Re: Creating a Power Users Group where none exists

From: Chris Porter (anonymous_at_discussions.microsoft.com)
Date: 04/30/04


Date: Thu, 29 Apr 2004 19:06:05 -0700

Thanks! I'm going to give this a shot. I found a document on msft that outlined what the differences were between a power user and a regular user.. after applying all of those settings to files & reg keys.. still nothing. So here's hoping :)

I've tried talking to Intuit about this, but their support database is 'extensive' and has what I would guess to be 3 articles in it about anything.. and their training is just about as good. If I ask about registry keys, their response will probably be something like "so & so has already been married, and their gift registry is closed"

(yeah I'm a bit bummed by them... at the moment)

Oh, and get this.... their 2004 version is out.... still no security stuff taken into account....

Thanks for your help!
-Chris
     
     ----- Steven L Umbach wrote: -----
     
     Hi Chris.
     
     Try contacting the publisher to see if they can tell you what registry/folder
     permissions need to be changed to allow a regular user to run their application.
     Sounds kind of nuts that a 2003 application still requires users to have excessive
     permissions. If they refuse to help or act stupid, then you may try using the free
     tools filemon and regmon from SysInternals to roll your own permissions changes. You
     need to log on as a regular user and then use runas to invoke filemon and then read
     the log where access is denied. Make the necessary change and try again. You may need
     to do the same with regmon.
     
     If that does not work you can apply the compatws.inf template to that server which
     will change permissions so that regular users will have the same permissions as a
     power user but not the additional rights such as the ability to create shares and
     non-admin users, but still not recommended on a domain controller. I don't see how you
     can possibly give them admin permissions to a domain controller because then everyone
     will be a domain administrator and you do NOT want that and may have to resort to
     installing another server to use as TS and not make it a domain controller - believe
     me the cost would be justified. --- Steve
     
     http://www.sysinternals.com/ntw2k/source/filemon.shtml
     http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_SCEdefaultpols.htm
     
     "chrisporter" <news_porter@yarooze.com> wrote in message
     news:5219005D-24D2-47D4-9885-C01C35B881AB@microsoft.com...
     > Hi all,
     >
     > I'm (unfortunately) running Term-Serv on our Domain Controller.. not by choice. The
     > Term-Serv is created specifically for users to connect to quickbooks2003 which
     > requires "Power User" rights or higher. This is fine for all of our XP machines on
     > the network as they offer both local and domain logins.. but my PDC, because it's a PDC,
     > doesn't have a local login anymore, and therefore, no "Power Users Group". It appears
     > that there is no way around this except to give all users Admin rights.. which for
     > obvious reasons is just stupid..
     >
     > Anybody have a workaround, or know the steps to emulate a "power users group" on a
     > Domain Controller?
     >
     > Thanks in advance for your help!
     > -Chris
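
The filemon step described in the quoted reply above (run the application as a regular user, then read the log for denied access), as an added example that is not part of the original thread. It assumes the log was saved as tab-separated text with the columns sequence, time, process:pid, request, path, result, other; `acctapp.exe` and all sample rows are constructed.

```python
import ntpath
from collections import defaultdict

# Constructed sample rows; assumed column order of the saved log:
# sequence, time, process:pid, request, path, result, other
_ROWS = [
    ("1", "10:02:11", "acctapp.exe:1432", "OPEN", r"C:\Program Files\AcctApp\acctapp.ini", "SUCCESS", ""),
    ("2", "10:02:11", "acctapp.exe:1432", "WRITE", r"C:\Program Files\AcctApp\acctapp.ini", "ACCESS DENIED", ""),
    ("3", "10:02:12", "acctapp.exe:1432", "CREATE", r"C:\Program Files\AcctApp\Data\company.lck", "ACCESS DENIED", ""),
    ("4", "10:02:12", "explorer.exe:880", "OPEN", r"C:\Documents and Settings\All Users\Desktop\desktop.ini", "ACCESS DENIED", ""),
    ("5", "10:02:13", "acctapp.exe:1432", "DELETE", r"C:\Program Files\AcctApp\Data\company.lck", "ACCESS DENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS)


def denied_paths(log_text, process_name=None):
    """Map each path that returned ACCESS DENIED to the sorted requests that failed."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # blank, header or truncated line
        process, request, path, result = (f.strip() for f in fields[2:6])
        if process_name and process.split(":")[0].lower() != process_name.lower():
            continue  # noise from other processes in the same session
        if result.upper() == "ACCESS DENIED":
            denied[path].add(request)
    return {path: sorted(reqs) for path, reqs in denied.items()}


def by_directory(denied):
    """Group denied files under their parent directory, where an ACL change would be applied."""
    grouped = defaultdict(list)
    for path in sorted(denied):
        grouped[ntpath.dirname(path)].append(ntpath.basename(path))
    return dict(grouped)


if __name__ == "__main__":
    hits = denied_paths(SAMPLE_LOG, "acctapp.exe")
    for directory, names in by_directory(hits).items():
        print(directory)
        for name in names:
            print("   ", name, hits[ntpath.join(directory, name)])
```

Filtering on the application's process name keeps unrelated denials out of the list, so the permission change stays limited to the directories the application itself was refused.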


