Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 209
  • Last Modified:

DC User 500pt

I have users on my dc.

I loged in 1st time with a user and on his local machine I tried to install software it wouldn't let me install it.

what persmission does this user have to have on the DC?
0
intellie_ex
Asked:
intellie_ex
  • 4
  • 3
1 Solution
 
oBdACommented:
On the DC? NONE!
If anything, the user needs *LOCAL* administrator rights on "his" workstation (by joining his domain account to the Administrators group on the workstation).
But you should avoid it to give a user these permissions; it's a security hole, unless there is a good reason for the user to have administrative rights.
You usuall can install software when logged on as (domain) administrator, then the user should be able to use the software as well.
0
 
intellie_exAuthor Commented:
So if I log on to the clients machine as dc admin. Install, ms office and any other software I want that user to use. Then I log in as that user, and I'll be able to use ms office, configure outlook and run all the software I just installed as the DC admin?
0
 
intellie_exAuthor Commented:
But you see the problem is that the company uses a program that the local client machines connect to . This program gets updated. So if the server was updated and the user tries to login, it will tell him to update. they click ok and it will auto install the update localy. But with no right it will not. so how do i go around thaT?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
oBdACommented:
Yes, that's how it should be, and is in most cases (Office is no problem at all).
You might stumble over some ancient software or something written by someone still unaware of the fact that operating systems with restricted permissions do exist, which might throw some problems when started by a regular user. These are usually permission problems that can be fixed in most cases.
In a case like that, to find out which permissions are missing where, get FileMon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) and RegMon (http://www.sysinternals.com/ntw2k/source/regmon.shtml) from Sysinternals.
Log on as a regular user without additional rights. Start FileMon and RegMon using runas and an administrative account. Filter both to log only the application.
Start the application, check for errors. Adjust NTFS or registry (using regedt32) permissions until you can run the software as user.
But as I said, most software works okay under a user account.

As for your special program, you need to find out which permissions are needed; either through the company that wrote the software, or through the mechanism described above.
Otherwise, if the program can be updated manually (without the user logging on, by executing a program), you can use a *startup* (not logon) script in a GPO to run the command; this will run with system permissions.
Another possibility is to try to give the user Power User permissions; this should be (more than) enough for an update.

0
 
intellie_exAuthor Commented:
That's another thing. I don't have Power User in my DC.
0
 
oBdACommented:
As before: your user do NOT need any additional permissions on the DC; Power Users is a local group on the workstations.
0
 
intellie_exAuthor Commented:
Ok I think i got it. will play around... also if you can help me here

http://www.experts-exchange.com/Databases/Microsoft_SQL_Server/Q_21892599.html
0

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now