Solved

SBS 2003:  Domain Admin is required for clients (users) to do anything...why?

Posted on 2004-08-30
Last Modified: 2010-08-05
Hi All,

Can someone explain to me what the difference between Domain Admin, Domain Power User, Local Administrator, and Administrator is on a Windows 2003 SBS domain?

It seems that my users must be Domain Admins to even get the properties of a shortcut on the desktop (for example).  Confused.

Thanks,
Terry
Question by:colepc
3 Comments
 

Expert Comment

by:What90
ID: 11938673
Hello Terry,

Domain Admin = total control of network - only network admins should have these
Domain Power User = has more than standard user rights to the network system
Local Administrator = Total control of the local machine
Administrator = generalisation

What exactly are you trying to achieve? If the users are part of the Domain Users group they should be able to create a shortcut on their desktop unless a Group Policy is blocking them.


Post back with some more details.

Chris

Accepted Solution

by:
Housenet earned 1000 total points
ID: 11938690
Hello,
Here is the deal...
The Domain provides pre-defined groups and users as part of a security context that is central.
PCs and non-domain servers have local users and groups.
-When a PC or server (non-DC) joins a domain, the domain's security context does not eliminate the local security context; it merges with it. The right combination of domain groups having rights to local resources provides flexible security options based on user and/or group membership.

When a PC running NT (NT4, 2000 or XP) is joined to a domain, by default the domain controller adds domain administrators to local administrators on the PC and adds the domain users to the local PC users group. If you combine this restrictive set of permissions with a shortcut that also has some security settings assigned you get the results you described.  The solution is this...
1. Log in to the PC as say the domain administrator.
2. Add the group Domain Users to the LOCAL\Administrators.
3. Log in as a domain user... The domain user will now have full control of the local PC.
-This is an example... Adding domain users to Power users might be sufficient for your needs and will not allow a user to add new applications that can affect the stability of windows.

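To see which domain groups are nested in a PC's local groups after a change like the steps above, the output of `net localgroup <group>` can be compared with the join-time defaults the answer describes. This is an added example, not part of the original thread; it assumes English-language command output, and the domain name EXAMPLE and the sample output are constructed.

```python
import re

# Join-time defaults as described in the answer above: Domain Admins are added
# to local Administrators and Domain Users to local Users.
JOIN_DEFAULTS = {"Administrators": {"Domain Admins"}, "Users": {"Domain Users"}}
# Prefixes that look like DOMAIN\name but are built-in, not domain principals.
NOT_A_DOMAIN = {"NT AUTHORITY", "BUILTIN"}

# Constructed sample: `net localgroup Administrators` on a PC after step 2 of
# the answer. EXAMPLE is a placeholder domain name.
SAMPLE_ADMINS = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\Domain Admins
EXAMPLE\Domain Users
The command completed successfully.
"""

def parse_net_localgroup(text):
    """Return (local group name, [members]) from English `net localgroup` output."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    alias = next((ln for ln in lines if ln.startswith("Alias name")), None)
    rule = next((i for i, ln in enumerate(lines) if re.fullmatch(r"-{5,}", ln)), None)
    if alias is None or rule is None:
        raise ValueError("not `net localgroup <group>` output")
    members = []
    for ln in lines[rule + 1:]:
        if not ln or ln.startswith("The command completed"):
            break
        members.append(ln)
    return alias[len("Alias name"):].strip(), members

def domain_members_beyond_defaults(text):
    """List domain principals in the local group that the join did not put there."""
    group, members = parse_net_localgroup(text)
    extra = []
    for member in members:
        prefix, sep, name = member.partition("\\")
        if sep and prefix.upper() not in NOT_A_DOMAIN and name not in JOIN_DEFAULTS.get(group, set()):
            extra.append(member)
    return group, extra

if __name__ == "__main__":
    group, extra = domain_members_beyond_defaults(SAMPLE_ADMINS)
    print(f"{group}: domain members beyond join defaults: {extra}")
```

Running the same check against captured output for Power Users and Users shows which local group a domain group was actually added to.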
Author Comment

by:colepc
ID: 12119629
Housenet, a belated thanks for your advice.  I've come back to this for a second dose.  Thanks, again!
Question has a verified solution.