Greetings,
I am experimenting with a Win2k3 server installation as a DC for a small
home net work of 4 or 5 WinXPpro clients. I have the DC up and running with
DHCP, DNS, Print Server, and File Server responsibilities. I have
established Redirected Folders (My documents, App Data, etc.). I have two
unrelated questions.
First: What are the added benefits of implementing Roaming Profiles? It
seems as if Folder Redirection achieves 90% of what I need (the ability for
all users to access their documents from any computer on the LAN).
Second: Is there an "easy" way to assign a canned set of access privileges
to a group such that my users can actually perform meaningful tasks once
they log onto a domain computer? The default user group "Domain Users"
seems to lack the functionality to allow my users to run/install many
programs. As a work around, I have assigned each of my domain users to a
local user group (WinXP's "super user") on the individual client PCs. While
this seems to work, I suspect that this could easily become a management
nightmare even on my small network.
Thanks,
Dave
You can make them members of the Local Power Users group.
If you need more, you can make them member of the local Administrators group.
Additionally, you can use the Delegation of Control Wizard:
http://support.microsoft.com?kbid=174419 "How to configure a subnetted reverse
lookup zone on Windows NT"
http://support.microsoft.com?kbid=197054 "Active Directory Database Size and
Delegation Access Rights"
http://support.microsoft.com?kbid=201341 "Delegation of Administration Using
Microsoft Management Console"
http://support.microsoft.com?kbid=214739 "Administrative Tool Menu Is Sensitive
to User's Permissions"
http://support.microsoft.com?kbid=221577 "HOW TO Delegate Authority for Editing
a Group Policy Object [GPO]"
http://support.microsoft.com?kbid=229873 "Delegate Control Wizard Cannot Be Used
to Remove Groups or Users"
http://support.microsoft.com?kbid=230263 "How To Create Custom MMC Snap-in Tools
Using Microsoft Management Console"
http://support.microsoft.com?kbid=230669 "Windows 2000 Kerberos 5 Ticket Flags
and KDC Options for AS_REQ and TGS_REQ Messages"
http://support.microsoft.com?kbid=231273 "Group Type and Scope Usage in Windows"
http://support.microsoft.com?kbid=233548 "Organizational Unit Controller Cannot
Edit Group Policy Objects"
http://support.microsoft.com?kbid=235531 "Default Security Concerns in Active
Directory Delegation"
http://support.microsoft.com?kbid=235689 "How to Troubleshoot 7062 Errors Logged
in DNS Event Log"
http://support.microsoft.com?kbid=239004 "HOW TO Allow Non-Root or Enterprise
Administrators to Authorize RIS Servers in Active Directory"
http://support.microsoft.com?kbid=240267 "Administrators Cannot Be Restricted in
Windows 2000"
http://support.microsoft.com?kbid=246721 "Permissions Necessary for Monitoring
Servers Using Active Directory Replication Monitor [Replmon.exe]"
http://support.microsoft.com?kbid=255248 "How To Create a Child Domain in
Active Directory and Delegate the DNS Namespace to the Child Domain"
http://support.microsoft.com?kbid=255913 "Integrating Windows 2000 DNS into an
existing BIND or Windows NT 4.0-based DNS namespace"
http://support.microsoft.com?kbid=256643 "Unable to Prevent DNS Zone
Administrator from Creating New Zones"
http://support.microsoft.com?kbid=258992 "How to Configure Delegate
Administration Permissions For DFS in Windows 2000 Server"
http://support.microsoft.com?kbid=266080 "Answers to frequently asked Kerberos
questions"
http://support.microsoft.com?kbid=271876 "Large Numbers of ACEs in ACLs Impair
Directory Service Performance"
http://support.microsoft.com?kbid=273461 "Network and Dial-Up Connection Icons
Disappear When You Use Dcomcnfg.exe to Set the Default Impersonation Level to
Anonymous"
http://support.microsoft.com?kbid=274062 "Windows 2000-Based Clients Cannot Use
GSSAPI to Delegate to Kerberos Servers"
http://support.microsoft.com?kbid=275715 "HOW TO Delegate Administration of
Group Policies"
http://support.microsoft.com?kbid=279723 "How to Grant Help Desk Personnel the
Specific Right to Unlock Locked User Accounts"
http://support.microsoft.com?kbid=281271 "Windows 2000 Certification Authority
Configuration to Publish Certificates in Active Directory of Trusted Domain"
http://support.microsoft.com?kbid=282524 "List of Bugs Fixed in Windows 2000
Service Pack 2 [2 of 4]"
http://support.microsoft.com?kbid=283904 "How to Add Third-Party Services to the
System Services in Group Policy"
http://support.microsoft.com?kbid=284464 "Account Operators Cannot Modify
FPNW-Enabled Users"
http://support.microsoft.com?kbid=291382 "Frequently Asked Questions About
Windows 2000 DNS and Windows Server 2003 DNS"
http://support.microsoft.com?kbid=294777 "How to Delegate Group Policy Control
to users in Trusted Domain"
http://support.microsoft.com?kbid=294952 "How To Delegate the Unlock Account
Right"
http://support.microsoft.com?kbid=296999 "Minimum Permissions Are Needed for a
Delegated Administrator to Force Password Change at Next Logon Procedure"
http://support.microsoft.com?kbid=298750 "How To Set Up and Configure Remote
Installation Services in Windows 2000"
http://support.microsoft.com?kbid=300483 "How To Use Remote Installation Service
to Install Windows 2000 Professional on Remote Computers"
http://support.microsoft.com?kbid=300549 "How To Enable and Apply Security
Auditing in Windows 2000"
http://support.microsoft.com?kbid=301190 "How To Integrate Windows 2000 DNS with
an Existing DNS Infrastructure in Windows 2000"
http://support.microsoft.com?kbid=301191 "How To Integrate DNS with Existing
DNS Infrastructure If Active Directory Is Enabled in Windows 2000"
http://support.microsoft.com?kbid=308404 "How to customize the task list in the
Delegation Wizard"
http://support.microsoft.com?kbid=310997 "Active Directory Services and Windows
2000 or Windows Server 2003 Domains [Part 2]"
http://support.microsoft.com?kbid=311465 "You Cannot Delegate Trusted Domain
Object Creation"
http://support.microsoft.com?kbid=315676 "HOW TO Delegate Administrative
Authority in Windows 2000"
http://support.microsoft.com?kbid=318480 "HOW TO Create and Configure an Active
Directory Site in Windows 2000"
http://support.microsoft.com?kbid=320054 "HOW TO Manage Groups in Active
Directory in Windows 2000"
http://support.microsoft.com?kbid=811172 "Lsass.exe Spikes at 100 Percent CPU
Usage and Then Shows a Typical Load for 60 Minutes Before Spiking Again"
http://support.microsoft.com?kbid=816818 "'Picker cannot open because it cannot
determine whether ltNetwork Name Resourcegt is joined to a domain' error
message"
http://support.microsoft.com?kbid=817433 "Delegated permissions are not
available and inheritance is automatically disabled"
http://support.microsoft.com?kbid=818091 "How to Grant Permission to Move
Computer Accounts to a User or Group"
http://support.microsoft.com?kbid=822377 "Failure audit event ID 628 occurs when
the domain local group member changes the password of another account"
http://support.microsoft.com?kbid=833323 "The user is not prompted to change the
password when the 'User must change password at next logon' check box is
selected in Windows 2000 Server"
http://support.microsoft.com?kbid=837513 "Domain controller is not functioning
correctly"
Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com