Scott

Distinguished
Apr 1, 2004
1,356
0
19,280
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have a network with domain usig Win 2k server.
I have anew workstation using XP pro sp2. I have created a user account on
the server and the workstation locally for the same user giveing them Admin
rights. However when I login under the domain, it will not allow the user to
install software, only when they are logged in locally.
I need this user to have admin rights for a special sofwtare install, that
the 'Install as Admin.." function does not suffice.
What would be blocking this user for full admin rights on the machine whn
logged in under the domain, even though they are an administrator of the
domain..
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

>I have created a user account on
>the server

This is the domain account. It takes affect when this user logs onto the
domain instead of the local computer.


>and the workstation locally for the same user giveing them Admin
>rights.

This is the users local account. It takes affect when the users selects "log
on to this computer" from the drop down list where the domain is listed when
you go to enter a username and password.


You want the user to log onto the domain and be administrator on this PC,
add their domain account to the local admin group. From their computer when
you go to "add" their account to the admin group change the "location" to
point to your domain and you will get a list of the domain accounts. Find
and add their account from the domain.


hth
DDS W 2k MVP MCSE

"Scott" <Scott@discussions.microsoft.com> wrote in message
news:14CE3C21-AD80-4DFD-BB61-8EE286183C76@microsoft.com...
>I have a network with domain usig Win 2k server.
> I have anew workstation using XP pro sp2. I have created a user account on
> the server and the workstation locally for the same user giveing them
> Admin
> rights. However when I login under the domain, it will not allow the user
> to
> install software, only when they are logged in locally.
> I need this user to have admin rights for a special sofwtare install, that
> the 'Install as Admin.." function does not suffice.
> What would be blocking this user for full admin rights on the machine whn
> logged in under the domain, even though they are an administrator of the
> domain..
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Scott" <Scott@discussions.microsoft.com>

| I have a network with domain usig Win 2k server.
| I have anew workstation using XP pro sp2. I have created a user account on
| the server and the workstation locally for the same user giveing them Admin
| rights. However when I login under the domain, it will not allow the user to
| install software, only when they are logged in locally.
| I need this user to have admin rights for a special sofwtare install, that
| the 'Install as Admin.." function does not suffice.
| What would be blocking this user for full admin rights on the machine whn
| logged in under the domain, even though they are an administrator of the
| domain..

Are tou sure the Domain User group is a member of the local Adnministrators group, rather
than the specific user ?

If you create a user on the PC it is ONLY a local user account. When you participate in a
Domain it is a separate account on that PC.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 

Scott

Distinguished
Apr 1, 2004
1,356
0
19,280
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks Dave,

Are you saying you can make the Domain user group, in this case
Administrators on the domain, a member of the local Administrators group? on
the local machine.
If so how do I do this.

Regards.
Scott



"David H. Lipman" wrote:

> From: "Scott" <Scott@discussions.microsoft.com>
>
> | I have a network with domain usig Win 2k server.
> | I have anew workstation using XP pro sp2. I have created a user account on
> | the server and the workstation locally for the same user giveing them Admin
> | rights. However when I login under the domain, it will not allow the user to
> | install software, only when they are logged in locally.
> | I need this user to have admin rights for a special sofwtare install, that
> | the 'Install as Admin.." function does not suffice.
> | What would be blocking this user for full admin rights on the machine whn
> | logged in under the domain, even though they are an administrator of the
> | domain..
>
> Are tou sure the Domain User group is a member of the local Adnministrators group, rather
> than the specific user ?
>
> If you create a user on the PC it is ONLY a local user account. When you participate in a
> Domain it is a separate account on that PC.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Scott" <Scott@discussions.microsoft.com>

| Thanks Dave,
|
| Are you saying you can make the Domain user group, in this case
| Administrators on the domain, a member of the local Administrators group? on
| the local machine.
| If so how do I do this.
|
| Regards.
| Scott

Throuogh the Control Panel Users and Passwords applet or scripted using NET.EXE

The sub command; net localgroup

to get the syntax execute in a command prompt; net localgroup /?

Example:
net localgroup administrators "Domain_Name\Domain_Group" /add

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <652D68FF-D8D7-4F30-B2C3-7DD2534F7998@microsoft.com>,
Scott@discussions.microsoft.com says...
> Thanks Dave,
>
> Are you saying you can make the Domain user group, in this case
> Administrators on the domain, a member of the local Administrators group? on
> the local machine.
> If so how do I do this.

Open the LOCAL administrators group on the workstation, add the domain
users account to it - this is a very bad idea, it means that users can
do anything they want to the local computers - this is a change of last
resort and should be avoided at all costs - it violates most security
norms.



--

spam999free@rrohio.com
remove 999 in order to email me
 

Scott

Distinguished
Apr 1, 2004
1,356
0
19,280
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks Leythos,

This is for a special install for this user only.

I could then remove this doamin users group from the local workstation again
after I have completed the installl couldn't I?

Scott




"Leythos" wrote:

> In article <652D68FF-D8D7-4F30-B2C3-7DD2534F7998@microsoft.com>,
> Scott@discussions.microsoft.com says...
> > Thanks Dave,
> >
> > Are you saying you can make the Domain user group, in this case
> > Administrators on the domain, a member of the local Administrators group? on
> > the local machine.
> > If so how do I do this.
>
> Open the LOCAL administrators group on the workstation, add the domain
> users account to it - this is a very bad idea, it means that users can
> do anything they want to the local computers - this is a change of last
> resort and should be avoided at all costs - it violates most security
> norms.
>
>
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <A0BF13A3-2B87-4211-98BC-1C832D03734A@microsoft.com>,
Scott@discussions.microsoft.com says...
> Thanks Leythos,
>
> This is for a special install for this user only.
>
> I could then remove this doamin users group from the local workstation again
> after I have completed the installl couldn't I?

Why not just add that DOMAIN users name as in domain\john smith and then
you can leave it for John, but none of the others will have that
permission.

We do this with a single account we create just for allowing a single
user account to logon and install updates - we create an INSTALLER user
that is a domain user, make it a member of the LOCAL ADMINISTRATORS
group, change the password between updates. This means we can tell
select people the INSTALLER password when they need to do updates, but
they can't log onto the server (as a domain user account) with it - they
can install the updates and then we change the password so they can't
use it again. We also set the domain policy so that the locally cached
profiles are deleted when they log off.

--

spam999free@rrohio.com
remove 999 in order to email me