Re: Local Admin vs Domain Admin problems

From: Andrew (andrew_at_fredlewis.com)
Date: 06/03/03 

Date: Tue, 3 Jun 2003 09:41:26 -0400

I went to the domain controller and added the user to the "administrators"
group. The primary group is still set to users though. He is complaing it
still will not let him install apps. Do i need to change the primary group
to administrators and remove him from the users group?

"Oli Restorick" <youcanguess@willowhayes.co.uk> wrote in message
news:OwqTeATKDHA.1372@TK2MSFTNGP12.phx.gbl...
> You just need to place the AD user's account in the local administrators
> group. You shouldn't need to create any user accounts.
>
> On most setups, the local users group should contain an administrator
> account and a disabled guest account. On XP machines, you'll see a vendor
> support account which is also disabled by default.
>
> The reason your user wasn't seeing the properties was that he was still
not
> an administrator of the local machine. All you'd done was to create
another
> account, which happened to have the same name, that had administrator
> rights. That was of no benefit for your user, though, because he was
> logging in using the AD account.
>
> Hope this helps
>
> Oli
>
> "Andrew" <andrew@fredlewis.com> wrote in message
> news:#AuqbQQKDHA.2216@TK2MSFTNGP12.phx.gbl...
> > Yes that helps. I guess ive been in the habit of making local accounts
> also
> > on each machine as well as creating the account in the AD. I always
> thought
> > that it was necessary. So I don't need to add the user to the local
> machine
> > as well?
> >
> > Thanks
> >
> > "Oli Restorick" <youcanguess@willowhayes.co.uk> wrote in message
> > news:O56fwExJDHA.2224@TK2MSFTNGP11.phx.gbl...
> > > I would guess that what you've actually ended up doing is to create a
> new
> > > user account on the local machine with the same name as the one on the
> > > domain and added this to the local administrators group.
> > >
> > > I am also guessing that you did this by using the Users and Passwords
> > applet
> > > in control panel.
> > >
> > > The best way to get things straight is as follows:
> > >
> > > My Computer (right click)| Manage | Computer Management (Local) |
System
> > > Tools | Local Users and Groups | Users
> > >
> > > Unless you really want users to have local accounts, you should only
see
> > > Administrator and Guest in here.
> > >
> > > If you believe you've mistakenly created a local account, disable it
> (but
> > > don't delete it).
> > >
> > > Next, go into Local Users and Groups | Groups | Administrators
> > >
> > > In here, you should see "Administrators" and also "MyDomain\Domain
> > Admins".
> > >
> > > You may also see a user account here. If it's prefixed by the name of
> > your
> > > domain, then you've correctly set it up. If it just lists a user
name,
> > > you've given a local account administrator privileges rather than the
> > domain
> > > account. If so, add the domain account to this group.
> > >
> > > One other tip is that it's possible to add "INTERACTIVE" to the local
> > > administrators group, which results in anyone who logs in at the
machine
> > > itself is an administrator of that machine, but user accessing it
> remotely
> > > get no additional rights.
> > >
> > > Hope this helps
> > >
> > > Oli
> > >
> > >
> > >
> > > "Andrew" <andrew@fredlewis.com> wrote in message
> > > news:ObZay7tJDHA.2148@TK2MSFTNGP12.phx.gbl...
> > > > This company I do work for has a client who needs to be able to
> install
> > > > programs on his local machine and change things. I give him
> > administrative
> > > > rights on his local machine but when I go into his network
properties
> it
> > > > says the property *** is disabled. The only way I can get it to
work
> > is
> > > to
> > > > give him Domain Admin rights and set that as his primary group.
> > > >
> > > > I also have a similiar issue with quickbooks 2001. It only works if
> the
> > > user
> > > > is a member of the domain admins group and set to primary.
> > > >
> > > > How do I go about these things that need higher level rights without
> > > making
> > > > someone a domain admin?
> > > >
> > > >
> > >
> > >
> >
> >
>
>