Solved

SBS 2003:  Domain Admin is required for clients (users) to do anything...why?

Posted on 2004-08-30
3
865 Views
Last Modified: 2010-08-05
Hi All,

Can someone explain to me what the difference between Domain Admin, Domain Power User, Local Administrator, and Administrator are on a Windows 2003 SBS domain?

It seems that my users must be Domain Admins to even get the properties of a shortcut on the desktop (for example).  Confused.

Thanks,
Terry
0
Comment
Question by:colepc
3 Comments
 
LVL 20

Expert Comment

by:What90
ID: 11938673
Hello Terry,

Domain Admin = total control of network - only network admins should have these
Domain Power User = have more that standard user right to network system
Local Administrator = Total control of the local machine
Administrator = generalisation

What excatly are you trying to achive? If the users are part of the Domain Users group they should be able to create a shortcut on their desktop unless a Group Policy is blocking them.


Post back with some more details.

Chris
0
 
LVL 12

Accepted Solution

by:
Housenet earned 250 total points
ID: 11938690
Hello,
Here is the deal...
The Domain provides pre-defined groups and users as part of a security context that is central.
PC's and non-domain server have local users and groups.
-When a PC or Server (non dc) join a domain the domain's security context does not eliminate the Local security context, it merges with it. The right combination of domain groups having rights to local resources provides flexable security options based on user and or group membership.

When a PC running NT (NT4,2000 orXP) is joined to a domain, by default the domain controller adds domain administrators to local administrators on the PC and adds the domain users to the local pc users group. If you combine this restrictive set of permissions with a shortcut that also has some security settings assigned you get the results you described.  The solution is this...
1. Log in to the PC as say the domain administrator.
2. Add the group Domain Users to the LOCAL\Administrators.
3. Login as a domain user... The domain user will now have full control of the local PC.
-This is an example... Adding domain users to Power users might be sufficient for your needs and will not allow a user to add new applications that can affect the stability of windows.
0
 

Author Comment

by:colepc
ID: 12119629
Housenet, a belated thanks for your advice.  I've come back to this for a second dose.  Thanks, again!
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
Learn about cloud computing and its benefits for small business owners.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now