Solved

SBS 2003:  Domain Admin is required for clients (users) to do anything...why?

Posted on 2004-08-30
3
905 Views
Last Modified: 2010-08-05
Hi All,

Can someone explain to me what the difference between Domain Admin, Domain Power User, Local Administrator, and Administrator are on a Windows 2003 SBS domain?

It seems that my users must be Domain Admins to even get the properties of a shortcut on the desktop (for example).  Confused.

Thanks,
Terry
0
Comment
Question by:colepc
3 Comments
 
LVL 20

Expert Comment

by:What90
ID: 11938673
Hello Terry,

Domain Admin = total control of network - only network admins should have these
Domain Power User = have more that standard user right to network system
Local Administrator = Total control of the local machine
Administrator = generalisation

What excatly are you trying to achive? If the users are part of the Domain Users group they should be able to create a shortcut on their desktop unless a Group Policy is blocking them.


Post back with some more details.

Chris
0
 
LVL 12

Accepted Solution

by:
Housenet earned 250 total points
ID: 11938690
Hello,
Here is the deal...
The Domain provides pre-defined groups and users as part of a security context that is central.
PC's and non-domain server have local users and groups.
-When a PC or Server (non dc) join a domain the domain's security context does not eliminate the Local security context, it merges with it. The right combination of domain groups having rights to local resources provides flexable security options based on user and or group membership.

When a PC running NT (NT4,2000 orXP) is joined to a domain, by default the domain controller adds domain administrators to local administrators on the PC and adds the domain users to the local pc users group. If you combine this restrictive set of permissions with a shortcut that also has some security settings assigned you get the results you described.  The solution is this...
1. Log in to the PC as say the domain administrator.
2. Add the group Domain Users to the LOCAL\Administrators.
3. Login as a domain user... The domain user will now have full control of the local PC.
-This is an example... Adding domain users to Power users might be sufficient for your needs and will not allow a user to add new applications that can affect the stability of windows.
0
 

Author Comment

by:colepc
ID: 12119629
Housenet, a belated thanks for your advice.  I've come back to this for a second dose.  Thanks, again!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question