Windows 2000 server

Archived from groups: microsoft.public.windowsxp.security_admin

I have a network with a domain using Win 2k server.
I have a new workstation using XP Pro SP2. I have created a user account on
the server and the workstation locally for the same user, giving them Admin
rights. However, when I log in under the domain, it will not allow the user to
install software, only when they are logged in locally.
I need this user to have admin rights for a special software install that
the 'Install as Admin..' function does not suffice for.
What would be blocking this user from full admin rights on the machine when
logged in under the domain, even though they are an administrator of the
domain?
  1.

    >I have created a user account on
    >the server

    This is the domain account. It takes effect when this user logs onto the
    domain instead of the local computer.


    >and the workstation locally for the same user giving them Admin
    >rights.

    This is the user's local account. It takes effect when the user selects "log
    on to this computer" from the drop-down list where the domain is listed when
    you go to enter a username and password.


    If you want the user to log onto the domain and be administrator on this PC,
    add their domain account to the local admin group. From their computer, when
    you go to "add" their account to the admin group, change the "location" to
    point to your domain and you will get a list of the domain accounts. Find
    and add their account from the domain.


    hth
    DDS W 2k MVP MCSE
  2.

    From: "Scott" <Scott@discussions.microsoft.com>

    | I have a network with a domain using Win 2k server.
    | I have a new workstation using XP Pro SP2. I have created a user account on
    | the server and the workstation locally for the same user, giving them Admin
    | rights. However, when I log in under the domain, it will not allow the user to
    | install software, only when they are logged in locally.
    | I need this user to have admin rights for a special software install that
    | the 'Install as Admin..' function does not suffice for.
    | What would be blocking this user from full admin rights on the machine when
    | logged in under the domain, even though they are an administrator of the
    | domain?

    Are you sure the Domain User group is a member of the local Administrators group, rather
    than the specific user?

    If you create a user on the PC it is ONLY a local user account. When you participate in a
    Domain it is a separate account on that PC.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  3.

    Thanks Dave,

    Are you saying you can make the Domain user group, in this case
    Administrators on the domain, a member of the local Administrators group on
    the local machine?
    If so, how do I do this?

    Regards.
    Scott
  4.

    From: "Scott" <Scott@discussions.microsoft.com>

    | Thanks Dave,
    |
    | Are you saying you can make the Domain user group, in this case
    | Administrators on the domain, a member of the local Administrators group on
    | the local machine?
    | If so, how do I do this?
    |
    | Regards.
    | Scott

    Through the Control Panel Users and Passwords applet, or scripted using NET.EXE.

    The subcommand: net localgroup

    To get the syntax, execute in a command prompt: net localgroup /?

    Example:
    net localgroup administrators "Domain_Name\Domain_Group" /add

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  5.

    In article <652D68FF-D8D7-4F30-B2C3-7DD2534F7998@microsoft.com>,
    Scott@discussions.microsoft.com says...
    > Thanks Dave,
    >
    > Are you saying you can make the Domain user group, in this case
    > Administrators on the domain, a member of the local Administrators group on
    > the local machine?
    > If so, how do I do this?

    Open the LOCAL administrators group on the workstation, add the domain
    users account to it - this is a very bad idea, it means that users can
    do anything they want to the local computers - this is a change of last
    resort and should be avoided at all costs - it violates most security
    norms.


    --

    spam999free@rrohio.com
    remove 999 in order to email me
  6.

    Thanks Leythos,

    This is for a special install for this user only.

    I could then remove this domain users group from the local workstation again
    after I have completed the install, couldn't I?

    Scott
  7.

    In article <A0BF13A3-2B87-4211-98BC-1C832D03734A@microsoft.com>,
    Scott@discussions.microsoft.com says...
    > Thanks Leythos,
    >
    > This is for a special install for this user only.
    >
    > I could then remove this domain users group from the local workstation again
    > after I have completed the install, couldn't I?

    Why not just add that DOMAIN user's name as in domain\john smith and then
    you can leave it for John, but none of the others will have that
    permission.

    We do this with a single account we create just for allowing a single
    user account to logon and install updates - we create an INSTALLER user
    that is a domain user, make it a member of the LOCAL ADMINISTRATORS
    group, change the password between updates. This means we can tell
    select people the INSTALLER password when they need to do updates, but
    they can't log onto the server (as a domain user account) with it - they
    can install the updates and then we change the password so they can't
    use it again. We also set the domain policy so that the locally cached
    profiles are deleted when they log off.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
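
An added example, not part of the thread: a Python check over the output of `net localgroup administrators` that flags broad groups in the local Administrators group (the concern in reply 5) and accounts left behind after a temporary grant (replies 6 and 7). The domain name EXAMPLE, the allow-list and the sample output are constructed, and English-language `net` output is assumed.

```python
import re

# Groups whose presence in local Administrators gives admin rights to a broad population.
BROAD_GROUPS = {"domain users", "authenticated users", "everyone"}

def parse_members(net_output):
    """Return the names listed between the dashed rule and the completion line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def audit(net_output, allowed):
    """Flag broad groups and any member that is not on the allow-list."""
    allowed_lc = {name.lower() for name in allowed}
    findings = []
    for member in parse_members(net_output):
        short_name = member.split("\\")[-1].lower()
        if short_name in BROAD_GROUPS:
            findings.append((member, "broad group"))
        elif member.lower() not in allowed_lc:
            findings.append((member, "not on allow-list"))
    return findings

# Constructed sample output and assumed allow-list; EXAMPLE is a placeholder domain.
SAMPLE = r"""Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\Domain Admins
EXAMPLE\Domain Users
EXAMPLE\INSTALLER
EXAMPLE\jsmith
The command completed successfully.
"""
ALLOWED = ["Administrator", r"EXAMPLE\Domain Admins", r"EXAMPLE\INSTALLER"]

if __name__ == "__main__":
    for member, reason in audit(SAMPLE, ALLOWED):
        print(f"{member}: {reason}")
```

Run it against the real command output after an install to confirm that a temporary grant was actually removed.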