Solved

SBS2011 Domain Profile user rights on Server and Workstation

Posted on 2014-03-19
6
813 Views
Last Modified: 2014-04-01
I have a SBS2011 and Win 7 Pro 64 bit workstations. We have a shared folder and "everyone" has full control. Is this automatically all users? Can I look at this group? I do not see it listed.

We are having an issue with timeslips 2014.  WE are being told that is has something to do with user permission levels. My questions are about user permissions, workstations rights and domain profile rights.  

Question:

If I install a new workstation and login with the existing domain profile...how does that effect the users rights on the workstation. I ask because the user was not really created as a user first and then added to the domain.  How do I ensure that user has administrative rights at the workstation?

2nd question

The client does not want the "users" to have administrative rights. Is "power user" the way to go or leave the users at just "users". I want to grant as much acess as possible with out allowing the use to delete system files. I also want the user profile to be able to install software on their workstations.

Thank you
0
Comment
Question by:Joemt
  • 3
  • 3
6 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940786
1. A user's rights depends on the local administrator group settings of the workstation. E.g. if the A.D. group Domain Admins is listed in a workstation's Local Admins group, then a new user in the group, Domain Admins would automatically become a local admin.

Assuming it is a standard user and NOT a part of Domain Admins, you can add them to local admins rather easily. Login to that workstation as an admin, open Command Prompt with elevated privs and use the command:

net localgroup administrators user /add
e.g. net localgroup administrators jdoe /add  - would add user JDoe to the local admins of that workstations.

2. The closest you may be able to get is Power Users. Though I must ask why you want them to be able to install software if the client does NOT want them to be local admins?

You could also keep them as standard users and adjust UAC settings with Group Policy.
0
 

Author Comment

by:Joemt
ID: 39940855
We want the users to have limited rights on the server and admin rights on there workstations or at least able to load software if necessary.

If the user did not have admin rights on the local workstation, then I need the local workstation to prompt me for a user with administrator rights.
0
 
LVL 10

Accepted Solution

by:
Schuyler Dorsey earned 500 total points
ID: 39940862
I would advise making them a standard user and keeping UAC enabled.

With UAC enabled, when a user goes to install an application, it will prompt for account credentials with administrative rights to that workstation.

Note that rights to the workstations and rights to the server are separate.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:Joemt
ID: 39940881
Could you please explain this a little more:

"You could also keep them as standard users and adjust UAC settings with Group Policy"
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39940884
You can control UAC behavior via Group Policy.
http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

However, if you want it to prompt for administrator creds when they try to install something, I would not change anything. Prompting is the default action for UAC.
0
 

Author Comment

by:Joemt
ID: 39969628
When it prompts for administrator creds...is that administrator a local admin or server admin?
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
new year deals on hware.. 4 42
CPU at 100% usage, why? 27 133
set url:tel to a website 3 49
Windows 7 and Windows 10 offline sync 3 18
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question