone a domain admin?
> >
> >
>
>