Re: XP Professional Administrator Account...?

Thank you Lanwench for your help. I am impressed with your knowledge and
would like to get to your level of expertise. I would like to know if you
learned this information from the MVP program or just in day-to-day working on
systems? I was certified as MCSE on NT4 many years ago. I understand the AD
and DNS setups for all my clients. However, I did not continue my certs into
the W2K series... maybe I should! :)
Anyway, your thoughts and comments would be appreciated.
Thank you again!

Kell Jemison - MCSE NT4

"Lanwench [MVP - Exchange]" wrote:

kjemison <kjemison@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Over the years working with W2K Pro and XP Pro on a W2K Domain I have
always had problems with installing programs on the workstations and

Logged onto domain from workstation as Administrator. Navigated to
users and gave the user administrative rights.
Logged out and logged back in under the users account in which I just
gave full administrative rights.
Attempt to install program and the install will fail while copying
files etc with a permissions error. If the user has full
administrative rights, then why does this error occur?

Thank you and I hope I was clear on my description.
Kell Jemison

Firstly, if you have a domain - here's an easier way to control local
permissions for domain users. It's not the only way (there are also
Restricted Groups) but I find this very easy to manage.

Set up AD security groups (universal) called LocalAdmins, LocalPowerUsers,
RDUsers (for Remote Desktop access)

On your DC, create a batch file with the following commands:

net localgroup administrators DOMAIN\localadmins /add
net localgroup "power users" DOMAIN\localpowerusers /add
net localgroup "remote desktop users" DOMAIN\rdusers /add

In Group Policy, create a GPO & link it at the appropriate level in AD (a
custom OU where your computers live, not the built-in Computers OU. You
should have your own OU hierarchy anyway).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server by adding /
removing the domain users from the domain groups. Users shouldn't have any
admin or power user rights, but sometimes when I set up a new user, I often
find I need to add their domain account to LocalAdmins before I log in as
them the first time, in order to install any sw that insists it be installed
by the user him/herself ...then remove them from the domain LocalAdmins
group on the domain when done. However, most software can be installed by
any admin-equivalent account, and then *run* by user accounts.

THAT SAID - if your domain user is in the local administrators group, it
can't be a permissions error. Double check...have the logged in user
right-click on the Start button, and see whether "Explore All Users" is in
the context menu. That's the quickest way to test, in my opinion. If they
don't see Explore All Users, they don't have admin rights.

Some software may insist on being installed by an account called
Administrator, although that's rare.
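
An added example, not part of the original thread: a small Python check that parses captured `net localgroup Administrators` output and flags members outside an expected baseline, such as a user added directly on the workstation or left in place after a software install. The sample output, the `DOMAIN\jsmith` account and the baseline set are constructed assumptions; `DOMAIN\localadmins` is the group named in the thread.

```python
import re

# Constructed sample of `net localgroup Administrators` output from a workstation.
# DOMAIN\localadmins is the group from the thread; DOMAIN\jsmith is a made-up
# account standing in for a user who was added directly and never removed.
SAMPLE_OUTPUT = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
DOMAIN\Domain Admins
DOMAIN\localadmins
DOMAIN\jsmith
The command completed successfully.
"""

# Assumed baseline: built-in account, Domain Admins, and the thread's group.
EXPECTED = {"administrator", r"domain\domain admins", r"domain\localadmins"}


def parse_members(output):
    """Return member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def audit(output, expected=EXPECTED):
    """Compare membership to the baseline (case-insensitive, as Windows names are)."""
    found = {m.lower(): m for m in parse_members(output)}
    unexpected = sorted(name for key, name in found.items() if key not in expected)
    missing = sorted(expected - set(found))
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_OUTPUT)
    for name in unexpected:
        print("unexpected local admin:", name)
    for name in missing:
        print("baseline entry missing:", name)
```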