Help needed setting up roaming administrator

Archived from groups: microsoft.public.win2000.security

I hope someone can help me. I'm having a hard time setting up a
roaming profile for a user with Administrative privileges. I have no
trouble setting up roaming profiles in general, but for some reason
they lose their Admin privileges after I set them up as a roaming
profile.

I'm running W2K Pro & Server, w/SP4. I create a local user (i.e.,
JOE_ADMIN) on a W2k Pro machine and make the account a member of the
Admins group. I log in as JOE_ADMIN to create a local profile, then
log out. I've verified that JOE_ADMIN has admin privileges on the
local machine.

In ADUC, I create a user and configure the user properties to save the
roaming profile in a shared PROFILES subdirectory, e.g.,
\\SRV_NAME\PROFILES\JOE_ADMIN. I make JOE a member of the
Administrators group.

Then, back at the workstation, I log in as Administrator and use the
(System Properties->User Profiles) COPY TO command to copy JOE_ADMIN's
local profile from the workstation up to
\\SRV_NAME\PROFILES\JOE_ADMIN. I configure "Permitted to use" so
DOMAIN\JOE_ADMIN can access the profile. Then I log off as
Administrator on the workstation.

When I log in as JOE_ADMIN@DOMAIN at the workstation, JOE's profile
gets downloaded successfully. I can make changes to JOE's desktop and
they get saved in the roaming profile. If I log into another
workstation, the desktop changes are still there. However, JOE is no
longer a member of the local Admins group, even on the original
machine I used to set up the local profile, before promoting it to
being a roaming profile.

Am I missing something, or is there some trick to assigning local
Admin privileges to a user with a roaming profile? There are some
programs I want to run on the local machine that require local admin
privileges, and I'd like to run them even though I'm logged in as a
roaming user. I've run into problems using RUN AS that are a subject
for another day.

I'd appreciate any advice.

Thanks,

- Steve
  1. Archived from groups: microsoft.public.win2000.security

    In article <8nnsi09g91d0qit7uh89uni7k38mgp8hm8@4ax.com>, in the
    microsoft.public.win2000.security news group, Steve Hull
    <msnnews.REMOVE_TO_REPLY@steve-hull.com> says...

    > Am I missing something, or is there some trick to assigning local
    > Admin privileges to a user with a roaming profile? There are some
    > programs I want to run on the local machine that require local admin
    > privileges, and I'd like to run them even though I'm logged in as a
    > roaming user. I've run into problems using RUN AS that are a subject
    > for another day.
    >

    You're totally misunderstanding the subject. You've never made the
    domain\joe_admin account a member of the local administrators group.
    Simply assigning the domain\joe_admin account a profile that has been
    used by a local admin does not make that account a local admin on the
    box.
    --
    Paul Adare
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
  2. Archived from groups: microsoft.public.win2000.security

    OK, I'm confused. I get your point that LOCAL\JOE is not the same
    user as DOMAIN\JOE, but how do I make DOMAIN\JOE a local admin? When
    I'm logged in as DOMAIN\JOE, I can't access any of the local user
    accounts. On the other hand, if I'm logged in as a local admin, I
    can't access any of the DOMAIN user accounts. If I can't access
    DOMAIN\JOE from a local admin's account, I don't know how I can make
    him a member of a local group.

    Thanks,

    - Steve


    On Thu, 26 Aug 2004 18:25:06 -0400, Paul Adare - MVP - Microsoft
    Virtual PC <padare@newsguy.com> wrote:

    >In article <8nnsi09g91d0qit7uh89uni7k38mgp8hm8@4ax.com>, in the
    >microsoft.public.win2000.security news group, Steve Hull
    ><msnnews.REMOVE_TO_REPLY@steve-hull.com> says...
    >
    >> Am I missing something, or is there some trick to assigning local
    >> Admin privileges to a user with a roaming profile? There are some
    >> programs I want to run on the local machine that require local admin
    >> privileges, and I'd like to run them even though I'm logged in as a
    >> roaming user. I've run into problems using RUN AS that are a subject
    >> for another day.
    >>
    >
    >You're totally misunderstanding the subject. You've never made the
    >domain\joe_admin account a member of the local administrators group.
    >Simply assigning the domain\joe_admin account a profile that has been
    >used by a local admin does not make that account a local admin on the
    >box.
  3. Archived from groups: microsoft.public.win2000.security

    In article <idssi012jq6pe167d0fkvk9dapmchar3ek@4ax.com>, in the
    microsoft.public.win2000.security news group, Steve Hull
    <msnnews.REMOVE_TO_REPLY@steve-hull.com> says...

    > OK, I'm confused. I get your point that LOCAL\JOE is not the same
    > user as DOMAIN\JOE, but how do I make DOMAIN\JOE a local admin? When
    > I'm logged in as DOMAIN\JOE, I can't access any of the local user
    > accounts. On the other hand, if I'm logged in as a local admin, I
    > can't access any of the DOMAIN user accounts. If I can't access
    > DOMAIN\JOE from a local admin's account, I don't know how I can make
    > him a member of a local group.
    >

    Log on as the local admin. Try to add domain\joe_admin to the local
    administrators group. You'll be prompted for credentials that have
    permissions to read the AD accounts. Provide the domain\joe_admin
    credentials when prompted and add the account to the local
    administrators account.

    --
    Paul Adare
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
  4. Archived from groups: microsoft.public.win2000.security

    Thanks, Paul. I was able to get DOMAIN\JOE added to the local
    Administrators on one workstation. And, DOMAIN\JOE is set up to use a
    roaming profile.

    This leads to another question. I really don't want to walk around to
    each workstation and manually add DOMAIN\JOE to the local admins
    group. Is there any way to automate this (e.g., GPO, script, etc.)?

    Thanks again,

    - Steve


    On Thu, 26 Aug 2004 20:11:30 -0400, Paul Adare - MVP - Microsoft
    Virtual PC <padare@newsguy.com> wrote:

    >In article <idssi012jq6pe167d0fkvk9dapmchar3ek@4ax.com>, in the
    >microsoft.public.win2000.security news group, Steve Hull
    ><msnnews.REMOVE_TO_REPLY@steve-hull.com> says...
    >
    >> OK, I'm confused. I get your point that LOCAL\JOE is not the same
    >> user as DOMAIN\JOE, but how do I make DOMAIN\JOE a local admin? When
    >> I'm logged in as DOMAIN\JOE, I can't access any of the local user
    >> accounts. On the other hand, if I'm logged in as a local admin, I
    >> can't access any of the DOMAIN user accounts. If I can't access
    >> DOMAIN\JOE from a local admin's account, I don't know how I can make
    >> him a member of a local group.
    >>
    >
    >Log on as the local admin. Try to add domain\joe_admin to the local
    >administrators group. You'll be prompted for credentials that have
    >permissions to read the AD accounts. Provide the domain\joe_admin
    >credentials when prompted and add the account to the local
    >administrators account.
  5. Archived from groups: microsoft.public.win2000.security

    In article <dq5ti0pgulb811ce1c12h2vgotj1967bdv@4ax.com>, in the
    microsoft.public.win2000.security news group, Steve Hull
    <msnnews.REMOVE_TO_REPLY@steve-hull.com> says...

    > This leads to another question. I really don't want to walk around to
    > each workstation and manually add DOMAIN\JOE to the local admins
    > group. Is there any way to automate this (e.g., GPO, script, etc.)?
    >

    You can do this with the Restricted Groups option in Group Policy. You
    really should read up on the feature (in help, and on the Microsoft web
    site) before doing this however. You need to make sure that you set the
    policy at the right place (for example, if you do this at the domain
    level, you're going to wind up adding the account to the Administrators
    group on your Domain Controllers as well as the workstations, which you
    might not want to do). You also want to make sure that you keep the
    default users and groups in the local Administrators group.

    --
    Paul Adare
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
  6. Archived from groups: microsoft.public.win2000.security

    As Paul mentions, Restricted Groups is one option, but it probably will remove existing
    members of the local administrators group from computers on the container where it is
    implemented. Another option is a "startup" script implemented via Group Policy to
    computers within the scope of influence of the policy, such as the Organizational Unit
    level. You can use the net localgroup command. Use net help localgroup for more
    information at the command prompt. For instance, to add domain user Bubba to the Local
    Administrators group use [ net localgroup administrators mydomain\Bubba /add ]. The
    command line tool cusrmgr can also do the same with a batch file. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;322241 --- Group Policy
    scripts and how to configure

    "Paul Adare - MVP - Microsoft Virtual PC" <padare@newsguy.com> wrote in message
    news:MPG.1b98bc09e8ded3d0989a36@msnews.microsoft.com...
    > In article <dq5ti0pgulb811ce1c12h2vgotj1967bdv@4ax.com>, in the
    > microsoft.public.win2000.security news group, Steve Hull
    > <msnnews.REMOVE_TO_REPLY@steve-hull.com> says...
    >
    >> This leads to another question. I really don't want to walk around to
    >> each workstation and manually add DOMAIN\JOE to the local admins
    >> group. Is there any way to automate this (e.g., GPO, script, etc.)?
    >>
    >
    > You can do this with the Restricted Groups option in Group Policy. You
    > really should read up on the feature (in help, and on the Microsoft web
    > site) before doing this however. You need to make sure that you set the
    > policy at the right place (for example, if you do this at the domain
    > level, you're going to wind up adding the account to the Administrators
    > group on your Domain Controllers as well as the workstations, which you
    > might not want to do). You also want to make sure that you keep the
    > default users and groups in the local Administrators group.
    >
    > --
    > Paul Adare
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
  7. Archived from groups: microsoft.public.win2000.security

    Thanks, Steve (and Paul).

    I tried the Restricted Groups approach: created a security group
    called "Roaming Local Admins" and added several user accounts. I also
    created an OU and put the computers in it that I want to use my
    Roaming Local Admins group. Then I added a GPO to the OU and created
    an entry in Restricted Groups for the "Roaming Local Admins" security
    group.

    However, in looking at all the options available in the GPO, I don't
    see how to make the Roaming Local Admins group a member of the local
    Administrators group on the computers in my OU. Although there are
    many options that let me assign most of the functionality of a local
    admin to my Restricted Group, I don't see any option that lets me add
    members to a computer's local Administrators group.

    Next, I set up a startup script with the "net localgroup
    administrators mydomain\Roaming Local Admins /add" command.
    (Actually, I had to put quotes around the domain name\group name.)
    That did the trick!

    Thanks to both of you. I learned a lot.

    - Steve


    On Fri, 27 Aug 2004 15:13:56 GMT, "Steven L Umbach"
    <n9rou@n0-spam-for-me-comcast.net> wrote:

    >As Paul mentions, Restricted Groups is one option, but it probably will remove existing
    >members of the local administrators group from computers on the container where it is
    >implemented. Another option is a "startup" script implemented via Group Policy to
    >computers within the scope of influence of the policy, such as the Organizational Unit
    >level. You can use the net localgroup command. Use net help localgroup for more
    >information at the command prompt. For instance, to add domain user Bubba to the Local
    >Administrators group use [ net localgroup administrators mydomain\Bubba /add ]. The
    >command line tool cusrmgr can also do the same with a batch file. --- Steve
    >
    >http://support.microsoft.com/default.aspx?scid=kb;EN-US;322241 --- Group Policy
    >scripts and how to configure
    >
    >"Paul Adare - MVP - Microsoft Virtual PC" <padare@newsguy.com> wrote in message
    >news:MPG.1b98bc09e8ded3d0989a36@msnews.microsoft.com...
    >> In article <dq5ti0pgulb811ce1c12h2vgotj1967bdv@4ax.com>, in the
    >> microsoft.public.win2000.security news group, Steve Hull
    >> <msnnews.REMOVE_TO_REPLY@steve-hull.com> says...
    >>
    >>> This leads to another question. I really don't want to walk around to
    >>> each workstation and manually add DOMAIN\JOE to the local admins
    >>> group. Is there any way to automate this (e.g., GPO, script, etc.)?
    >>>
    >>
    >> You can do this with the Restricted Groups option in Group Policy. You
    >> really should read up on the feature (in help, and on the Microsoft web
    >> site) before doing this however. You need to make sure that you set the
    >> policy at the right place (for example, if you do this at the domain
    >> level, you're going to wind up adding the account to the Administrators
    >> group on your Domain Controllers as well as the workstations, which you
    >> might not want to do). You also want to make sure that you keep the
    >> default users and groups in the local Administrators group.
    >>
    >> --
    >> Paul Adare
    >> This posting is provided "AS IS" with no warranties, and confers no
    >> rights.
    >
  8. Archived from groups: microsoft.public.win2000.security

    In article <cg01j0dvurfnv68e2aimppvj63es5tbf9l@4ax.com>, in the
    microsoft.public.win2000.security news group, Steve Hull
    <msnnews.REMOVE_TO_REPLY@steve-hull.com> says...

    > Then I added a GPO to the OU and created
    > an entry in Restricted Groups for the "Roaming Local Admins" security
    > group.

    This is where you made your error. You want to create an entry for the
    Administrators group (just type in Administrators, don't browse for it,
    the workstation will figure it out when the policy is applied), and then
    add your Roaming Local Admins group to the Members of this group section
    in the Administrators group Properties.

    > Next, I set up a startup script with the "net localgroup
    > administrators mydomain\Roaming Local Admins /add" command.
    > (Actually, I had to put quotes around the domain name\group name.)
    > That did the trick!

    The reason I don't like this method is that membership is only
    controlled when the computer boots. Once the system is up and running,
    anyone with sufficient privileges can now change the membership of the
    group and it will stay changed until the next time you reboot. With
    Restricted Groups, your settings will be reapplied every time Group
    Policy is refreshed.


    --
    Paul Adare
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
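    What the Restricted Groups entry Paul describes looks like once the GPO editor has written it out, as an added illustration that is not from the thread: the security template lives under the GPO in SYSVOL at Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf. MYDOMAIN, Roaming Local Admins and the GPO are placeholders, and listing members by name rather than by SID assumes the workstation can resolve those names against the domain.

```ini
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; The restricted group is the LOCAL Administrators group, typed in by name
; (well-known SID S-1-5-32-544), not the domain group. That is the point
; Paul makes: the entry is for Administrators, and the domain group goes
; into its member list, not the other way round.
;
; "__Memberof" is the "This group is a member of" list. Leave it empty.
*S-1-5-32-544__Memberof =
;
; "__Members" is the "Members of this group" list. On every Group Policy
; refresh it REPLACES the current membership of local Administrators, so
; keep the default members alongside the new domain group (placeholders).
*S-1-5-32-544__Members = Administrator,MYDOMAIN\Domain Admins,MYDOMAIN\Roaming Local Admins
```

    Link the GPO at the OU that holds only the workstations, not at the domain level, or the same membership is applied to the domain controllers too.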
  9. Archived from groups: microsoft.public.win2000.security

    On Sat, 28 Aug 2004 12:41:41 -0400, Paul Adare - MVP - Microsoft
    Virtual PC <padare@newsguy.com> wrote:

    >In article <cg01j0dvurfnv68e2aimppvj63es5tbf9l@4ax.com>, in the
    >microsoft.public.win2000.security news group, Steve Hull
    ><msnnews.REMOVE_TO_REPLY@steve-hull.com> says...
    >
    >> Then I added a GPO to the OU and created
    >> an entry in Restricted Groups for the "Roaming Local Admins" security
    >> group.
    >
    >This is where you made your error. You want to create an entry for the
    >Administrators group (just type in Administrators, don't browse for it,
    >the workstation will figure it out when the policy is applied), and then
    >add your Roaming Local Admins group to the Members of this group section
    >in the Administrators group Properties.

    I can't figure out how to implement your suggestions. I modified the
    GPO associated with the OU that contains the computers I want to use
    with my Roaming Local Admins group. In that GPO, in the Restricted
    Groups section, I ran "Add Group" and added the Roaming Local Admins
    group. Then I double-clicked on the group name (Roaming Local Admins)
    and it brought up a dialog box that lets me add members to the
    restricted group and to define the groups the restricted group will
    belong to. In the top half of the dialog box, I added 2 domain users
    (Adam and Bob) to the Roaming Local Admins group. In the bottom half
    of the dialog box, I typed in "Administrators" to indicate that we
    want the Restricted Group to be a member of the Administrators group.

    When I log into one of the designated workstations as Adam (or Bob), I
    do not have local Admin privileges.

    ------ Chapter 2 -----
    Ok, so maybe I didn't interpret your instructions correctly. I
    deleted all my entries in the GPO and started again. In the GPO, I
    right-click on "Restricted Groups" and select "Add Group". For a
    group name, I used "Administrators". I right-click on the new,
    "Administrators" Restricted Group and don't get a Properties
    selection, per se. But there is a Security Option that lets me add
    members to the group, and to define which groups my new,
    "Administrators" group will belong. In fact, this is the same screen
    I got to with my first attempt. Once again, I add Adam and Bob to the
    list of members, and also enter "Administrators" in the bottom half of
    the screen to indicate that this Restricted Group should be a member
    of the Administrators group after we log on.

    When I log on at the workstation, I get the following error message:
    "Windows cannot create profile directory
    \\MyServerName\Users\Adam.pds. You will be logged on with a local
    profile only. Changes to the profile will not be propagated to the
    server...."


    >
    >> Next, I set up a startup script with the "net localgroup
    >> administrators mydomain\Roaming Local Admins /add" command.
    >> (Actually, I had to put quotes around the domain name\group name.)
    >> That did the trick!
    >
    >The reason I don't like this method is that membership is only
    >controlled when the computer boots. Once the system is up and running,
    >anyone with sufficient privileges can now change the membership of the
    >group and it will stay changed until the next time you reboot. With
    >Restricted Groups, your settings will be reapplied every time Group
    >Policy is refreshed.
    >

    Anyone with sufficient privileges can change the GPO :)

    Thanks,

    - Steve
  10. Archived from groups: microsoft.public.win2000.security

    In article <cbi1j0p67c2qts5elppdffjnk8onqaftjm@4ax.com>, in the
    microsoft.public.win2000.security news group, Steve Hull
    <msnnews.REMOVE_TO_REPLY@steve-hull.com> says...

    > Anyone with sufficient privileges can change the GPO :)
    >

    Only at the domain level.

    --
    Paul Adare
    This posting is provided "AS IS" with no warranties, and confers no
    rights.