Issue in demoting users from Admin to Power Users

Last response: in Windows 2000/NT
Anonymous
April 11, 2005 5:47:01 PM

Archived from groups: microsoft.public.win2000.security

I have found it necessary to remove local admin rights for users on their W2K
workstations. We went through a conversion of sorts recently which required
them to be admin for that conversion. Their network user names will not be
changing so I have demoted to Power User level and made sure the existing
user profile under documents and settings is afforded full rights with this
same login name. That way, I assume they will log in with the same profile
and get the same settings for desktop/office/outlook. I have tested this on
a machine I set up for this purpose and all went fine. I went to do a test
with my first real user and it says she's using the same profile but nothing
carries over. In fact, none of her network mapped drives or redirected My
Documents folder contain anything. We redirect the My Documents folder to a
folder on the net. Am I missing a step I must do? Since it says she's
logged in with the same profile (verified by typing 'set' at command prompt),
what would cause everything including her network drives to not come back?
In addition, why do her individual user settings/preferences not carry over?

Thanks in advance for your assistance
Anonymous
April 13, 2005 1:51:38 AM

Maybe I am missing something but what you are trying to accomplish should be
relatively simple. You remove the user's domain account from the local
administrators group on their computer and add it to the power users group.
That should not affect the way they log on to their computer or access
domain resources. It will however deny them access to resources on "their"
computer that require local administrator rights including in the all users
profile folder and subfolders. By default a user has full control or modify
permissions to their user profile regardless of their local computer group
membership. You might want to try on another computer to see what happens.
On the computer where you are having a problem, try adding the user back to
the local administrators group to see if the problem goes away. If it does
you know you have a permission problem on that computer that you need to
track down. I would look at the all users profile first if that proves to be
the case. --- Steve

Anonymous
April 13, 2005 3:23:27 AM

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:o q1yPP9PFHA.3628@TK2MSFTNGP12.phx.gbl...
> Maybe I am missing something but what you are trying to accomplish should be
> relatively simple. You remove the user's domain account from the local
> administrators group on their computer and add it to the power users group.
> That should not affect the way they log on to their computer or access
> domain resources. It will however deny them access to resources on "their"
> computer that require local administrator rights including in the all users
> profile folder and subfolders. By default a user has full control or modify
> permissions to their user profile regardless of their local computer group
> membership. You might want to try on another computer to see what happens.
> On the computer where you are having a problem, try adding the user back to
> the local administrators group to see if the problem goes away. If it does
> you know you have a permission problem on that computer that you need to
> track down. I would look at the all users profile first if that proves to be
> the case. --- Steve

Hi Steve,
The All Users profile? That did not occur to me.
I (at a loss) am curious of your reasoning here.
--
Roger

Anonymous
April 13, 2005 3:27:12 AM

I have been looking at your post for a day, and am still
rather stumped, based on what is said.
The two things that have occurred to me are:
1. check the share level permissions on the network
share to which you redirect My Documents
(this would only affect the My Docs part of the issue)
2. check the ownership of the profile and its key files
(like ntuser.dat) as I am assuming Administrators will
have been set as Owner if these were first created while
the account was a local admin.
Nevertheless, I do not see how these would give what
you are reporting.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Anonymous
April 13, 2005 5:37:39 AM

Hey Roger.

I may be shooting in the dark but since these users were working fine as
local admins it "may" be worth a look in the all users/application
data/subfolders for lack of permissions if there is a problem with a certain
application working correctly for the applications that have subfolders
there. I am not quite clear on what is going on in this situation as far as
what was done. It seems like an overcomplication of events. --- Steve

Anonymous
April 14, 2005 2:15:58 AM

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uNMciN$PFHA.2932@TK2MSFTNGP09.phx.gbl...
> Hey Roger.
>
> I may be shooting in the dark but since these users were working fine as
> local admins it "may" be worth a look in the all users/application
> data/subfolders for lack of permissions if there is a problem with a certain
> application working correctly for the applications that have subfolders
> there. I am not quite clear on what is going on in this situation as far as
> what was done. It seems like an overcomplication of events. --- Steve

I see. Thx Steve. I was, as with rest of this post, having a hard
time seeing what could be at issue, with only group membership
changes of the account, and All Users normally ACL'd for Users.

--
Roger

Anonymous
April 14, 2005 2:17:19 AM

When you removed account from Administrators and placed
instead as member of Power Users, did you also make sure
it was member of Users, or that either Domain Users or
Authenticated Users was still member of the machine local
Users group?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
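
The checks suggested across this thread (local group membership after the demotion, including the path to the local Users group, plus the owner and ACL of the profile), collected into one batch file as an added example that is not part of any post. The account name and profile folder are placeholder arguments supplied by the caller, and the script assumes the stock Windows 2000 `net`, `find`, `dir` and `cacls` commands, run as a local administrator on the affected workstation.

```bat
@echo off
rem Added example, not from the thread.
rem Usage: chkdemote.cmd EXAMPLE\jdoe "C:\Documents and Settings\jdoe"
rem Both arguments are placeholders; substitute the real account and folder.
setlocal
set ACCT=%~1
set PROF=%~2
if "%ACCT%"=="" goto usage
if "%PROF%"=="" goto usage

echo == Local group membership for %ACCT% ==
rem find does a substring match, so EXAMPLE\jdoe also matches EXAMPLE\jdoe2.
net localgroup Administrators | find /i "%ACCT%" >nul
if not errorlevel 1 echo [!] still listed in Administrators
net localgroup "Power Users" | find /i "%ACCT%" >nul
if errorlevel 1 echo [!] not listed in Power Users

rem The account needs Users membership, either directly or because
rem Domain Users or Authenticated Users is a member of the local Users group.
set INUSERS=no
net localgroup Users | find /i "%ACCT%" >nul
if not errorlevel 1 set INUSERS=yes
net localgroup Users | find /i "\Domain Users" >nul
if not errorlevel 1 set INUSERS=yes
net localgroup Users | find /i "\Authenticated Users" >nul
if not errorlevel 1 set INUSERS=yes
if "%INUSERS%"=="no" echo [!] no path to local Users membership

echo == Owner of ntuser.dat and ACL of the profile folder ==
rem /q prints the owner column; /a includes the hidden ntuser.dat.
dir /q /a "%PROF%\ntuser.dat"
cacls "%PROF%"
goto :eof

:usage
echo usage: %~nx0 DOMAIN\user "profile folder"
```

Share-level permissions on the redirected My Documents target have to be checked on the file server itself, so they are not covered here.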