Separate computer admins from server admins

Discussion in 'Windows Small Business Server' started by Will, Feb 21, 2007.

  1. Will

    Will Guest

    We have a vanilla install of SBS 2003 R1. We are not network admin gurus!

    We want users to be admins on their PCs but 'users' on the server (rather
    than admins) - but can't find a way of separating the two, meaning that
    currently all users have to be admins... clearly not ideal as we move
    forwards.

    How do we give users full admin rights to their PCs, but only 'user' rights
    on the server (so that they can't see other people's files etc.)?
     
    Will, Feb 21, 2007
    #1

  2. OneInTen

    OneInTen Guest

    When you create a new user in the domain, you have to specify in which group
    they belong. Let's say that you want to assign them the "Mobile User
    template". After completing the user configurations, these users will have
    the rights and restrictions assigned to the "Mobile User template".

    When you set up a computer and you join it to the domain, you can specify
    which users will work on that computer. These users will be added to the
    local Administrators group.

    In other words, there is a distinction between the two, domain and local
    computer. You don't have to make a user a domain admin in order to be a
    workstation admin.
     
    OneInTen, Feb 21, 2007
    #2

  3. Lanwench [MVP - Exchange]

    On the server, they will just be users by default, and won't be able to see
    other people's stuff unless you've mucked with permissions.

    For the workstations, if you insist on doing this:

    Create two universal security groups: LocalAdmin and LocalPowerUser
    Add those two groups to the workstations' Administrators and Power Users
    groups, respectively
    You can do this manually at the workstations, or via remote management of
    the workstations, or via restricted groups, or via a computer startup script
    using the "net user" command to add them.

    Then add the domain users you wish to the appropriate groups on the server,
    and the users will have those permissions.

    This presumes you want all users to be admins on all machines.

    HOWEVER: This is not recommended in general. Users should not have admin
    rights; there's just no reason they should need to, 99.99% of the time, and
    it's asking for trouble, even if you have highly trustworthy users. You want
    to keep your workstations stable and consistent, and free of malware as much
    as possible, and there's simply no way to ensure that if they don't have a
    locked down environment.

    I like creating the AD groups as mentioned above, for those times when an
    app install requires it (any software that must be installed by the user who
    will be using it). Then I remove the user from the group when I'm done.

    If you have software running on those PCs that won't run right under a
    limited user account, the best approach is to fix the permissions in the
    file system & registry so the users can write to those areas as they need
    to. FileMon and RegMon may help you out here. Oh, and complain to the
    software developers...they need to fix their stuff.

    Regmon:
    http://www.microsoft.com/technet/sysinternals/utilities/Regmon.mspx

    Filemon:
    http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx

    OR Process Monitor
    http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx
     
    Lanwench [MVP - Exchange], Feb 21, 2007
    #3
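
The computer startup script option from post #3, sketched as an added example that is not part of the thread. It uses `net localgroup`, the built-in command that edits local group membership; `EXAMPLE` is a placeholder for your domain's NetBIOS name, and `LocalAdmin` / `LocalPowerUser` are the group names suggested in the post.

```batch
@echo off
rem Added example: computer startup script, run as SYSTEM on each workstation.
rem ASSUMPTION: EXAMPLE is a placeholder for your domain's NetBIOS name.
rem LocalAdmin and LocalPowerUser are the domain groups named in post #3.
setlocal
set "DOMAIN=EXAMPLE"
set "RC=0"

call :EnsureMember "Administrators" "%DOMAIN%\LocalAdmin"
call :EnsureMember "Power Users" "%DOMAIN%\LocalPowerUser"
exit /b %RC%

:EnsureMember
rem %~1 = local group on this workstation, %~2 = domain group to nest in it.
rem Check first (literal, case-insensitive, start-of-line match) so that
rem repeated boots do not log an "already a member" error every time.
net localgroup "%~1" | findstr /i /l /b /c:"%~2" >nul
if not errorlevel 1 (
    echo [skip] %~2 is already in %~1
    goto :eof
)
net localgroup "%~1" "%~2" /add >nul 2>&1
if errorlevel 1 (
    echo [fail] could not add %~2 to %~1
    set "RC=1"
) else (
    echo [ok] added %~2 to %~1
)
goto :eof
```

Once the domain groups are nested this way, who has workstation admin rights is decided only by membership of `LocalAdmin` in Active Directory, so removing a user there after an install takes effect at their next logon without touching the workstation.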