Solved

SBS2011 Domain Profile user rights on Server and Workstation

Posted on 2014-03-19
6
854 Views
Last Modified: 2014-04-01
I have a SBS2011 and Win 7 Pro 64 bit workstations. We have a shared folder and "everyone" has full control. Is this automatically all users? Can I look at this group? I do not see it listed.

We are having an issue with timeslips 2014.  WE are being told that is has something to do with user permission levels. My questions are about user permissions, workstations rights and domain profile rights.  

Question:

If I install a new workstation and login with the existing domain profile...how does that effect the users rights on the workstation. I ask because the user was not really created as a user first and then added to the domain.  How do I ensure that user has administrative rights at the workstation?

2nd question

The client does not want the "users" to have administrative rights. Is "power user" the way to go or leave the users at just "users". I want to grant as much acess as possible with out allowing the use to delete system files. I also want the user profile to be able to install software on their workstations.

Thank you
0
Comment
Question by:Joemt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940786
1. A user's rights depends on the local administrator group settings of the workstation. E.g. if the A.D. group Domain Admins is listed in a workstation's Local Admins group, then a new user in the group, Domain Admins would automatically become a local admin.

Assuming it is a standard user and NOT a part of Domain Admins, you can add them to local admins rather easily. Login to that workstation as an admin, open Command Prompt with elevated privs and use the command:

net localgroup administrators user /add
e.g. net localgroup administrators jdoe /add  - would add user JDoe to the local admins of that workstations.

2. The closest you may be able to get is Power Users. Though I must ask why you want them to be able to install software if the client does NOT want them to be local admins?

You could also keep them as standard users and adjust UAC settings with Group Policy.
0
 

Author Comment

by:Joemt
ID: 39940855
We want the users to have limited rights on the server and admin rights on there workstations or at least able to load software if necessary.

If the user did not have admin rights on the local workstation, then I need the local workstation to prompt me for a user with administrator rights.
0
 
LVL 10

Accepted Solution

by:
Schuyler Dorsey earned 500 total points
ID: 39940862
I would advise making them a standard user and keeping UAC enabled.

With UAC enabled, when a user goes to install an application, it will prompt for account credentials with administrative rights to that workstation.

Note that rights to the workstations and rights to the server are separate.
0
Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

 

Author Comment

by:Joemt
ID: 39940881
Could you please explain this a little more:

"You could also keep them as standard users and adjust UAC settings with Group Policy"
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940884
You can control UAC behavior via Group Policy.
http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

However, if you want it to prompt for administrator creds when they try to install something, I would not change anything. Prompting is the default action for UAC.
0
 

Author Comment

by:Joemt
ID: 39969628
When it prompts for administrator creds...is that administrator a local admin or server admin?
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On some Windows 7 (SP1) computers, Windows Update becomes super slow even the computer is reasonably fast.  There's one solution that seemed to have worked well for me (after trying a few other suggested solutions).
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question