Creating Roaming Profiles and Administrative permissions Windows 2003 Server

I've set up a couple of machines on my 2000 domain.
I've copied the user's local profiles over to the roaming profile on the server.
Although it doesn't happen on all of the machines I've done. It has happenned on a couple
where the roaming profile does not have Administrative permissions and I haven't found out where to
give the domain account administrative rights over the machine (the local machine - to install software, etc....)

Is there a setting for this, or do I have to set up a group policy. Or do I have to write a script?
And if I do have to write a script where can I get a script from?
Also I'm still puzzled as to why some accounts on XP machines have administrative rights eventhough they are domain accounts and why some are not.
I noticed that the roaming profiles arent' stored in the User Profiles listing in the System Properties in Control Panel - so how do I manipulate the domain user's permissions?

The same goes for some 2000 machines.

The server is a Windows 2003 server and 2000 and XP machines log onto it.

SJ
AccessMasterAsked:
Who is Participating?
 
Justin CAWS Solutions ArchitectCommented:
You can still control the local admin groups via a GPO, here is some info on using the Restricted Groups setting:

http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://support.microsoft.com/default.aspx?scid=kb;en-us;320065
http://support.microsoft.com/default.aspx?scid=kb;en-us;320045

Those articles explain how to configure a GPO and how Restricted Groups works, let me know if that helps.

-BR
0
 
Justin CAWS Solutions ArchitectCommented:
You can control the local Admin group on client computers via a GPO with the Restricted Groups setting.  Basically, you create a domain security group and add all the domain users whom you wish to have local admin rights on clients to that group, then you use the GPO to specify that domain group as a member of the administrators group.  When that GPO is applied to clients, that group is added to the local administrators group and all users in it have local admin rights.  That can be dangerous though, ensure that you don't apply this GPO to sensitive systems (Exchange boxes, various servers, etc).  

As to why some accounts have local admin rights while others do not, I don't know enuogh about your configuration to make much of a guess.  What domain groups do these accounts belong to?  

What do you mean by "I noticed that the roaming profiles arent' stored in the User Profiles listing in the System Properties in Control Panel - so how do I manipulate the domain user's permissions?" ??  Profiles don't determine a user's permissions, that is done through security group membership.

-BR
0
 
AccessMasterAuthor Commented:
I don't have any Exchange servers all I have is a 2000 server and 2003 server on my domain.
The 2000 server is the PDC.
And I've put all the data on the 2003 server.

Do you know of a quick article that will show me how to set up this GPO?
Or can tell me the steps.

Not to confuse you, I used the wrong terminology above when I saisd the roaming proiles arent' stored in the user profiles listing, I meant to say the "user accounts that has the roaming profile isn't stored in the User Profiles listing in the sytem properties in control panel of the local computer".
Actually I think I've found out why some accounts have local admin rights while others don't.
Those accounts that do - are really still local because they are listed on the local machine in the User Accounts as Domainname\useraccount - whereas the useraccounts that don't have admin rights are not listed in the User Accounts listing in Control Panel or on the Advanced tab setting for User Profiles in the System Properties in control panel.

With me clarifying that - do I still need to make a GPO to make this happen?

0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
AccessMasterAuthor Commented:
O.K. I'm just getting to work on this now.
I'll let you know how it's going before 5:00PM
0
 
AccessMasterAuthor Commented:
Blood Red or anybody,

I am still having an ordeal with these roaming profiles.
For one thing they cause the machine to take a long time to finally get to the logon screen
and I'm still not clear on how to give a domain user local administrative rights and not domain administrator rights.

I'm specifically having problems getting a 2000 machine to keep the type of a domain user's account as local administrator. Everytime she turns it on the next day it looses all mapped network drives and she doesn't have
local administrative rights at all - even after I give her domain account administrative rights logged on as the local administrator.

SOmebody please help this is an SOS.
0
 
AccessMasterAuthor Commented:
It's fixed now, eventhough I've done several steps in addition to the one Blood Mentioned above.
It's not to straight forward at all - for a person that's totally new to this.

Thanks Blood Red for your help - you got me going in the right direction.
Regards...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.