Change an account's default group

Chris

Hello,

How do you change the default group for an account? From
the account properties page, there is a button that has
that option to change the default group of any given user,
but it is greyed out. There is a note saying that
normally there's no need to change the default group.

Our group is running W2K server on many machines (to take
advantage of some terminal services applications that we
have written to support our customer's requirements). We
have to comply with some pretty specific requirements
based upon what types of accounts can do what things.
Also, I'm not allowed to use any of the builtin accounts.
So, across the domain, we've created three types of
administrators: domadmin, dbadmin, and winadmin.

Now, when these admins are created, they can be added to
any group but the default group (presumably assigned when
the new account was created) cannot be edited and
remains "users". W2K server's default setting does not
permit interactive logons of "users". I can go into
the "log on locally" permission setting and add permission
for each account to logon as a fix. That solution
requires someone to change the permission on every
computer and add every applicable account (Perhaps this
can be scripted, I don't know just yet). It would just be
better to change the default group instead.

Thanks,

--Chris
 
Steven L Umbach

I am not quite sure what your problem is, but you can add or remove any domain
security group you want to the log on locally user right. --- Steve
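
An audit sketch for the approach in the reply above, added here as an example and not part of the original thread: it parses the `[Privilege Rights]` section of a `secedit /export /cfg <file> /areas USER_RIGHTS` template and classifies who holds `SeInteractiveLogonRight` ("log on locally"), so per-account grants stand out from group grants. The sample template, the `EXAMPLE` domain, the `TS-AppUsers` group and the `dbadmin1` account are constructed for illustration.

```python
import re

# Constructed sample of an exported user-rights template (not from a real host).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\dbadmin1,EXAMPLE\\TS-AppUsers
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs that make the right effectively open to every account.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}

def privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names appear as-is.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_interactive_logon(inf_text, approved_groups):
    """Classify each holder of SeInteractiveLogonRight (approved_groups: lowercase names)."""
    findings = []
    for principal in privilege_rights(inf_text).get("SeInteractiveLogonRight", []):
        if principal in BROAD_SIDS:
            findings.append((principal, "broad: " + BROAD_SIDS[principal]))
        elif principal.startswith("S-1-"):
            findings.append((principal, "sid"))
        elif principal.lower() in approved_groups:
            findings.append((principal, "approved group"))
        else:
            findings.append((principal, "review: not an approved group"))
    return findings
```

Calling `audit_interactive_logon(SAMPLE_INF, {"example\\ts-appusers"})` marks the individually granted `EXAMPLE\dbadmin1` for review while the group grant passes.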
 
corn29

Here's the problem...

If I go to ADUC and:
-- right click on a user and select "Properties"
-- Select the "Member Of" tab
-- Go to the "Primary group:" section

The "Set Primary Group" button is greyed out. It is this way for all
users. Is there a way to make this button active so the primary group
of these accounts can be changed?

Thanks,

--Chris
 
Steven L Umbach

Hi Chris. The way to activate it escapes me right now. I know I read about
it recently too which bugs me that I can't recall or find it. I will post
back if I figure it out. ---Steve
 
Lanwench [MVP - Exchange]

The question is, why do you need to change it? I understand it's only there
for legacy purposes - POSIX or something, right?
 
corn29

Steve, thanks for the follow-up... I've been looking (but I guess not
hard enough) for info on how to activate it for a while now. Hope you
can find that resource you're looking for!
 
corn29

Lanwench said:
The question is, why do you need to change it? I understand it's only there
for legacy purposes - POSIX or something, right?

POSIX does not necessarily equate to legacy but that is not in the
scope of this thread... here's why I would like it changed, we have
some applications that were written to work with terminal services.
We can only use these applications on servers (terminal service
limitation). W2K server out of the box does not allow interactive
logons with non-administrators. I don't want to change policies
(e.g., "Log on Locally") and start opening the box up. A more elegant
solution would be to create a custom group that can logon to a server
but cannot change server settings. Then that group would be assigned
as the user's default.

At the very minimum, it's a poor design on MS' part -- and very poorly
documented as well. Why would you put a button on a pane that is
never active? Let's say, for argument's sake, that I do have the
reason to change it that you mentioned in your post. The POSIX files
for W2K exist on my server and the box is still greyed out.

But as I mentioned earlier, talking POSIX in the context of this
thread is mixing apples and oranges.
 
Carrie Garth (MVP)

"corn29@ no_spam excite.com" <corn29 AT excite DOT com> wrote in message
Sent: Monday, October 13, 2003 09:35 AM
<SNIP> ADUC and: -- right click on a user and select "Properties"
-- Select the "Member Of" tab -- Go to the "Primary group:" section

The "Set Primary Group" button is greyed out. It is this way for all
users. Is there a way to make this button active so the primary group
of these accounts can be changed?

The following has a brief explanation as to why the button can be inactive:

TechNet Home | Security | Product and Technology Security Centers | Windows
Security | Windows 2000 Security Hardening Guide: Chapter 5 - Security Configuration
Section: Change the Primary Group Membership of an Account
http://www.microsoft.com/technet/security/prodtech/windows/win2khg/05sconfg.asp

"Observe that when clicking any of the groups in the Member of: window, the Set
Primary Group button will be either active or inactive. The Set Primary Group button
will be active for groups which can be set as primary groups and will be inactive for
groups [that] either cannot be set as primary groups or which are already the primary
group."
 
corn29

Carrie,

Thanks for the reply. That link only identifies how to change the
group provided the button is active. It does not identify why it
becomes inactive nor how to activate it.

--Chris

Carrie Garth (MVP) said:
"corn29@ no_spam excite.com" <corn29 AT excite DOT com> wrote in message
Sent: Monday, October 13, 2003 09:35 AM
<SNIP> ADUC and: -- right click on a user and select "Properties"
-- Select the "Member Of" tab -- Go to the "Primary group:" section

The "Set Primary Group" button is greyed out. It is this way for all
users. Is there a way to make this button active so the primary group
of these accounts can be changed?

The following has a brief explanation as to why the button can be inactive:

TechNet Home | Security | Product and Technology Security Centers | Windows
Security | Windows 2000 Security Hardening Guide: Chapter 5 - Security Configuration
Section: Change the Primary Group Membership of an Account
http://www.microsoft.com/technet/security/prodtech/windows/win2khg/05sconfg.asp

"Observe that when clicking any of the groups in the Member of: window, the Set
Primary Group button will be either active or inactive. The Set Primary Group button
will be active for groups which can be set as primary groups and will be inactive for
groups [that] either cannot be set as primary groups or which are already the primary
group."
 
