Re: Issue in demoting users from Admin to Power Users

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/13/05

    Date: Wed, 13 Apr 2005 01:37:39 -0500
    
    

    Hey Roger.

    I may be shooting in the dark but since these users were working fine as
    local admins it "may" be worth a look in the all users/application
    data/subfolders for lack of permissions if there is a problem with a certain
    application working correctly for the applications that have subfolders
    there. I am not quite clear on what is going on in this situation as far as
    what was done. It seems like an overcomplication of events. --- Steve

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:uLzZZD$PFHA.3928@TK2MSFTNGP09.phx.gbl...
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:Oq1yPP9PFHA.3628@TK2MSFTNGP12.phx.gbl...
    >> Maybe I am missing something but what you are trying to accomplish should
    >> be relatively simple. You remove the user's domain account from the local
    >> administrators group on their computer and add it to the power users
    >> group. That should not affect the way they log on to their computer or
    >> access domain resources. It will however deny them access to resources on
    >> "their" computer that require local administrator rights including in the
    >> all users profile folder and subfolders. By default a user has full
    >> control or modify permissions to their user profile regardless of their
    >> local computer group membership. You might want to try on another
    >> computer to see what happens. On the computer where you are having a
    >> problem, try adding the user back to the local administrators group to
    >> see if the problem goes away. If it does you know you have a permission
    >> problem on that computer that you need to track down. I would look at the
    >> all users profile first if that proves to be the case. --- Steve
    >>
    >
    > Hi Steve,
    > The All Users profile? That did not occur to me.
    > I (at a loss) am curious of your reasoning here.
    > --
    > Roger
    >
    >> "scot welker" <scotwelker@discussions.microsoft.com> wrote in message
    >> news:0D03F372-59C9-474D-8141-8FE51AA723B7@microsoft.com...
    >> > I have found it necessary to remove local admin rights for users on
    >> > their W2K workstations. We went through a conversion of sorts recently
    >> > which required them to be admin for that conversion. Their network user
    >> > names will not be changing so I have demoted to Power User level and
    >> > made sure the existing user profile under documents and settings is
    >> > afforded full rights with this same login name. That way, I assume they
    >> > will log in with the same profile and get the same settings for
    >> > desktop/office/outlook. I have tested this on a machine I set up for
    >> > this purpose and all went fine. I went to do a test with my first real
    >> > user and it says she's using the same profile but nothing carries over.
    >> > In fact, none of her network mapped drives or redirected My Documents
    >> > folder contain anything. We redirect the My Documents folder to a
    >> > folder on the net. Am I missing a step I must do? Since it says she's
    >> > logged in with the same profile (verified by typing 'set' at command
    >> > prompt), what would cause everything including her network drives to
    >> > not come back? In addition, why do her individual user
    >> > settings/preferences not carry over?
    >> >
    >> > Thanks in advance for your assistance
    >>
    >>
    >
    >

