Sign in with
Sign up | Sign in
Your question

What is the Best way to give AD domain User-x right to con..

Last response: in Windows 2000/NT
Share
Anonymous
May 1, 2005 1:04:01 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

Hello,

Simple: Just wanted to give one of my users the right to configure and
examine his network properties. The "Network Configuration Operators"
group promises to do exactly this. How deceitful Microsoft features can
be.

I Have a fresh install of W2k3 and an xp sp2 box newly joined to the
domain. I put User-X into an OU called Power and also put him into the
Administrators group AND the Network Configuration Operators group.

However, when he clicks on the network properties icon on his xp sp2
box, he always gets, "some of the controls on this property sheet
because you do not have sufficient priviledges to access or change
them."

I tried logging him on/off 3 times and tried gpupdate /force many times.

This is a new w2k3 install and nothing is configured in any GPO. I know
there are gpo administrative templates for various network property
access, but if they are all "not configured" then they should not be
prohibitive right? Shouldn't placing the user in the Network
Configuration Operators group do what I want?

Isn't there an active directory way to allow him to change his network
properties without having to create a local machine account with the
same name and give him admin rights or "network operator rights"
locally?

Anyone been there...done that?


Thanks!

Love,

Poor besotted Admin

More about : give domain user con

Anonymous
May 1, 2005 4:57:13 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

Are you putting the user in the Network Config group on the server or on the
local machine? It would need to be done locally.
You should be able to use Group Policy Restricted Groups to automatically
change membership of local groups.

"Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
news:MPG.1cde663ab85228d09896df@news.easynews.com...
> Hello,
>
> Simple: Just wanted to give one of my users the right to configure and
> examine his network properties. The "Network Configuration Operators"
> group promises to do exactly this. How deceitful Microsoft features can
> be.
>
> I Have a fresh install of W2k3 and an xp sp2 box newly joined to the
> domain. I put User-X into an OU called Power and also put him into the
> Administrators group AND the Network Configuration Operators group.
>
> However, when he clicks on the network properties icon on his xp sp2
> box, he always gets, "some of the controls on this property sheet
> because you do not have sufficient priviledges to access or change
> them."
>
> I tried logging him on/off 3 times and tried gpupdate /force many times.
>
> This is a new w2k3 install and nothing is configured in any GPO. I know
> there are gpo administrative templates for various network property
> access, but if they are all "not configured" then they should not be
> prohibitive right? Shouldn't placing the user in the Network
> Configuration Operators group do what I want?
>
> Isn't there an active directory way to allow him to change his network
> properties without having to create a local machine account with the
> same name and give him admin rights or "network operator rights"
> locally?
>
> Anyone been there...done that?
>
>
> Thanks!
>
> Love,
>
> Poor besotted Admin
Anonymous
May 4, 2005 7:12:58 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

Hi Simon,

Thanks for the informative post! So...there is no way to control the
Network Configuration rights without adding the user to the local
Network Configuration Operators group?

So adding a domain user account to the Network Configuration Operators
group on the domain controller in Active Directory is so that if the
user were to log onto the domain controller he could change the network
settings there, the settings of the DC itself?

I am just trying to understand what adding a user to the Network
Configuration Operators group on the domain controller does.

Thank you very much for your input.

Sincerely,

Burt

From: Simon Geary <simon_geary@hotmail.com>
Newsgroups: microsoft.public.win2000.group_policy,
microsoft.public.windows.server.active_directory

Are you putting the user in the Network Config group on the server or on
the
local machine? It would need to be done locally.
You should be able to use Group Policy Restricted Groups to
automatically
change membership of local groups.

"Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
> Hello,
>
> Simple: Just wanted to give one of my users the right to configure and
> examine his network properties. The "Network Configuration Operators"
> group promises to do exactly this. How deceitful Microsoft features can
> be.
>
> I Have a fresh install of W2k3 and an xp sp2 box newly joined to the
> domain. I put User-X into an OU called Power and also put him into the
> Administrators group AND the Network Configuration Operators group.
>
> However, when he clicks on the network properties icon on his xp sp2
> box, he always gets, "some of the controls on this property sheet
> because you do not have sufficient priviledges to access or change
> them."
>
> I tried logging him on/off 3 times and tried gpupdate /force many times.
>
> This is a new w2k3 install and nothing is configured in any GPO. I know
> there are gpo administrative templates for various network property
> access, but if they are all "not configured" then they should not be
> prohibitive right? Shouldn't placing the user in the Network
> Configuration Operators group do what I want?
>
> Isn't there an active directory way to allow him to change his network
> properties without having to create a local machine account with the
> same name and give him admin rights or "network operator rights"
> locally?
>
> Anyone been there...done that?
>
>
> Thanks!
>
> Love,
>
> Poor besotted Admin


Date: Sun, 1 May 2005 12:57:13 +0100
Related resources
Anonymous
May 4, 2005 2:29:07 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

A DC can't have this groups listed in Computer Management. When you do try
to go to Local Users & Groups on a DC, you get this message in the right
hand pane of the MMC.

The computer <computername> is a domain controller. This snap-in cannot be
used on a domain controller. Domain accounts are managed with the Active
Directory Users and Computers snap-in.

If you have a security group that you created in Active Directory named
Network Configuration Operators, then it will either do nothing if you
haven't configured permissions granularly for it or made it a group of
another group (i.e. Domain Admins). You could conceivably make this group,
add your users, and then create a group policy for Restricted Groups and add
a domain based security group (Network Configuration Operators) to the
Network Configuration Operators on the local pc's. But to answer your
question, it's impossible to add people to the non-existent group on the dc.

Ken

"Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
news:MPG.1ce207c1f96e50139896e0@news.easynews.com...
>
> Hi Simon,
>
> Thanks for the informative post! So...there is no way to control the
> Network Configuration rights without adding the user to the local
> Network Configuration Operators group?
>
> So adding a domain user account to the Network Configuration Operators
> group on the domain controller in Active Directory is so that if the
> user were to log onto the domain controller he could change the network
> settings there, the settings of the DC itself?
>
> I am just trying to understand what adding a user to the Network
> Configuration Operators group on the domain controller does.
>
> Thank you very much for your input.
>
> Sincerely,
>
> Burt
>
> From: Simon Geary <simon_geary@hotmail.com>
> Newsgroups: microsoft.public.win2000.group_policy,
> microsoft.public.windows.server.active_directory
>
> Are you putting the user in the Network Config group on the server or on
> the
> local machine? It would need to be done locally.
> You should be able to use Group Policy Restricted Groups to
> automatically
> change membership of local groups.
>
> "Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
>> Hello,
>>
>> Simple: Just wanted to give one of my users the right to configure and
>> examine his network properties. The "Network Configuration Operators"
>> group promises to do exactly this. How deceitful Microsoft features can
>> be.
>>
>> I Have a fresh install of W2k3 and an xp sp2 box newly joined to the
>> domain. I put User-X into an OU called Power and also put him into the
>> Administrators group AND the Network Configuration Operators group.
>>
>> However, when he clicks on the network properties icon on his xp sp2
>> box, he always gets, "some of the controls on this property sheet
>> because you do not have sufficient priviledges to access or change
>> them."
>>
>> I tried logging him on/off 3 times and tried gpupdate /force many times.
>>
>> This is a new w2k3 install and nothing is configured in any GPO. I know
>> there are gpo administrative templates for various network property
>> access, but if they are all "not configured" then they should not be
>> prohibitive right? Shouldn't placing the user in the Network
>> Configuration Operators group do what I want?
>>
>> Isn't there an active directory way to allow him to change his network
>> properties without having to create a local machine account with the
>> same name and give him admin rights or "network operator rights"
>> locally?
>>
>> Anyone been there...done that?
>>
>>
>> Thanks!
>>
>> Love,
>>
>> Poor besotted Admin
>
>
> Date: Sun, 1 May 2005 12:57:13 +0100
Anonymous
May 4, 2005 10:31:52 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

Hey Ken B,

Thanks for the reply.

Yes...although groups can't be accessed via the local computer's groups
mmc snap-in, as usually found in:

\right-click my computer\manage\local users and groups

....don't the local groups still exist, even on a domain controller? And
although not accessed in the normal way, here is where I accessed
them...and I didn't create the groups - they are built in groups, as
seen in this screen shot:

http://www.geocities.com/invisiblefoxx/groups.jpg

As you can see, I added the domain user to what appear to be local
groups: administrators, domain users, and network configuration
operators.

So my question is, if the network configuration operators group is not
local, then what is it? I thought it would give domain users domain wide
access to the rights of network configuration operators, in the same way
adding someone to the administrators group would.

What exactly are the groups I'm seeing in this screenshot and how
extensive or limited are the rights bestowed when users are added to
them?

I agree...it doesn't make sense that they would be local group
priviledges - that's why I thought adding user1 to the network
configuration operators would have domain wide results instead.

Thanks again for your input!

Burt R.



you wrote:


A DC can't have this groups listed in Computer Management. When you do
try
to go to Local Users & Groups on a DC, you get this message in the right
hand pane of the MMC.

The computer <computername> is a domain controller. This snap-in cannot
be
used on a domain controller. Domain accounts are managed with the
Active
Directory Users and Computers snap-in.

If you have a security group that you created in Active Directory named
Network Configuration Operators, then it will either do nothing if you
haven't configured permissions granularly for it or made it a group of
another group (i.e. Domain Admins). You could conceivably make this
group,
add your users, and then create a group policy for Restricted Groups and
add
a domain based security group (Network Configuration Operators) to the
Network Configuration Operators on the local pc's. But to answer your
question, it's impossible to add people to the non-existent group on the
dc.

Ken
Anonymous
May 4, 2005 10:31:53 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

Aha... it appears as though you are using a 2003 domain... I haven't used
one of those yet. Haven't read up on the functionality and existence of
extra groups not in a 2000 domain.

Sorry, but this is where my knowledge ends ;(

Ken

"Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
news:MPG.1ce2df261513c7999896e1@news.easynews.com...
> Hey Ken B,
>
> Thanks for the reply.
>
> Yes...although groups can't be accessed via the local computer's groups
> mmc snap-in, as usually found in:
>
> \right-click my computer\manage\local users and groups
>
> ...don't the local groups still exist, even on a domain controller? And
> although not accessed in the normal way, here is where I accessed
> them...and I didn't create the groups - they are built in groups, as
> seen in this screen shot:
>
> http://www.geocities.com/invisiblefoxx/groups.jpg
>
> As you can see, I added the domain user to what appear to be local
> groups: administrators, domain users, and network configuration
> operators.
>
> So my question is, if the network configuration operators group is not
> local, then what is it? I thought it would give domain users domain wide
> access to the rights of network configuration operators, in the same way
> adding someone to the administrators group would.
>
> What exactly are the groups I'm seeing in this screenshot and how
> extensive or limited are the rights bestowed when users are added to
> them?
>
> I agree...it doesn't make sense that they would be local group
> priviledges - that's why I thought adding user1 to the network
> configuration operators would have domain wide results instead.
>
> Thanks again for your input!
>
> Burt R.
>
>
>
> you wrote:
>
>
> A DC can't have this groups listed in Computer Management. When you do
> try
> to go to Local Users & Groups on a DC, you get this message in the right
> hand pane of the MMC.
>
> The computer <computername> is a domain controller. This snap-in cannot
> be
> used on a domain controller. Domain accounts are managed with the
> Active
> Directory Users and Computers snap-in.
>
> If you have a security group that you created in Active Directory named
> Network Configuration Operators, then it will either do nothing if you
> haven't configured permissions granularly for it or made it a group of
> another group (i.e. Domain Admins). You could conceivably make this
> group,
> add your users, and then create a group policy for Restricted Groups and
> add
> a domain based security group (Network Configuration Operators) to the
> Network Configuration Operators on the local pc's. But to answer your
> question, it's impossible to add people to the non-existent group on the
> dc.
>
> Ken
Anonymous
May 5, 2005 9:54:39 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

Hey Ken,

Yeah...learn one thing...out comes a new thing :) 

So I am still trying to figure out if the groups I see in this picture
apply locally, domain wide, or both?

http://www.geocities.com/invisiblefoxx/groups.jpg

-BR



In article <e0XwrdOUFHA.3152@TK2MSFTNGP12.phx.gbl>, none@microsoft.com
says...
> Aha... it appears as though you are using a 2003 domain... I haven't used
> one of those yet. Haven't read up on the functionality and existence of
> extra groups not in a 2000 domain.
>
> Sorry, but this is where my knowledge ends ;(
>
> Ken
>
> "Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
> news:MPG.1ce2df261513c7999896e1@news.easynews.com...
> > Hey Ken B,
> >
> > Thanks for the reply.
> >
> > Yes...although groups can't be accessed via the local computer's groups
> > mmc snap-in, as usually found in:
> >
> > \right-click my computer\manage\local users and groups
> >
> > ...don't the local groups still exist, even on a domain controller? And
> > although not accessed in the normal way, here is where I accessed
> > them...and I didn't create the groups - they are built in groups, as
> > seen in this screen shot:
> >
> > http://www.geocities.com/invisiblefoxx/groups.jpg
> >
> > As you can see, I added the domain user to what appear to be local
> > groups: administrators, domain users, and network configuration
> > operators.
> >
> > So my question is, if the network configuration operators group is not
> > local, then what is it? I thought it would give domain users domain wide
> > access to the rights of network configuration operators, in the same way
> > adding someone to the administrators group would.
> >
> > What exactly are the groups I'm seeing in this screenshot and how
> > extensive or limited are the rights bestowed when users are added to
> > them?
> >
> > I agree...it doesn't make sense that they would be local group
> > priviledges - that's why I thought adding user1 to the network
> > configuration operators would have domain wide results instead.
> >
> > Thanks again for your input!
> >
> > Burt R.
> >
> >
> >
> > you wrote:
Anonymous
May 5, 2005 12:20:25 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

Those are all domain-wide groups.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
Anonymous
May 6, 2005 9:16:09 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

Yes...as I originally thought. That's why I added user1 to the domain
wide group network configuration operators, but this seemed to have zero
effect on the workstation user1 uses. (sorry...couldn't avoid the
redundancy)

What is the intended effect of putting a domain user into the group,
because it sure doesn't seem to give the user the ability to even see
the full properties of network options/properties much less change them.

Thanks!

BR


In article <OatDUzWUFHA.628@tk2msftngp13.phx.gbl>,
todd_heron_no_spam@hotmail.com says...
> Those are all domain-wide groups.
>
>
!