Issue in demoting users from Admin to Power Users

G

Guest

I have found it necessary to remove local admin rights for users on their W2K
workstations. We went through a conversion of sorts recently which required
them to be admin for that conversion. Their network user names will not be
changing so I have demoted to Power User level and made sure the existing
user profile under documents and settings is afforded full rights with this
same login name. That way, I assume they will login with the same profile
and get the same settings for desktop/office/outlook. I have tested this on
a machine I setup for this purpose and all went fine. I went to do a test
with my first real user and it says she's using the same profile but nothing
carries over. In fact, none of her network mapped drives or redirected My
Documents folder contain anything. We redirect the My Documents folder to a
folder on the net. Am I missing a step I must do? Since it says she's
logged in with the same profile (verified by typing 'set' at command prompt),
what would cause everything including her network drives to not come back?
In addition, why do her individual user settings/preferences not carry over?

Thanks in advance for your assistance
 
S

Steven L Umbach

Maybe I am missing something but what you are trying to accomplish should be
relatively simple. You remove the users domain account from the local
administrators group on their computer and add it to the power users group.
That should not affect they way they logon to their computer or access
domain resources. It will however deny them access to resources on "their"
computer that requires local administrator rights including in the all users
profile folder and subfolders. By default a user has full control or modify
permissions to their user profile regardless of their local computer group
membership. You might want to try on another computer to see what happens.
On the computer where you are having a problem, try adding the user back to
the local administrators group to see if the problem goes away. If it does
you know you have a permission problem on that computer that you need to
track down. I would look at the all users profile first is that proves to be
the case.--- Steve
 
R

Roger Abell

Steven L Umbach said:
Maybe I am missing something but what you are trying to accomplish should be
relatively simple. You remove the users domain account from the local
administrators group on their computer and add it to the power users group.
That should not affect they way they logon to their computer or access
domain resources. It will however deny them access to resources on "their"
computer that requires local administrator rights including in the all users
profile folder and subfolders. By default a user has full control or modify
permissions to their user profile regardless of their local computer group
membership. You might want to try on another computer to see what happens.
On the computer where you are having a problem, try adding the user back to
the local administrators group to see if the problem goes away. If it does
you know you have a permission problem on that computer that you need to
track down. I would look at the all users profile first is that proves to be
the case.--- Steve
Click to expand...

Hi Steve,
The All Users profile ? That did not occur to me.
I (at a loss) am curious of your reasoning here.
 
R

Roger Abell

I have been looking at your post for a day, and am still
rather stumped, based on what is said.
The two things that have occurred to me are:
1. check the share level permissions on the network
share to which you redirect My Documents
(this would only affect the My Docs part of the issue)
2. check the ownership of the profile and its key files
(like ntuser.dat) as I am assuming Administrators will
have been set as Owner if these were first created while
the account was a local admin.
Never-the-less, I do not see how these would give what
you are reporting.
 
S

Steven L Umbach

Hey Roger.

I may be shooting in the dark but since these users were working fine as
local admins it "may" be worth a look in the all users/application
data/subfolders for lack of permissions if there is a problem with a certain
application working correctly for the applications that have subfolders
there. I am not quite clear on what is going on in this situation as far as
what was done. It seems like an over complication of events. --- Steve
 
R

Roger Abell

Steven L Umbach said:
Hey Roger.

I may be shooting in the dark but since these users were working fine as
local admins it "may" be worth a look in the all users/application
data/subfolders for lack of permissions if there is a problem with a certain
application working correctly for the applications that have subfolders
there. I am not quite clear on what is going on in this situation as far as
what was done. It seems like an over complication of events. --- Steve
Click to expand...

I see. Thx Steve. I was, as with rest of this post, having a hard
time seeing what could be at issue, with only group membership
changes of the account, and All Users normally ACL'd for Users.
 
R

Roger Abell

When you removed account from Administrators and placed
instead as member of Power Users, did you also make sure
it was member of Users, or that either Domain Users or
Authenticated Users was still member of the machine local
Users group ?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Demoting users from admin to limited 2
Network Print Issue 6
Deny Simultaneous Logins to All Users EXCEPT Admin? 4
Problems with user accounts/security settings 2
who do I resolve this roaming profile issue? 1
All "Admin" users not identical? 1
Outlook 2003 & 2007: Local & Network Profiles 3
Power Users 1

Top