Solved

SBS 2003:  Domain Admin is required for clients (users) to do anything...why?

Posted on 2004-08-30
3
915 Views
Last Modified: 2010-08-05
Hi All,

Can someone explain to me what the difference between Domain Admin, Domain Power User, Local Administrator, and Administrator are on a Windows 2003 SBS domain?

It seems that my users must be Domain Admins to even get the properties of a shortcut on the desktop (for example).  Confused.

Thanks,
Terry
0
Comment
Question by:colepc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 20

Expert Comment

by:What90
ID: 11938673
Hello Terry,

Domain Admin = total control of network - only network admins should have these
Domain Power User = have more that standard user right to network system
Local Administrator = Total control of the local machine
Administrator = generalisation

What excatly are you trying to achive? If the users are part of the Domain Users group they should be able to create a shortcut on their desktop unless a Group Policy is blocking them.


Post back with some more details.

Chris
0
 
LVL 12

Accepted Solution

by:
Housenet earned 250 total points
ID: 11938690
Hello,
Here is the deal...
The Domain provides pre-defined groups and users as part of a security context that is central.
PC's and non-domain server have local users and groups.
-When a PC or Server (non dc) join a domain the domain's security context does not eliminate the Local security context, it merges with it. The right combination of domain groups having rights to local resources provides flexable security options based on user and or group membership.

When a PC running NT (NT4,2000 orXP) is joined to a domain, by default the domain controller adds domain administrators to local administrators on the PC and adds the domain users to the local pc users group. If you combine this restrictive set of permissions with a shortcut that also has some security settings assigned you get the results you described.  The solution is this...
1. Log in to the PC as say the domain administrator.
2. Add the group Domain Users to the LOCAL\Administrators.
3. Login as a domain user... The domain user will now have full control of the local PC.
-This is an example... Adding domain users to Power users might be sufficient for your needs and will not allow a user to add new applications that can affect the stability of windows.
0
 

Author Comment

by:colepc
ID: 12119629
Housenet, a belated thanks for your advice.  I've come back to this for a second dose.  Thanks, again!
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question