Solved

Creating Roaming Profiles and Administrative permissions Windows 2003 Server

Posted on 2004-09-29
Last Modified: 2010-04-19
I've set up a couple of machines on my 2000 domain.
I've copied the user's local profiles over to the roaming profile on the server.
Although it doesn't happen on all of the machines I've done, it has happened on a couple
where the roaming profile does not have Administrative permissions and I haven't found out where to
give the domain account administrative rights over the machine (the local machine - to install software, etc.)

Is there a setting for this, or do I have to set up a group policy? Or do I have to write a script?
And if I do have to write a script, where can I get a script from?
Also I'm still puzzled as to why some accounts on XP machines have administrative rights even though they are domain accounts and why some do not.
I noticed that the roaming profiles aren't stored in the User Profiles listing in the System Properties in Control Panel - so how do I manipulate the domain user's permissions?

The same goes for some 2000 machines.

The server is a Windows 2003 server and 2000 and XP machines log onto it.

SJ
Question by:AccessMaster
6 Comments
 
LVL 10

Expert Comment

by:BloodRed
ID: 12186386
You can control the local Admin group on client computers via a GPO with the Restricted Groups setting. Basically, you create a domain security group and add all the domain users whom you wish to have local admin rights on clients to that group, then you use the GPO to specify that domain group as a member of the administrators group. When that GPO is applied to clients, that group is added to the local administrators group and all users in it have local admin rights. That can be dangerous, though; ensure that you don't apply this GPO to sensitive systems (Exchange boxes, various servers, etc).

As to why some accounts have local admin rights while others do not, I don't know enough about your configuration to make much of a guess. What domain groups do these accounts belong to?

What do you mean by "I noticed that the roaming profiles aren't stored in the User Profiles listing in the System Properties in Control Panel - so how do I manipulate the domain user's permissions?" Profiles don't determine a user's permissions; that is done through security group membership.

-BR
0
 

Author Comment

by:AccessMaster
ID: 12188691
I don't have any Exchange servers; all I have is a 2000 server and a 2003 server on my domain.
The 2000 server is the PDC.
And I've put all the data on the 2003 server.

Do you know of a quick article that will show me how to set up this GPO?
Or can you tell me the steps?

Not to confuse you, I used the wrong terminology above when I said the roaming profiles aren't stored in the user profiles listing. I meant to say the "user account that has the roaming profile isn't stored in the User Profiles listing in the system properties in control panel of the local computer".
Actually I think I've found out why some accounts have local admin rights while others don't.
Those accounts that do are really still local, because they are listed on the local machine in the User Accounts as Domainname\useraccount - whereas the user accounts that don't have admin rights are not listed in the User Accounts listing in Control Panel or on the Advanced tab setting for User Profiles in the System Properties in control panel.

With me clarifying that - do I still need to make a GPO to make this happen?

0
 
LVL 10

Accepted Solution

by:
BloodRed earned 100 total points
ID: 12189313
You can still control the local admin groups via a GPO; here is some info on using the Restricted Groups setting:

http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://support.microsoft.com/default.aspx?scid=kb;en-us;320065
http://support.microsoft.com/default.aspx?scid=kb;en-us;320045

Those articles explain how to configure a GPO and how Restricted Groups works; let me know if that helps.

-BR
0
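An added example, not part of the original thread or written by either poster: the Restricted Groups setting described in the answers above is stored in the GPO's security template (GptTmpl.inf) under `[Group Membership]`, where a "Member Of" entry adds a group to local Administrators and a "Members" entry replaces that group's membership. The Python sketch below parses that section and reports which form a template uses; the domain SID and RID 1105 in the sample are constructed placeholders.

```python
# Added example: audit the [Group Membership] section of a GPO security template.
LOCAL_ADMINS = {"*s-1-5-32-544", "administrators"}  # BUILTIN\Administrators

# Constructed sample data: the domain SID and RID 1105 (a "workstation admins"
# group) are placeholders. RID 512 is the well-known Domain Admins group.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*{DOMAIN_SID}-1105__Memberof = *S-1-5-32-544
*{DOMAIN_SID}-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *{DOMAIN_SID}-512
"""


def parse_group_membership(text):
    """Return {(group, 'memberof' | 'members'): [entries]} for the section."""
    rules, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            group, sep, kind = key.strip().rpartition("__")
            if sep:
                rules[(group, kind.lower())] = [
                    v.strip() for v in value.split(",") if v.strip()]
    return rules


def audit_local_admins(text):
    """List how the template changes the local Administrators group."""
    findings = []
    for (group, kind), entries in parse_group_membership(text).items():
        if kind == "memberof" and any(e.lower() in LOCAL_ADMINS for e in entries):
            # "Member Of": the group is added; existing members are kept.
            findings.append(("add", [group]))
        elif kind == "members" and group.lower() in LOCAL_ADMINS:
            # "Members": the list replaces the current membership.
            findings.append(("replace", entries))
    return findings


if __name__ == "__main__":
    for mode, principals in audit_local_admins(SAMPLE_INF):
        print(mode, principals)
```

A template read from SYSVOL is usually UTF-16 encoded, so decode it before passing the text to `audit_local_admins`.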

 

Author Comment

by:AccessMaster
ID: 12193184
O.K. I'm just getting to work on this now.
I'll let you know how it's going before 5:00PM
0
 

Author Comment

by:AccessMaster
ID: 12311101
Blood Red or anybody,

I am still having an ordeal with these roaming profiles.
For one thing they cause the machine to take a long time to finally get to the logon screen
and I'm still not clear on how to give a domain user local administrative rights and not domain administrator rights.

I'm specifically having problems getting a 2000 machine to keep the type of a domain user's account as local administrator. Every time she turns it on the next day it loses all mapped network drives and she doesn't have
local administrative rights at all - even after I give her domain account administrative rights logged on as the local administrator.

Somebody please help, this is an SOS.
0
 

Author Comment

by:AccessMaster
ID: 12569311
It's fixed now, even though I've done several steps in addition to the one Blood mentioned above.
It's not too straightforward at all - for a person that's totally new to this.

Thanks Blood Red for your help - you got me going in the right direction.
Regards...
0
