XP Professional Adminstraor Account...?

[Guest]

Hello,
Over the years working with W2K Pro and XP Pro on a W2K Domain I have always
had problems with installing programs on the workstations and permissions.

Scenario:
Logged onto domain from workstation as Administrator. Navigated to users and
gave the user administrative rights.
Logged out and logged back in under the users account in which I just gave
full administrative rights.
Attempt to install program and the install will fail while copying files etc
with a permissions error. If the user has full administrative rights, then
why does this error occur?

Thank you and I hope I was clear on my description.
Kell Jemison

 

[Lanwench [MVP - Exchange]]

Hello,
Over the years working with W2K Pro and XP Pro on a W2K Domain I have
always had problems with installing programs on the workstations and
permissions.

Scenario:
Logged onto domain from workstation as Administrator. Navigated to
users and gave the user administrative rights.
Logged out and logged back in under the users account in which I just
gave full administrative rights.
Attempt to install program and the install will fail while copying
files etc with a permissions error. If the user has full
administrative rights, then why does this error occur?

Thank you and I hope I was clear on my description.
Kell Jemison

Firstly, if you have a domain - here's an easier way to control local
permissions for domain users. It's not the only way (there are also
Restricted Groups) but I find this very easy to manage.

------------
Set up AD security groups (universal) called LocalAdmins, LocalPowerUsers,
RDUsers (for Remote Desktop access)

On your DC, create a batch file with the following commands:

.........
net localgroup administrators DOMAIN\localadmins /add
net localgroup power users DOMAIN\localpowerusers /add
net localgroup remote desktop users DOMAIN\rdusers /add
.........

In Group Policy, create a GPO & link it at the appropriate level in AD (a
custom OU where your computers live, not the built-in Computers OU. You
should have your own OU hierarchy anyway).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server by adding /
removing the domain users from the domain groups. Users shouldn't have any
admin or power user rights, but sometimes when I set up a new user, I often
find I need to add their domain account to LocalAdmins before I log in as
them the first time, in order to install any sw that insists it be installed
by the user him/herself ...then remove them from the domain LocalAdmins
group on the domain when done. However, most software can be installed by
any admin-equivalent account, and then *run* by user accounts.

THAT SAID - if your domain user is in the local administrators group, it
can't be a permissions error. Double check...have the logged in user
right-click on the Start button,and see whether "Explore All Users" is in
the context menu. That's the quickest way to test, in my opinion. If they
don't see Explore All Users, they don't have admin rights.

Some software may insist on being installed by an account called
Administrator, although that's rare.

 

[Guest]

Thank you Lanwench for your help. I am impressed with your knowledge and
would like to get to your level of expertise. I would like to know if you
learned this information from the MVP program or just in day to dayworking on
systems? I was certified as MCSE on NT4 many years ago. I understand the AD
and DNS setups for all my clients. However, I did not continue my certs into
the W2K series... maybe I should!
Anyway, your thoughts and comments would be appreciated.
Thank you again!

Sincerely,
Kell Jemison - MCSE NT4

 

[Lanwench [MVP - Exchange]]

Thank you Lanwench for your help. I am impressed with your knowledge
and would like to get to your level of expertise.

Aw, heck. That's very nice of you. I just spend way too much time with this
stuff.

I would like to
know if you learned this information from the MVP program or just in
day to dayworking on systems?

As they say, I just picked it up on the streets. You have to do something
when you have a liberal arts degree and don't want to flip burgers.

I was certified as MCSE on NT4 many
years ago. I understand the AD and DNS setups for all my clients.
However, I did not continue my certs into the W2K series... maybe I
should!

Naw, just get eval copies & set up virtual environments to play with. If
you're a consultant, get into the MS Partner program and look at the
ActionPack....it's a nice deal. Or there's MSDN.

Anyway, your thoughts and comments would be appreciated.
Thank you again!

I never did complete my MCSE back in the NT4 days - did the core tests but
got bored & skipped the rest. Maybe *I* should've proceeded & kept up, but
it hasn't seemed to hurt me so far.

Anyway, thank you for your kind words ...nice to know I've bamboozled you
all into thinking I know what I'm doing!