Group membership and rights

Patrick

We have a Win2003 DC (was upgraded from Win2K) and network
is mixed with 2000 & 2003 servers and W2K and XP
workstations. Login scripts are of the .vbs type,
not .bat and run at the OU level.

Problem is, when I place my users in the Domain Users
group as well as custom groups I've created that grant
access to necessary shares, their drives don't map at
login, certain apps don't run, and if the PC doesn't have a
domain user profile already created, they can't even log in.

As a result, I have most of my users in the Domain Admins
group!!!! And that's gotta change!!!

Should I not have users in the Dom Users grp but maybe
Power Users? What local group should the local user
account on the workstation be a member of? Am I totally
screwing something up?

Thanks much in advance,
Patrick
 
Cary Shultz [A.D. MVP]

Patrick,

Are you using Group Policy to 'deliver' your logon scripts?

Let's see an example of your logon script. Since you have all WIN2000 /
WINXP clients you might want to take a look at Richard Mueller's website at
http://www.rlmueller.net as he has some examples of .vbs logon scripts that
map network drives according to group membership.

I might suggest that you take a look at DNS as well. Are all of your
systems - in their TCP/IP configuration settings - pointing to your internal
DNS Server(s)? And by all systems I mean Domain Controllers, Member Servers
and workstations. They should not point to any external DNS Server at all!

Let's start there.

Cary
 
Herb Martin

> Problem is, when I place my users in the Domain Users
> group as well as custom groups I've created that grant
> access to necessary shares, their drives don't map at
> login, certain apps don't run, and if the PC doesn't have a
> domain user profile already created, they can't even log in.
>
> As a result, I have most of my users in the Domain Admins
> group!!!! And that's gotta change!!!

Follow Cary's link, but consider that you likely need to
work on your understanding of permissions on shares
and NTFS volumes (files and directories).

As long as you grant the proper permissions (based on the user's
groups) there is zero reason to put a user in Domain Admins.

AND putting someone in Domain Admins will NOT fix a problem
that could not be fixed by granting the proper access.

> Should I not have users in the Dom Users grp but maybe
> Power Users? What local group should the local user
> account on the workstation be a member of? Am I totally
> screwing something up?

Usually Users, or MAYBE Power Users too, but these MACHINE
groups won't help you at all on DOMAIN resources (network servers.)

Maybe you also have a problem with your scripts or even the GPOs
that are linked to your OUs.

Are they being applied? (GPResult or RSoP will help determine this.)

Do the users have READ+ on the Logon script files? (Without this
they cannot run them.)

Do the users have at least READ+ on the shares to which you map
them? Do they also have at least READ+ on SOME of the files there,
on the file to which they need access?
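
The group-based drive mapping Cary points to, combined with the permission checks in Herb's list, as an added example that is not part of the thread and is not Richard Mueller's code: a VBScript logon script that maps drives by direct group membership and writes the actual failure reason to the workstation's Application event log. The group names, drive letters and \\FILESRV01 shares are hypothetical placeholders.

```vbscript
Option Explicit

' Constructed mapping table: "group|drive|UNC path".
' Group names and \\FILESRV01 shares are hypothetical placeholders.
Dim arrMappings
arrMappings = Array( _
    "Sales-Share-Users|S:|\\FILESRV01\Sales", _
    "Accounting-Share-Users|K:|\\FILESRV01\Accounting")

Dim objSysInfo, objUser, objNetwork, objShell, objGroups, objGroup
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser    = GetObject("LDAP://" & objSysInfo.UserName)
Set objNetwork = CreateObject("WScript.Network")
Set objShell   = CreateObject("WScript.Shell")

' Collect the user's direct group memberships. The Groups collection does
' not include the primary group (normally Domain Users) or nested groups.
Set objGroups = CreateObject("Scripting.Dictionary")
objGroups.CompareMode = vbTextCompare
For Each objGroup In objUser.Groups
    objGroups(objGroup.sAMAccountName) = True
Next

' Map only the drives whose group the user actually belongs to.
Dim strEntry, arrParts
For Each strEntry In arrMappings
    arrParts = Split(strEntry, "|")
    If objGroups.Exists(arrParts(0)) Then
        MapDrive arrParts(1), arrParts(2)
    End If
Next

Sub MapDrive(strDrive, strUNC)
    On Error Resume Next
    objNetwork.MapNetworkDrive strDrive, strUNC
    If Err.Number = 0 Then Exit Sub
    ' Record the real cause instead of failing silently at logon.
    Dim strMsg
    strMsg = "Logon script: " & strDrive & " -> " & strUNC & _
             " failed, 0x" & Hex(Err.Number) & " " & Err.Description
    If Err.Number = -2147024891 Then   ' 0x80070005, access denied
        strMsg = strMsg & " (check share and NTFS permissions for the group)"
    End If
    objShell.LogEvent 2, strMsg        ' 2 = warning
    Err.Clear
End Sub
```

An access-denied entry in the log points at the share or NTFS ACL for that group, which is the thing to correct rather than the user's group membership.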
 
