Re: Local Admin vs Domain Admin problems

From: Oli Restorick (youcanguess_at_willowhayes.co.uk)
Date: 06/03/03 

Date: Tue, 3 Jun 2003 18:30:13 +0100

OK. Adding a user to the administrators group on the domain controller will
make him an administrator of the domain controller -- not an administrator
of the domain. It will help him install applications on your domain
controller, but won't help him install anything on his workstation.

The only group you can add him to on the domain that will help him install
applications on his machine is "domain admins" and, as you're well aware,
you don't want to do that.

You need to log in as a domain administrator AT HIS MACHINE and place his
domain user account in the administrators group on that machine using the
method I outlined in an earlier post.

You can also do this remotely, but it sounds like you might be happier doing
it at the machine.

The "primary group" field is for Apple Macintosh compatibility. It makes no
odds here.

Regards

Oli

"Andrew" <andrew@fredlewis.com> wrote in message
news:O8fQVVdKDHA.1652@TK2MSFTNGP12.phx.gbl...
> I went to the domain controller and added the user to the "administrators"
> group. The primary group is still set to users though. He is complaing it
> still will not let him install apps. Do i need to change the primary group
> to administrators and remove him from the users group?
>
> "Oli Restorick" <youcanguess@willowhayes.co.uk> wrote in message
> news:OwqTeATKDHA.1372@TK2MSFTNGP12.phx.gbl...
> > You just need to place the AD user's account in the local administrators
> > group. You shouldn't need to create any user accounts.
> >
> > On most setups, the local users group should contain an administrator
> > account and a disabled guest account. On XP machines, you'll see a
vendor
> > support account which is also disabled by default.
> >
> > The reason your user wasn't seeing the properties was that he was still
> not
> > an administrator of the local machine. All you'd done was to create
> another
> > account, which happened to have the same name, that had administrator
> > rights. That was of no benefit for your user, though, because he was
> > logging in using the AD account.
> >
> > Hope this helps
> >
> > Oli
> >
> > "Andrew" <andrew@fredlewis.com> wrote in message
> > news:#AuqbQQKDHA.2216@TK2MSFTNGP12.phx.gbl...
> > > Yes that helps. I guess ive been in the habit of making local accounts
> > also
> > > on each machine as well as creating the account in the AD. I always
> > thought
> > > that it was necessary. So I don't need to add the user to the local
> > machine
> > > as well?
> > >
> > > Thanks
> > >
> > > "Oli Restorick" <youcanguess@willowhayes.co.uk> wrote in message
> > > news:O56fwExJDHA.2224@TK2MSFTNGP11.phx.gbl...
> > > > I would guess that what you've actually ended up doing is to create
a
> > new
> > > > user account on the local machine with the same name as the one on
the
> > > > domain and added this to the local administrators group.
> > > >
> > > > I am also guessing that you did this by using the Users and
Passwords
> > > applet
> > > > in control panel.
> > > >
> > > > The best way to get things straight is as follows:
> > > >
> > > > My Computer (right click)| Manage | Computer Management (Local) |
> System
> > > > Tools | Local Users and Groups | Users
> > > >
> > > > Unless you really want users to have local accounts, you should only
> see
> > > > Administrator and Guest in here.
> > > >
> > > > If you believe you've mistakenly created a local account, disable it
> > (but
> > > > don't delete it).
> > > >
> > > > Next, go into Local Users and Groups | Groups | Administrators
> > > >
> > > > In here, you should see "Administrators" and also "MyDomain\Domain
> > > Admins".
> > > >
> > > > You may also see a user account here. If it's prefixed by the name
of
> > > your
> > > > domain, then you've correctly set it up. If it just lists a user
> name,
> > > > you've given a local account administrator privileges rather than
the
> > > domain
> > > > account. If so, add the domain account to this group.
> > > >
> > > > One other tip is that it's possible to add "INTERACTIVE" to the
local
> > > > administrators group, which results in anyone who logs in at the
> machine
> > > > itself is an administrator of that machine, but user accessing it
> > remotely
> > > > get no additional rights.
> > > >
> > > > Hope this helps
> > > >
> > > > Oli
> > > >
> > > >
> > > >
> > > > "Andrew" <andrew@fredlewis.com> wrote in message
> > > > news:ObZay7tJDHA.2148@TK2MSFTNGP12.phx.gbl...
> > > > > This company I do work for has a client who needs to be able to
> > install
> > > > > programs on his local machine and change things. I give him
> > > administrative
> > > > > rights on his local machine but when I go into his network
> properties
> > it
> > > > > says the property *** is disabled. The only way I can get it to
> work
> > > is
> > > > to
> > > > > give him Domain Admin rights and set that as his primary group.
> > > > >
> > > > > I also have a similiar issue with quickbooks 2001. It only works
if
> > the
> > > > user
> > > > > is a member of the domain admins group and set to primary.
> > > > >
> > > > > How do I go about these things that need higher level rights
without
> > > > making
> > > > > someone a domain admin?
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Quantcast