AlecEriksson
asked on
iTunes and XP Pro Permissions
I've recently setup a couple of different XP Pro SP2 systems. These systems are connected through a network to a Win2k3 domain (SBS). The problem is that unless a domain user is set as "administrator" locally they are unable to use iTunes to play CD audio.
Symptoms: Insert CD, iTunes starts, nothing plays or displays in library. If domain user is added to local administrator group, insert CD, iTunes starts, detects tracks and plays.
Thoughts: Domain users on this network are set via group policy on the server to be standard "user" class on workstations so there is no need to add each user to each workstation so they can log in. Usually the only local accounts that exist on the workstations are administrator account and that's it. I'm thinking the solution is somewhere in Group Policy on the server but damned if I can find the setting (among the bazillion in there).
Thanks for any insight!
Symptoms: Insert CD, iTunes starts, nothing plays or displays in library. If domain user is added to local administrator group, insert CD, iTunes starts, detects tracks and plays.
Thoughts: Domain users on this network are set via group policy on the server to be standard "user" class on workstations so there is no need to add each user to each workstation so they can log in. Usually the only local accounts that exist on the workstations are administrator account and that's it. I'm thinking the solution is somewhere in Group Policy on the server but damned if I can find the setting (among the bazillion in there).
Thanks for any insight!
oh if it's the CD drive thing, under domain security policy, under local policy, under security options make sure the setting for "Restrict CD-ROM access to locally logged-in users only" is not diabled for domain users.
cheers,
reid
cheers,
reid
ASKER
My goal is to _not_ give users administrator privs. Guess I should have made that clear. Ultimately I think the users should all be kept as "user" priveleged and I will add this ability (to play CDs via iTunes) to their security settings. Nor do I want to add each user to each workstation (what a hassle even with a script and more to maintain). So I'll poke around in the group policy and let ya know what I find. Will have to wait until Monday at work though.
sounds good. as a test i've treid running itunes on a domain connected workstation as a power user and it seems to be okay, you might try that, the rights are as high as an admin, but are slighly higher than a standard domain user with default GP settings.
ASKER
Weird. I tried it as a local power user Friday and it still wouldn't play.
The plot thickens.
The plot thickens.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I wasn't able to get this problem squared away, but because of rpalmeira22 put in the effort to help me out I've given him the points.
Many thanks, and sorry about the semi-abandoned topic.
Many thanks, and sorry about the semi-abandoned topic.
sorry to hear you never got it going. rather disappointing.
just a random thought, one last thing to try is temporarily bump the user up to admin on that local machine run itunes once, see if it's trying to create some system/hidden files for the user. then demote the user back to power user/user and try it again.
just a random thought, one last thing to try is temporarily bump the user up to admin on that local machine run itunes once, see if it's trying to create some system/hidden files for the user. then demote the user back to power user/user and try it again.
ASKER
Yeah I tried that too actually, so we're thinking along the same lines.
I'm sure there's something in teh group policy editor that I could tweak to make it work, but damned if I can figure out which of the million settings it is. Guess I could contact Apple or Microsoft. But it's not a very serious problem really, in the grand scheme of things.
I'm sure there's something in teh group policy editor that I could tweak to make it work, but damned if I can figure out which of the million settings it is. Guess I could contact Apple or Microsoft. But it's not a very serious problem really, in the grand scheme of things.
bummer. if i get any other ideas i'll drop another line here. at least it's not something of absolute importance.
otherwise the quick and dirty is to make them domain admins as the domain admins are also local admins on a machine as well unless explicitly removed or prevented by GPO.
alternatively you can go about making the user(s) local admins on those machines w/out becoming domain admins. neat reference and short vb script here: http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1065698,00.html?bucket=NEWS
I would take some of the initial advice and setup the AD so that you can just delegate control.