Problems with Group Policy

[Steven Hodgen]

Hello,

I'm pretty new to Group Policies and Active Directory in general. I would
greatly appreciate some assistance.

I cannot figure out how to create an account on our LAN domain where the
user has some of the permissions available as a "normal" power-user. For
instance, I cannot install software from the user account. Depending on
the software, this can prevent the software from running right. I've
tried playing the the Group Policy permissions, but I cannot seem to find
the right permissions.

Also, I have a few machines that I want to have VERY low permissions, but
there are times when I need to make changes to that systems configuration,
but it's not possible, since those machines don't have the permissions to
make those changes. So, I wind up having to reset the permissions to some
much higher state, log on and make my changes, then set the permissions
low again. Is there a better way? Can I log into a specific account and
temporarily give that account Admin privs for the duration of that login?

Is there an excellent book or resource which covers these sorts of issues?

Thanks!

 

[David Fisher [MSFT]]

Hello Steve.

There are a number of options available to meet your needs within Active
Directory and user privileges.

First, group policies can be applied to both users and computers. Policies
applied to computers will apply settings that all users of the system will
experience. Alternately, user policies are applied to specific users,
regardless of the computer they logon to.

The Windows 2000 Server Resource kit is an excellent place to start to learn
about Active Directory and Group Policies:
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/
windows2000/techinfo/reskit/en-us/distrib/dsca_pt3_stbp.asp?frame=true
or
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/
windows2000/techinfo/reskit/en-us/distrib/dsca_pt3_stbp.asp?frame=true

A second component to your questions is that you are dealing with
authorization...
Only Administrators are able to install applications and make system-wide
changes to client systems. If you need to run a setup program as an
administrator to install an application, you can use the 'run as' capability
of Windows 2000/XP:
301634 HOW TO: Use the RUN AS Command to Start a Program as an Administrator
in
http://support.microsoft.com/?id=301634

If you are having application issues to due the additional security present
in Windows 2000/XP, you may want to investigate the workstation
compatibility security template:
269259 After Upgrade, Some Programs Do Not Run When You Are Logged In as a
http://support.microsoft.com/?id=269259

David Fisher
Enterprise Platform Support


Hello,

I'm pretty new to Group Policies and Active Directory in general. I would
greatly appreciate some assistance.

I cannot figure out how to create an account on our LAN domain where the
user has some of the permissions available as a "normal" power-user. For
instance, I cannot install software from the user account. Depending on
the software, this can prevent the software from running right. I've
tried playing the the Group Policy permissions, but I cannot seem to find
the right permissions.

Also, I have a few machines that I want to have VERY low permissions, but
there are times when I need to make changes to that systems configuration,
but it's not possible, since those machines don't have the permissions to
make those changes. So, I wind up having to reset the permissions to some
much higher state, log on and make my changes, then set the permissions
low again. Is there a better way? Can I log into a specific account and
temporarily give that account Admin privs for the duration of that login?

Is there an excellent book or resource which covers these sorts of issues?

Thanks!