• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

W2K Server User Membership & Rights

D

DukeChestnut

Senior member
Hi guys,

Heres the deal. I have a W2K server running with users created for workstation usage. I have them members of "Domain Users". The problem is that when they log on they can't open some programs b/c they don't have sufficient rights. I would NOT want to make them members of a higher class such as "Domain Admins". Is there any way around this? Is there a way to give them rights to run specific programs?
 
Are they trying to run programs on the server or workstations? Does it say fail to initialize when they try to open a program? If so, there are a couple of things you could try, not in any particular order. First, you can go to the program folder of the program on the hard driver and change Users rights. Click the box just below Full rights, and all the boxes except Full rights will be selected. Then go to the Advanced tab and click the box that propogates these rights to all files and sub-folders in the main folder. That might work. You could also run regedt32, go to Local Machine, (the last tab) and select software and drill down to the problem program folder and do the same thing for the User rights as above. As a last resort, you could go to the WinNT folder and do the same thing as above. There are some temp files and folders in WinNT that users need to be able to access and modify to run some programs. I just set up a bunch of new computers and had to do these things for about three programs. At least it is better than making them a power user.
 
You don't even have to do that. There's an easier way. What you just did was make everyone that logged on a Power User!!

First of all if you have groups called Domain Users and Domain Admins then you have a Domain running not a Workgroup. So I assume you mean they are having trouble running it from a different PC rather than the server. Keep them in the normal Domain Users group. Now go to each machine and open up Computer Management. Click on Local Users and Groups. Go to Groups and go into Power Users. Now add their domain account to this group. When they logon they should now be able to run any program they want and have Power User access to just that machine. You can also add them to the Administators group if you want and then they will have Admin access on that machine only.

You won't need to mess with any permissions this way.

 
Ultimately, this is because the applications don't follow the rules. Properly written applications won't require this. Unfortunately, the real solution is to get the vendor to rewrite the app so it'll run as a non-admin user. You're kind of SOL unless you can determine the permissions and rights that the app needs and grant those to your users.

Start with the app vendor's tech support.
 
mikecel79:

Sure, you can make them a Power User, but Duke said he did not want them to be a member of a higher group. Also, when you make them a Power User, they can then install software and change permissions and shares. Most admins don't want their regular users to do this. The regular user account to the workstation works well for most software. However, for some apps that don't work, you just give them "Power User" rights to that software. It does not make them a power user on the machine, just a power user for that particular program.
 
Gepost:

The only difference between the Power User group and the User group is that they can write to the Winnt folder, the Program Files folder, and parts of the Registry. The Power User group CANNOT set permissions on any folders anywhere. They can only set permissions on a share which doesn't mean much anyways. Only members of the Administators group can set NTFS permissions.

You told him to go to the Program Files and the Winnt folder and give everyone Read and Write access. The is the exact same access as Power User group. So in effect that would make everyone that was part of the User group have the same access as the Power User group. You didn't tighten up the security but instead weakened it for the whole machine. They can now install most programs that don't check what groups you belong too!

If we setup the system how you said so the only added right your Power User group would get would be that they can now add shares to the system. Hardly a big security problem since they can't change the NTFS permissions under them.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top