alanheaton
asked on
Group Permissions
This is probably a silly question, but I cant find the answer anywhere.
I would like a list off all the groups that are available and what permissions they are granted, before I move users into groups.
I thought Administrators, would be able to install applications on their workstations, but apparrently not, I have had to assign them to Domain Admins, to allow this. Which I am not overly enthusiatic about?
But I would just like some info on Group Permissions please, and possibly the difference between Local Groups and Domain Groups?
I would like a list off all the groups that are available and what permissions they are granted, before I move users into groups.
I thought Administrators, would be able to install applications on their workstations, but apparrently not, I have had to assign them to Domain Admins, to allow this. Which I am not overly enthusiatic about?
But I would just like some info on Group Permissions please, and possibly the difference between Local Groups and Domain Groups?
I've just found an article at http://www.brienposey.com/kb/understanding_group_security_1.asp which explains a little about the different types of domain groups.
ASKER
Thanx for that,
But prior to me installing a domain, The user was an Administrator on that PC.
When I added the PC to the domain, I created him as a user, and added him to the Administrators group but he couldn't install anything on his PC. I had to add the doamin Admins group to his user to enable him to do this.
My main concern is that if he is a Domain Admin he will be able to log on to the server ...I THINK?
So I just want to nail him down to installing on that PC
But prior to me installing a domain, The user was an Administrator on that PC.
When I added the PC to the domain, I created him as a user, and added him to the Administrators group but he couldn't install anything on his PC. I had to add the doamin Admins group to his user to enable him to do this.
My main concern is that if he is a Domain Admin he will be able to log on to the server ...I THINK?
So I just want to nail him down to installing on that PC
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yes Thanks Very Much.
I have got it now
I have had to go into the user Acccounts of PC01 and create him as a Power User, which should do the job
Thank You
I have got it now
I have had to go into the user Acccounts of PC01 and create him as a Power User, which should do the job
Thank You
Glad I could help :-)
What groups exist will depend on how you've set your domain up - the same applies for permissions I'm afraid!
I'll see what I can dig out with regards default groups.
I can see where your confusion is coming from with the "Administrators" group though.
A "local" group exists just for that individual PC or server. This group is held on and managed by the individual PC concerned.
Each machine will have it's own local "Administrators" group.
Users who are a member of this group have permission to administrate that specific machine.
A "domain" group exists within the entire domain, and not on specific machines. It's managed by the domain controllers.
"Domain Admins" is a good example of a domain group.
Local groups (such as "Administrators") can contain domain groups (such as "Domain Admins") - but not the other way round.
So, when a PC is added into the domain, the machine will automatically add the domain "Domain Admins" group into it's own local "Adminstrators" group.
This is what allows users in the Domain Admins group to administrate the PC.
Does that make sense?
You're rightt, setting up your users as Domain Admins is a bad idea.
If you need your users to be administrators of their own local PC, you can add their domain account into the local Administrators group on that PC.
This will then allow them to log in with their domain account, and have administrative access to that PC. They won't have administrative access to anything else though.
That's a (very!) brief overview of how it works - does that help?