Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Creating Roaming Profiles and Administrative permissions Windows 2003 Server

Posted on 2004-09-29
6
Medium Priority
?
240 Views
Last Modified: 2010-04-19
I've set up a couple of machines on my 2000 domain.
I've copied the user's local profiles over to the roaming profile on the server.
Although it doesn't happen on all of the machines I've done. It has happenned on a couple
where the roaming profile does not have Administrative permissions and I haven't found out where to
give the domain account administrative rights over the machine (the local machine - to install software, etc....)

Is there a setting for this, or do I have to set up a group policy. Or do I have to write a script?
And if I do have to write a script where can I get a script from?
Also I'm still puzzled as to why some accounts on XP machines have administrative rights eventhough they are domain accounts and why some are not.
I noticed that the roaming profiles arent' stored in the User Profiles listing in the System Properties in Control Panel - so how do I manipulate the domain user's permissions?

The same goes for some 2000 machines.

The server is a Windows 2003 server and 2000 and XP machines log onto it.

SJ
0
Comment
Question by:AccessMaster
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 10

Expert Comment

by:BloodRed
ID: 12186386
You can control the local Admin group on client computers via a GPO with the Restricted Groups setting.  Basically, you create a domain security group and add all the domain users whom you wish to have local admin rights on clients to that group, then you use the GPO to specify that domain group as a member of the administrators group.  When that GPO is applied to clients, that group is added to the local administrators group and all users in it have local admin rights.  That can be dangerous though, ensure that you don't apply this GPO to sensitive systems (Exchange boxes, various servers, etc).  

As to why some accounts have local admin rights while others do not, I don't know enuogh about your configuration to make much of a guess.  What domain groups do these accounts belong to?  

What do you mean by "I noticed that the roaming profiles arent' stored in the User Profiles listing in the System Properties in Control Panel - so how do I manipulate the domain user's permissions?" ??  Profiles don't determine a user's permissions, that is done through security group membership.

-BR
0
 

Author Comment

by:AccessMaster
ID: 12188691
I don't have any Exchange servers all I have is a 2000 server and 2003 server on my domain.
The 2000 server is the PDC.
And I've put all the data on the 2003 server.

Do you know of a quick article that will show me how to set up this GPO?
Or can tell me the steps.

Not to confuse you, I used the wrong terminology above when I saisd the roaming proiles arent' stored in the user profiles listing, I meant to say the "user accounts that has the roaming profile isn't stored in the User Profiles listing in the sytem properties in control panel of the local computer".
Actually I think I've found out why some accounts have local admin rights while others don't.
Those accounts that do - are really still local because they are listed on the local machine in the User Accounts as Domainname\useraccount - whereas the useraccounts that don't have admin rights are not listed in the User Accounts listing in Control Panel or on the Advanced tab setting for User Profiles in the System Properties in control panel.

With me clarifying that - do I still need to make a GPO to make this happen?

0
 
LVL 10

Accepted Solution

by:
BloodRed earned 400 total points
ID: 12189313
You can still control the local admin groups via a GPO, here is some info on using the Restricted Groups setting:

http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://support.microsoft.com/default.aspx?scid=kb;en-us;320065
http://support.microsoft.com/default.aspx?scid=kb;en-us;320045

Those articles explain how to configure a GPO and how Restricted Groups works, let me know if that helps.

-BR
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:AccessMaster
ID: 12193184
O.K. I'm just getting to work on this now.
I'll let you know how it's going before 5:00PM
0
 

Author Comment

by:AccessMaster
ID: 12311101
Blood Red or anybody,

I am still having an ordeal with these roaming profiles.
For one thing they cause the machine to take a long time to finally get to the logon screen
and I'm still not clear on how to give a domain user local administrative rights and not domain administrator rights.

I'm specifically having problems getting a 2000 machine to keep the type of a domain user's account as local administrator. Everytime she turns it on the next day it looses all mapped network drives and she doesn't have
local administrative rights at all - even after I give her domain account administrative rights logged on as the local administrator.

SOmebody please help this is an SOS.
0
 

Author Comment

by:AccessMaster
ID: 12569311
It's fixed now, eventhough I've done several steps in addition to the one Blood Mentioned above.
It's not to straight forward at all - for a person that's totally new to this.

Thanks Blood Red for your help - you got me going in the right direction.
Regards...
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question