• Status: Solved

Group Permissions

This is probably a silly question, but I can't find the answer anywhere.

I would like a list of all the groups that are available and what permissions they are granted, before I move users into groups.

I thought Administrators would be able to install applications on their workstations, but apparently not. I have had to assign them to Domain Admins to allow this, which I am not overly enthusiastic about.

But I would just like some info on Group Permissions please, and possibly the difference between Local Groups and Domain Groups?
Hi alanheaton,
What groups exist will depend on how you've set your domain up - the same applies for permissions I'm afraid!

I'll see what I can dig out with regard to default groups.

I can see where your confusion is coming from with the "Administrators" group though.

A "local" group exists just for that individual PC or server.  This group is held on and managed by the individual PC concerned.
Each machine will have its own local "Administrators" group.
Users who are a member of this group have permission to administrate that specific machine.

A "domain" group exists within the entire domain, and not on specific machines.  It's managed by the domain controllers.
"Domain Admins" is a good example of a domain group.

Local groups (such as "Administrators") can contain domain groups (such as "Domain Admins") - but not the other way round.

So, when a PC is added into the domain, the machine will automatically add the domain "Domain Admins" group into its own local "Administrators" group.
This is what allows users in the Domain Admins group to administrate the PC.

Does that make sense?

You're right, setting up your users as Domain Admins is a bad idea.
If you need your users to be administrators of their own local PC, you can add their domain account into the local Administrators group on that PC.
This will then allow them to log in with their domain account, and have administrative access to that PC.  They won't have administrative access to anything else though.

That's a (very!) brief overview of how it works - does that help?

I've just found an article at http://www.brienposey.com/kb/understanding_group_security_1.asp which explains a little about the different types of domain groups.
alanheaton (Author) Commented:
Thanks for that,

But prior to me installing a domain, The user was an Administrator on that PC.

When I added the PC to the domain, I created him as a user, and added him to the Administrators group but he couldn't install anything on his PC. I had to add the Domain Admins group to his user to enable him to do this.

My main concern is that if he is a Domain Admin he will be able to log on to the server ...I THINK?

So I just want to nail him down to installing on that PC

If he is a domain admin, he'll have access to the server - and pretty much anything else on your network.

Just to be clear on how this is set up:

You have a PC, called PC01
You have a domain, called MYDOMAIN

Your user (Fred) was set up as a local user on PC01, before the machine was added to the domain.  At this point he was a local administrator on the machine.
This would mean that you'd added the user PC01\FRED to the local Administrators group on PC01

Note the prefix of the username (PC01\) is the name of the PC on which the account resides.

Now, you created your domain (MYDOMAIN), and created a user in that domain for Fred.
Fred's domain account is now MYDOMAIN\FRED  - once again, his username is prefixed with the name of the machine (or in this case, the domain) in which the account resides.

So - your user is logging in as MYDOMAIN\FRED, and you have PC01\FRED set up as an Administrator on PC01.
Although these may look the same, they are completely different accounts - and the PC knows this.

You therefore need to add MYDOMAIN\FRED to the local Administrators group on PC01.
Fred will then be able to administrate the machine when he logs in with his domain account.

Does that make more sense?
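
As an added example (not part of the original thread), the step described above can be done in PowerShell. It assumes an elevated session on the workstation with the built-in Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1), and uses the thread's placeholder names PC01 and MYDOMAIN\FRED:

```powershell
# Run in an elevated PowerShell session on the workstation (PC01 in the thread).
# MYDOMAIN\FRED is the thread's placeholder account; substitute your own.
$Group   = 'Administrators'
$Account = 'MYDOMAIN\FRED'

# List current members. The prefix before the backslash is the authority that
# owns the account: the computer name for local accounts, the domain otherwise.
$members = Get-LocalGroupMember -Group $Group
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Flag same-named accounts from a different authority (PC01\FRED vs MYDOMAIN\FRED).
# They look alike but are separate accounts with separate SIDs.
$leaf = ($Account -split '\\')[-1]
$lookalikes = $members | Where-Object {
    ($_.Name -split '\\')[-1] -eq $leaf -and $_.Name -ne $Account
}
foreach ($m in $lookalikes) {
    Write-Warning "$($m.Name) is a different account from $Account (source: $($m.PrincipalSource))"
}

# Add the domain account only if it is not already a member, so the user is an
# administrator of this one machine without being placed in Domain Admins.
if ($members.Name -notcontains $Account) {
    Add-LocalGroupMember -Group $Group -Member $Account
    Write-Output "Added $Account to local $Group on $env:COMPUTERNAME"
} else {
    Write-Output "$Account is already in local $Group on $env:COMPUTERNAME"
}
```

The `PrincipalSource` column shows `Local` for accounts held on the PC and `ActiveDirectory` for domain accounts and groups, which makes the Domain Admins entry in the local group visible as well.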
alanheaton (Author) Commented:
Yes Thanks Very Much.

I have got it now

I have had to go into the User Accounts of PC01 and create him as a Power User, which should do the job

Thank You
Glad I could help :-)

