Solved

Creating Roaming Profiles and Administrative permissions Windows 2003 Server

Posted on 2004-09-29
6
238 Views
Last Modified: 2010-04-19
I've set up a couple of machines on my 2000 domain.
I've copied the user's local profiles over to the roaming profile on the server.
Although it doesn't happen on all of the machines I've done. It has happenned on a couple
where the roaming profile does not have Administrative permissions and I haven't found out where to
give the domain account administrative rights over the machine (the local machine - to install software, etc....)

Is there a setting for this, or do I have to set up a group policy. Or do I have to write a script?
And if I do have to write a script where can I get a script from?
Also I'm still puzzled as to why some accounts on XP machines have administrative rights eventhough they are domain accounts and why some are not.
I noticed that the roaming profiles arent' stored in the User Profiles listing in the System Properties in Control Panel - so how do I manipulate the domain user's permissions?

The same goes for some 2000 machines.

The server is a Windows 2003 server and 2000 and XP machines log onto it.

SJ
0
Comment
Question by:AccessMaster
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 10

Expert Comment

by:BloodRed
ID: 12186386
You can control the local Admin group on client computers via a GPO with the Restricted Groups setting.  Basically, you create a domain security group and add all the domain users whom you wish to have local admin rights on clients to that group, then you use the GPO to specify that domain group as a member of the administrators group.  When that GPO is applied to clients, that group is added to the local administrators group and all users in it have local admin rights.  That can be dangerous though, ensure that you don't apply this GPO to sensitive systems (Exchange boxes, various servers, etc).  

As to why some accounts have local admin rights while others do not, I don't know enuogh about your configuration to make much of a guess.  What domain groups do these accounts belong to?  

What do you mean by "I noticed that the roaming profiles arent' stored in the User Profiles listing in the System Properties in Control Panel - so how do I manipulate the domain user's permissions?" ??  Profiles don't determine a user's permissions, that is done through security group membership.

-BR
0
 

Author Comment

by:AccessMaster
ID: 12188691
I don't have any Exchange servers all I have is a 2000 server and 2003 server on my domain.
The 2000 server is the PDC.
And I've put all the data on the 2003 server.

Do you know of a quick article that will show me how to set up this GPO?
Or can tell me the steps.

Not to confuse you, I used the wrong terminology above when I saisd the roaming proiles arent' stored in the user profiles listing, I meant to say the "user accounts that has the roaming profile isn't stored in the User Profiles listing in the sytem properties in control panel of the local computer".
Actually I think I've found out why some accounts have local admin rights while others don't.
Those accounts that do - are really still local because they are listed on the local machine in the User Accounts as Domainname\useraccount - whereas the useraccounts that don't have admin rights are not listed in the User Accounts listing in Control Panel or on the Advanced tab setting for User Profiles in the System Properties in control panel.

With me clarifying that - do I still need to make a GPO to make this happen?

0
 
LVL 10

Accepted Solution

by:
BloodRed earned 100 total points
ID: 12189313
You can still control the local admin groups via a GPO, here is some info on using the Restricted Groups setting:

http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://support.microsoft.com/default.aspx?scid=kb;en-us;320065
http://support.microsoft.com/default.aspx?scid=kb;en-us;320045

Those articles explain how to configure a GPO and how Restricted Groups works, let me know if that helps.

-BR
0
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

 

Author Comment

by:AccessMaster
ID: 12193184
O.K. I'm just getting to work on this now.
I'll let you know how it's going before 5:00PM
0
 

Author Comment

by:AccessMaster
ID: 12311101
Blood Red or anybody,

I am still having an ordeal with these roaming profiles.
For one thing they cause the machine to take a long time to finally get to the logon screen
and I'm still not clear on how to give a domain user local administrative rights and not domain administrator rights.

I'm specifically having problems getting a 2000 machine to keep the type of a domain user's account as local administrator. Everytime she turns it on the next day it looses all mapped network drives and she doesn't have
local administrative rights at all - even after I give her domain account administrative rights logged on as the local administrator.

SOmebody please help this is an SOS.
0
 

Author Comment

by:AccessMaster
ID: 12569311
It's fixed now, eventhough I've done several steps in addition to the one Blood Mentioned above.
It's not to straight forward at all - for a person that's totally new to this.

Thanks Blood Red for your help - you got me going in the right direction.
Regards...
0

Featured Post

Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question