Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Permissions for Groups

Posted on 2006-10-28
9
Medium Priority
?
267 Views
Last Modified: 2010-04-18
I have 6 computers that logon to a server.   With the computers/users that logon to the server, I have noticed that the computer/user is unable to download updates from MS or is unable to install programs... they also don't have permission to change network settings and have no access to a variety of places in their respective desktops... unless I assign the user as a Enterprise Admin.  Then they can do all they want with the workstation.  How can I change it so that the group USERS can have auto updates from MS and be able to install apps on their workstation?

Thank you!
Dave
0
Comment
Question by:Roger_Doger
  • 4
  • 3
9 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 17825711
You can add the users to the *local* Administrators group on the desktops; either the respective domain user accounts, or the Domain Users group. The latter is a bad idea for security reasons, though. In general, it's a security risk to let users install software on their machines, unless they know exactly what to do. Otherwise, you'll soon find your network crawling with worm, virus and trojan that's living out there.
As far as the MS updates are concerned, you can configure auto updates to download and install automatically, so the users don't need to be admins just to keep the machines updated.
0
 

Author Comment

by:Roger_Doger
ID: 17825730
Would I beable to edit the defaul group policy where I can edit system services to auto start and select the level of permission?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 17825751
To achieve what exactly? If your users need to be able to install software, they need to be local administrators; the main question is whether they in fact *do* need to be able to install software.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:Roger_Doger
ID: 17825795
Look, I am learning to use Server 2003, and I have 5 good friends and family members that are using the machines.  Some need to be able to install software for whatever reason... of which I don't care.  I just want to know if I can allow or disallow the installation of software, auto updates, etc through editing the default policy so that these permissions can be granted when someone logs onto the server as a member of the "USERS' group.

Also, the users are members of the local administrators group on their repsective machines.  On each machine they are members of "Administrators"
0
 
LVL 85

Expert Comment

by:oBdA
ID: 17825816
Okay, if the users are members of the local Administrators group, they should be able to do everything they want on the machine. Just make sure that the domain user accounts you've given them are members of the Administrators group, not maybe local accounts of the same name.
0
 

Author Comment

by:Roger_Doger
ID: 17825874
Just to verify... when my brother logins into his account he always logins into the domain as bjacobs and the domain is HazardCo.  The computer name is FrontOffice.  How do I know if his domain user account is a member of the administrator group?  
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1000 total points
ID: 17825908
Right-click "My Computer" on his machine, choose "Manage", go to User Management\Local Groups, and check if the "HazardCo\bjacobs" is listed as member of this group. There should be a little globe behind the head icon, too (instead of a little computer, like the Administrator account).
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
Integration Management Part 2
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question