Re: XP Professional Adminstraor Account...?

kjemison <kjemison@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Thank you Lanwench for your help. I am impressed with your knowledge
and would like to get to your level of expertise.

Aw, heck. That's very nice of you. I just spend way too much time with this

I would like to
know if you learned this information from the MVP program or just in
day to dayworking on systems?

As they say, I just picked it up on the streets. You have to do something
when you have a liberal arts degree and don't want to flip burgers. ;)

I was certified as MCSE on NT4 many
years ago. I understand the AD and DNS setups for all my clients.
However, I did not continue my certs into the W2K series... maybe I
should! :)

Naw, just get eval copies & set up virtual environments to play with. If
you're a consultant, get into the MS Partner program and look at the's a nice deal. Or there's MSDN.

Anyway, your thoughts and comments would be appreciated.
Thank you again!

I never did complete my MCSE back in the NT4 days - did the core tests but
got bored & skipped the rest. Maybe *I* should've proceeded & kept up, but
it hasn't seemed to hurt me so far.

Anyway, thank you for your kind words ...nice to know I've bamboozled you
all into thinking I know what I'm doing! :)

Kell Jemison - MCSE NT4

"Lanwench [MVP - Exchange]" wrote:

kjemison <kjemison@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Over the years working with W2K Pro and XP Pro on a W2K Domain I
have always had problems with installing programs on the
workstations and permissions.

Logged onto domain from workstation as Administrator. Navigated to
users and gave the user administrative rights.
Logged out and logged back in under the users account in which I
just gave full administrative rights.
Attempt to install program and the install will fail while copying
files etc with a permissions error. If the user has full
administrative rights, then why does this error occur?

Thank you and I hope I was clear on my description.
Kell Jemison

Firstly, if you have a domain - here's an easier way to control local
permissions for domain users. It's not the only way (there are also
Restricted Groups) but I find this very easy to manage.

Set up AD security groups (universal) called LocalAdmins,
LocalPowerUsers, RDUsers (for Remote Desktop access)

On your DC, create a batch file with the following commands:

net localgroup administrators DOMAIN\localadmins /add
net localgroup power users DOMAIN\localpowerusers /add
net localgroup remote desktop users DOMAIN\rdusers /add

In Group Policy, create a GPO & link it at the appropriate level in
AD (a custom OU where your computers live, not the built-in
Computers OU. You should have your own OU hierarchy anyway).

Edit the GPO - go to Computer Configuration \ Windows Settings \
Scripts (startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in
the window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied
when they restart, and you can now control all this at the server by
adding / removing the domain users from the domain groups. Users
shouldn't have any admin or power user rights, but sometimes when I
set up a new user, I often find I need to add their domain account
to LocalAdmins before I log in as them the first time, in order to
install any sw that insists it be installed by the user him/herself
...then remove them from the domain LocalAdmins group on the domain
when done. However, most software can be installed by any
admin-equivalent account, and then *run* by user accounts.

THAT SAID - if your domain user is in the local administrators
group, it can't be a permissions error. Double check...have the
logged in user right-click on the Start button,and see whether
"Explore All Users" is in the context menu. That's the quickest way
to test, in my opinion. If they don't see Explore All Users, they
don't have admin rights.

Some software may insist on being installed by an account called
Administrator, although that's rare.