Re: Local Admin vs Domain Admin problems
From: Andrew (andrew_at_fredlewis.com)
Date: 06/04/03
- Next message: alex: "how to shut off netbios-ns/port:137 (udp)"
- Previous message: Todd Denlinger: "Re: netsec.dll -- anyone heard of?"
- In reply to: Oli Restorick: "Re: Local Admin vs Domain Admin problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 4 Jun 2003 09:37:48 -0400
Ok I understand what you are saying now, but if I log into his machine, how
do I see the AD user account in order to add him to the administrators group
from there?
Thanks
"Oli Restorick" <youcanguess@willowhayes.co.uk> wrote in message
news:%23ugwjXfKDHA.2096@TK2MSFTNGP12.phx.gbl...
> OK. Adding a user to the administrators group on the domain controller will
> make him an administrator of the domain controller -- not an administrator
> of the domain. It will help him install applications on your domain
> controller, but won't help him install anything on his workstation.
>
> The only group you can add him to on the domain that will help him install
> applications on his machine is "domain admins" and, as you're well aware,
> you don't want to do that.
>
> You need to log in as a domain administrator AT HIS MACHINE and place his
> domain user account in the administrators group on that machine using the
> method I outlined in an earlier post.
>
> You can also do this remotely, but it sounds like you might be happier doing
> it at the machine.
>
> The "primary group" field is for Apple Macintosh compatibility. It makes no
> odds here.
>
> Regards
>
> Oli
>
>
> "Andrew" <andrew@fredlewis.com> wrote in message
> news:O8fQVVdKDHA.1652@TK2MSFTNGP12.phx.gbl...
> > I went to the domain controller and added the user to the "administrators"
> > group. The primary group is still set to users though. He is complaining it
> > still will not let him install apps. Do I need to change the primary group
> > to administrators and remove him from the users group?
> >
> > "Oli Restorick" <youcanguess@willowhayes.co.uk> wrote in message
> > news:OwqTeATKDHA.1372@TK2MSFTNGP12.phx.gbl...
> > > You just need to place the AD user's account in the local administrators
> > > group. You shouldn't need to create any user accounts.
> > >
> > > On most setups, the local users group should contain an administrator
> > > account and a disabled guest account. On XP machines, you'll see a vendor
> > > support account which is also disabled by default.
> > >
> > > The reason your user wasn't seeing the properties was that he was still not
> > > an administrator of the local machine. All you'd done was to create another
> > > account, which happened to have the same name, that had administrator
> > > rights. That was of no benefit for your user, though, because he was
> > > logging in using the AD account.
> > >
> > > Hope this helps
> > >
> > > Oli
> > >
> > > "Andrew" <andrew@fredlewis.com> wrote in message
> > > news:#AuqbQQKDHA.2216@TK2MSFTNGP12.phx.gbl...
> > > > Yes that helps. I guess I've been in the habit of making local accounts also
> > > > on each machine as well as creating the account in the AD. I always thought
> > > > that it was necessary. So I don't need to add the user to the local machine
> > > > as well?
> > > >
> > > > Thanks
> > > >
> > > > "Oli Restorick" <youcanguess@willowhayes.co.uk> wrote in message
> > > > news:O56fwExJDHA.2224@TK2MSFTNGP11.phx.gbl...
> > > > > I would guess that what you've actually ended up doing is to create a new
> > > > > user account on the local machine with the same name as the one on the
> > > > > domain and added this to the local administrators group.
> > > > >
> > > > > I am also guessing that you did this by using the Users and Passwords applet
> > > > > in control panel.
> > > > >
> > > > > The best way to get things straight is as follows:
> > > > >
> > > > > My Computer (right click) | Manage | Computer Management (Local) | System
> > > > > Tools | Local Users and Groups | Users
> > > > >
> > > > > Unless you really want users to have local accounts, you should only see
> > > > > Administrator and Guest in here.
> > > > >
> > > > > If you believe you've mistakenly created a local account, disable it (but
> > > > > don't delete it).
> > > > >
> > > > > Next, go into Local Users and Groups | Groups | Administrators
> > > > >
> > > > > In here, you should see "Administrators" and also "MyDomain\Domain Admins".
> > > > >
> > > > > You may also see a user account here. If it's prefixed by the name of your
> > > > > domain, then you've correctly set it up. If it just lists a user name,
> > > > > you've given a local account administrator privileges rather than the domain
> > > > > account. If so, add the domain account to this group.
> > > > >
> > > > > One other tip is that it's possible to add "INTERACTIVE" to the local
> > > > > administrators group, which results in anyone who logs in at the machine
> > > > > itself being an administrator of that machine, but users accessing it remotely
> > > > > get no additional rights.
> > > > >
> > > > > Hope this helps
> > > > >
> > > > > Oli
> > > > >
> > > > >
> > > > >
> > > > > "Andrew" <andrew@fredlewis.com> wrote in message
> > > > > news:ObZay7tJDHA.2148@TK2MSFTNGP12.phx.gbl...
> > > > > > This company I do work for has a client who needs to be able to install
> > > > > > programs on his local machine and change things. I give him administrative
> > > > > > rights on his local machine but when I go into his network properties it
> > > > > > says the property *** is disabled. The only way I can get it to work is to
> > > > > > give him Domain Admin rights and set that as his primary group.
> > > > > >
> > > > > > I also have a similar issue with QuickBooks 2001. It only works if the user
> > > > > > is a member of the domain admins group and set to primary.
> > > > > >
> > > > > > How do I go about these things that need higher level rights without making
> > > > > > someone a domain admin?
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
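
The procedure described in the quoted replies (inspect the local Administrators group, disable a same-named local account, add the domain account), as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, a domain-joined workstation, and an elevated session; `MYDOMAIN\jsmith` is a placeholder account name.

```powershell
# Added example: run elevated on the user's workstation (Windows PowerShell 5.1+).
# 'MYDOMAIN\jsmith' is a placeholder for the user's domain account.
$DomainAccount = 'MYDOMAIN\jsmith'
$UserName      = $DomainAccount.Split('\')[1]
$LocalShadow   = "$env:COMPUTERNAME\$UserName"

# 1. Report who is in the local Administrators group and where each entry comes from.
$members = @(Get-LocalGroupMember -Group 'Administrators')
$members | ForEach-Object {
    $finding = ''
    if ($_.Name -eq $LocalShadow) {
        $finding = 'local account with the same name as the domain user'
    } elseif ($_.Name -eq 'NT AUTHORITY\INTERACTIVE') {
        $finding = 'anyone logging on at the machine itself is a local administrator'
    }
    [pscustomobject]@{
        Member  = $_.Name             # COMPUTER\name = local, DOMAIN\name = domain
        Class   = $_.ObjectClass
        Source  = $_.PrincipalSource  # e.g. Local or ActiveDirectory
        Finding = $finding
    }
} | Format-Table -AutoSize

# 2. Disable (do not delete) a local account that duplicates the domain user name.
$local = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if ($local -and $local.Enabled) {
    Disable-LocalUser -Name $UserName
}

# 3. Add the domain account itself if it is not already a member.
if ($members.Name -notcontains $DomainAccount) {
    Add-LocalGroupMember -Group 'Administrators' -Member $DomainAccount
}
```

The new membership is picked up at the user's next logon, since group memberships are evaluated when the logon token is built.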