I'm having problems with user's permissions using Windows 2003 as a domain controller

starriol

Member
Jan 3, 2006
I just installed a Windows 2003 server replacing a Windows 2000.

I have some problems.

Normal users (everyone except the user administrator) can't change the time & date, can't install programs and some software can't run because it says it can't access some part of the registry. All these problems do not exist while using the administrator account.

I tried setting all users to be able to change system time & date in the Windows 2003 server in both Security directive of both the domain & the domain controller and the PCs do not use this info, that is, I changed the settings and nothing.
Some guy suggested it could be a DNS & WINS conflict, which could be true since I just started to learn how to configure Windows 2003 properly.

Anyway, on a PC with Windows 2000 (actually, all of them are 2000, except 2 with Windows XP) I changed on that PC's control panel/ users the privileges of one of the user's account to advanced users and the date & time problem was solved, I can change it now, but I want to be able to configure it just once on the server and not need to go to every PC to configure it.

So, how can I configure my server so user's permissions DO apply to the PCs? To remind you, I need the users to be able to install soft, change system date, some soft does not run ok on other accounts than administrator and users can't share folders.

Thanks for your time!
 

Genx87

Lifer
Apr 8, 2002
Granting users permissions on the Active directory does not automatically grant them permissions on the workstations.

Create a group, name it "workstation admins", place all the people you want to give permissions to change stuff, install, general admin rights, into this group.

Now on each workstation add the new group to the administrators group.

Now anybody who logs into the machine on a domain account within the "Workstation admins" group will have local admin rights on the workstations.
 

netsysadmin

Senior member
Feb 17, 2002
Well, if you want the users to adjust the time you can set that up in Group Policy on the Domain Controller, though the users should have no need to change the time since it is synced to the DC. If the user changes the time past the skew limit you could have issues with Kerberos. It's better to let the DC control the time. Just set the DC to sync with one of the trusted NTP servers on the internet. If you search 2003 server and NTP you should find an article detailing how to set that up. There are a bunch out there.

John
 

netsysadmin

Senior member
Feb 17, 2002
Oh, and to give your users local admin access to the machines so they can install software you can do what Genx87 said and create a group on the DC called workstation_admins and then, rather than go to each workstation, just use a script like the one below in Group Policy to add the new workstation_admins group to the local administrators group on each machine. This way you don't need to go to each machine.

net localgroup administrators workstation_admins /add

John
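
The Group Policy startup script described in the post above, written out as an added example that is not part of the thread: it adds the domain group only if it is missing and logs any other member of the local Administrators group. It assumes workstations with PowerShell 5.1 (the LocalAccounts cmdlets); `CONTOSO`, the allow-list and the log path are placeholders.

```powershell
# Added example. CONTOSO is a placeholder domain; workstation_admins is the
# group name used in the thread.
$Member   = 'CONTOSO\workstation_admins'
$AdminSid = 'S-1-5-32-544'   # well-known SID of the built-in local Administrators group

# Assumed allow-list and log location for the audit step; adjust to site policy.
$Expected = @('CONTOSO\Domain Admins', $Member, "$env:COMPUTERNAME\Administrator")
$LogFile  = Join-Path $env:ProgramData 'local-admins-audit.log'

function Get-UnexpectedAdmin {
    param([string[]]$Current, [string[]]$Allowed)
    # -notin compares case-insensitively, which matches Windows account names.
    $Current | Where-Object { $_ -notin $Allowed }
}

# Addressing the group by SID avoids depending on its (localizable) name.
$current = @(Get-LocalGroupMember -SID $AdminSid | ForEach-Object { $_.Name })

# Idempotent: add the domain group only when it is not already a member.
if ($Member -notin $current) {
    Add-LocalGroupMember -SID $AdminSid -Member $Member -ErrorAction Stop
    $current += $Member
}

# Record anything else holding local admin rights so it can be reviewed centrally.
foreach ($name in @(Get-UnexpectedAdmin -Current $current -Allowed $Expected)) {
    $line = '{0} {1}: unexpected local admin {2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $name
    Add-Content -Path $LogFile -Value $line
}
```

Startup scripts run as the computer's SYSTEM account, which is what allows the membership change without a logged-on administrator.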
 

starriol

Member
Jan 3, 2006
Originally posted by: Genx87
Granting users permissions on the Active directory does not automatically grant them permissions on the workstations.

Create a group, name it "workstation admins", place all the people you want to give permissions to change stuff, install, general admin rights, into this group.

Now on each workstation add the new group to the administrators group.

Now anybody who logs into the machine on a domain account within the "Workstation admins" group will have local admin rights on the workstations.

That sounds EXACTLY like what I need done... the only problem being that I don't want these people to have the same rights as the administrator user of the domain. That is, if I place them in the workstation admins group, I don't want them accessing any file over the network.
Does this happen or do local admins work differently than domain admins?

Bear with me... I just started taking a Windows 2003 course.

And netsysadmin, I want them to be able to SEE the date because they use it to do their work, that's why. I doubt anyone will change the time
 

kt

Diamond Member
Apr 1, 2000
Originally posted by: starriol
Originally posted by: Genx87
Granting users permissions on the Active directory does not automatically grant them permissions on the workstations.

Create a group, name it "workstation admins", place all the people you want to give permissions to change stuff, install, general admin rights, into this group.

Now on each workstation add the new group to the administrators group.

Now anybody who logs into the machine on a domain account within the "Workstation admins" group will have local admin rights on the workstations.

That sounds EXACTLY like what I need done... the only problem being that I don't want these people to have the same rights as the administrator user of the domain. That is, if I place them in the workstation admins group, I don't want them accessing any file over the network.
Does this happen or do local admins work differently than domain admins?

Bear with me... I just started taking a Windows 2003 course.

And netsysadmin, I want them to be able to SEE the date because they use it to do their work, that's why. I doubt anyone will change the time

Local admins and domain admins are different. Local admins' access is limited to the local workstation.
 

Genx87

Lifer
Apr 8, 2002
Originally posted by: starriol
Originally posted by: Genx87
Granting users permissions on the Active directory does not automatically grant them permissions on the workstations.

Create a group, name it "workstation admins", place all the people you want to give permissions to change stuff, install, general admin rights, into this group.

Now on each workstation add the new group to the administrators group.

Now anybody who logs into the machine on a domain account within the "Workstation admins" group will have local admin rights on the workstations.

That sounds EXACTLY like what I need done... the only problem being that I don't want these people to have the same rights as the administrator user of the domain. That is, if I place them in the workstation admins group, I don't want them accessing any file over the network.
Does this happen or do local admins work differently than domain admins?

Bear with me... I just started taking a Windows 2003 course.

And netsysadmin, I want them to be able to SEE the date because they use it to do their work, that's why. I doubt anyone will change the time

Local admins do not automatically have admin rights on the domain. You can create the workstation admin group and give them no rights on the domain, meaning they can't access anything network related, but still have full admin rights on the local machine.

 

netsysadmin

Senior member
Feb 17, 2002
starriol... in your first post you specified change system date and time.

FYI... Users can always see the date and time no matter what permissions they have. The permissions only determine if they can change it.

John
 

starriol

Member
Jan 3, 2006
Originally posted by: Genx87
Granting users permissions on the Active directory does not automatically grant them permissions on the workstations.

Create a group, name it "workstation admins", place all the people you want to give permissions to change stuff, install, general admin rights, into this group.

Now on each workstation add the new group to the administrators group.

Now anybody who logs into the machine on a domain account within the "Workstation admins" group will have local admin rights on the workstations.

OK, now that I tried doing it, I don't get your instructions. "Create a group, name it "workstation admins", place all the people you want to give permissions to change stuff, install, general admin rights, into this group." Where do I do this, in the domain server or on the workstation???
 

kevnich2

Platinum Member
Apr 10, 2004
Originally posted by: starriol
Originally posted by: Genx87
Granting users permissions on the Active directory does not automatically grant them permissions on the workstations.

Create a group, name it "workstation admins", place all the people you want to give permissions to change stuff, install, general admin rights, into this group.

Now on each workstation add the new group to the administrators group.

Now anybody who logs into the machine on a domain account within the "Workstation admins" group will have local admin rights on the workstations.

OK, now that I tried doing it, I don't get your instructions. "Create a group, name it "workstation admins", place all the people you want to give permissions to change stuff, install, general admin rights, into this group." Where do I do this, in the domain server or on the workstation???


I'm sorry but if you're the admin for your WORK domain and don't get these (which happen to be the most basic Active Directory instructions), you shouldn't be anywhere near a domain admin account. I wouldn't let you within 10 feet of mine.
 

stash

Diamond Member
Jun 22, 2000
I need the users to be able to install soft, change system date, some soft does not run ok on other accounts than administrator and users can't share folders.
No you don't. Changing the date and time in a domain environment is asking for trouble. Making users full admins on their workstations is really asking for trouble. Use tools like filemon and regmon to determine why apps are failing to run as normal users and make the appropriate modifications. Giving blanket admin rights to workstations is a Bad Idea.

Users should also not have a need to share folders on their workstations. That's what you have file servers for.
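
One form the "appropriate modifications" in the post above can take, as an added example that is not part of the thread: once a registry trace (regmon, or its successor Process Monitor) shows which key the application is denied, grant the built-in Users group write access to that one key and leave the accounts as standard users. The key path is hypothetical, and the script assumes PowerShell run elevated on the workstation.

```powershell
# Added example. Hypothetical key that the trace showed as ACCESS DENIED
# when the application runs under a standard user account.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

# S-1-5-32-545 is the well-known SID of the built-in local Users group.
$Users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# Grant only what the application needs on this key: read, write values and
# create subkeys. No Delete, ChangePermissions or TakeOwnership.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'

$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Users,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # apply to subkeys too
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Read the current ACL, append the rule, and write it back to the same key.
$acl = Get-Acl -Path $KeyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# List the resulting entries so the change can be reviewed.
(Get-Acl -Path $KeyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited
```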
 

kevnich2

Platinum Member
Apr 10, 2004
Originally posted by: stash
I need the users to be able to install soft, change system date, some soft does not run ok on other accounts than administrator and users can't share folders.
No you don't. Changing the date and time in a domain environment is asking for trouble. Making users full admins on their workstations is really asking for trouble. Use tools like filemon and regmon to determine why apps are failing to run as normal users and make the appropriate modifications. Giving blanket admin rights to workstations is a Bad Idea.

Users should also not have a need to share folders on their workstations. That's what you have file servers for.

I totally agree with this.