howto: Grant User administrator abilities.

[Justin Dickon]

Hiya,

Haveing a lot of trouble trying to give a domain user (from a Win2k native
mode AD domain) administrative ability on a HP T5700 thin client running
XPe.

First tried with the default user id... added to the local administrators
group. No good.

Essentially, if I logon as "user" and try anything (specifically, double
clicking the My Doc's folder!), the error ""this operation has been
cancelled due to restrictions in effect on this computer. Please contact
ssytem administration".

At first i thought it was a group policy from the domain, so moved the thin
client to its own OU and stopped inheritance of all policy. No good.

Even if I logon as the domain administrator (Dom admins is part of the local
Administrator group), i get the same thing...

Tried to find local security policies but could not find the MMC or any
indication that it is available on the client.

Is it possible that "there can be only one" (The Highlander! )
administrator?

Help.........

Thanks
Justin Dickon

 

[Justin Dickon]

Hi Tony,

Thanks for the idea... and the web site is interesting.

Not quite what I was after tho... I tried your suggestion but it didn't
work. I changed the registry (for both default and user just to be sure),
wrote the changes to memory and rebooted but same error.

I am after being able to open the user accounts "My Doc's" folder but only
so I can access the PocketPC folder which is created after installing
ActiveSync... and then make this folder avialable to the user after they
logon to a terminal server... means that they can save data files to a
mapped drive and have these automatically sent to the PocketPc for later
use.

Have worked around this for now by using the admin account to share the
specific PocketPC folder but should be able to access the My Doc's folder
when logged on as a client and redirect it to a network location which means
not having to have a mapped drive...

It looks like some domain policy (or local policy?) is restricting access to
everything rather than just the hard disk (although i haven't confirmed
this). Have looked at all our group policies and none bar access in the way
i get from this thin client.

I have downloaded the XPe image from HP so am about to try reapplying the
factory image to see if it is a domain policy or specific to the HP build -
if the latter I will have to contact HP...

Note that when logged on as local admin, I can browse the Documents and
settings fodler and see that the local profile has my doc's folder. Also
checked NTFS permissions (from C: down) and ownership just in case but all
looks fine.

Thanks
Justin

If all you are interested in is allowing a domain user to
see the "my documents" folder, modify the following reg
key for the necessary user's profile (and the default
user profile, if necessary):

[Software\Microsoft\Windows\CurrentVersion\Policies\Explor
er]

NoViewOnDrive=DWORD

Possible values:

0x03FFFFFFFF Restrict all drives.
0x3 Restrict A and B drives only.
0x4 Restrict C drive only.
0x8 Restrict D drive only.
0x7 Restrict A, B, and C drives only.
0xF Restrict A, B, C, and D drives only.
0x0 Do not restrict drives. All drives appear.

For a list of group policy related registry settings, see
the Win2k resource kit or the following website (very
useful): http://www.tburke.net/info/regentry/GPRef.htm

HTH,
Tony

-----Original Message-----
Hiya,

Haveing a lot of trouble trying to give a domain user (from a Win2k native
mode AD domain) administrative ability on a HP T5700 thin client running
XPe.

First tried with the default user id... added to the local administrators
group. No good.

Essentially, if I logon as "user" and try anything (specifically, double
clicking the My Doc's folder!), the error ""this operation has been
cancelled due to restrictions in effect on this computer. Please contact
ssytem administration".

At first i thought it was a group policy from the domain, so moved the thin
client to its own OU and stopped inheritance of all policy. No good.

Even if I logon as the domain administrator (Dom admins is part of the local
Administrator group), i get the same thing...

Tried to find local security policies but could not find the MMC or any
indication that it is available on the client.

Is it possible that "there can be only one" (The Highlander! )
administrator?

Help.........

Thanks
Justin Dickon


.

 

[Tony Camilli]

Justin,

Try the following, it worked for me...

Set these to values in HKEY_LOCAL_MACHINE, they will
override the per-user settings:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\E
xplorer]
NoViewOnDrive=dword:0x0 (will allow you view my docs
folder)
NoDrives=dword:0x0 (will allow you to browse entire c:
drive)

HTH,
Tony

-----Original Message-----
Hi Tony,

Thanks for the idea... and the web site is interesting.

Not quite what I was after tho... I tried your suggestion but it didn't
work. I changed the registry (for both default and user just to be sure),
wrote the changes to memory and rebooted but same error.

I am after being able to open the user accounts "My Doc's" folder but only
so I can access the PocketPC folder which is created after installing
ActiveSync... and then make this folder avialable to the user after they
logon to a terminal server... means that they can save data files to a
mapped drive and have these automatically sent to the PocketPc for later
use.

Have worked around this for now by using the admin account to share the
specific PocketPC folder but should be able to access the My Doc's folder
when logged on as a client and redirect it to a network location which means
not having to have a mapped drive...

It looks like some domain policy (or local policy?) is restricting access to
everything rather than just the hard disk (although i haven't confirmed
this). Have looked at all our group policies and none bar access in the way
i get from this thin client.

I have downloaded the XPe image from HP so am about to try reapplying the
factory image to see if it is a domain policy or specific to the HP build -
if the latter I will have to contact HP...

Note that when logged on as local admin, I can browse the Documents and
settings fodler and see that the local profile has my doc's folder. Also
checked NTFS permissions (from C: down) and ownership just in case but all
looks fine.

Thanks
Justin

If all you are interested in is allowing a domain user to
see the "my documents" folder, modify the following reg
key for the necessary user's profile (and the default
user profile, if necessary):

[Software\Microsoft\Windows\CurrentVersion\Policies\Explor
er]

NoViewOnDrive=DWORD

Possible values:

0x03FFFFFFFF Restrict all drives.
0x3 Restrict A and B drives only.
0x4 Restrict C drive only.
0x8 Restrict D drive only.
0x7 Restrict A, B, and C drives only.
0xF Restrict A, B, C, and D drives only.
0x0 Do not restrict drives. All drives appear.

For a list of group policy related registry settings, see
the Win2k resource kit or the following website (very
useful): http://www.tburke.net/info/regentry/GPRef.htm

HTH,
Tony

-----Original Message-----
Hiya,

Haveing a lot of trouble trying to give a domain user (from a Win2k native
mode AD domain) administrative ability on a HP T5700 thin client running
XPe.

First tried with the default user id... added to the local administrators
group. No good.

Essentially, if I logon as "user" and try anything (specifically, double
clicking the My Doc's folder!), the error ""this operation has been
cancelled due to restrictions in effect on this computer. Please contact
ssytem administration".

At first i thought it was a group policy from the domain, so moved the thin
client to its own OU and stopped inheritance of all policy. No good.

Even if I logon as the domain administrator (Dom

admins
is part of the local

Administrator group), i get the same thing...

Tried to find local security policies but could not

find
the MMC or any

indication that it is available on the client.

Is it possible that "there can be only one" (The Highlander! )
administrator?

Help.........

Thanks
Justin Dickon


.

.