Windows Server 2008 R2 - Help with permissions

Izi

I have set up a domain with DNS and a few other services. It's all working great, I was surprised how easy it was, however I need a little help setting up permissions.

I want to set up the DC to let users log in to their own computer as an Administrator - I don't want them to come to me to be able to install a program for example, however I do not want to give them a group of 'Administrators' as this will enable them to log in to the main server and change settings there. I want to lock down the server, but give users admin rights to their computers.

Can someone point me in the right direction?
 
It's the client machines you need to set up, not the DC.

You need to add the "domain\authenticated users" group to the local administrator group on the clients.

You can do this through group policy - it's called "restricted groups" - please read -

http://myitforum.com/cs2/blogs/rdix...-to-local-administrators-group-using-gpo.aspx

Let me know if you have any probs.

On a side note - you should be aware of the security risks of this. I hope your company has strict policies regarding security and installing software. For example, how are you going to ensure you adhere to license agreements? Be careful!
 
You could make Domain Users local administrators on those PCs.

Sounds like you have only a few people, so not that much of a security risk.
 
There are only 6 of us here, I trust them, mostly :)

Thanks, I will give this a go.

howler - how do you do what you just said there? Would I need to log in as administrator on their machines and assign the role?
 
You can do it from Active Directory by loading up computer management, so no need to go to each machine.

It's basically the same as the GPO suggestion without using a GPO, up to you which method you use.
 
OK, so I have gone to Computer -> PC1 -> Properties. A window pops up, is it the 'Managed By' tab?
 
Personally I'd at least create a new separate AD group with the user accounts in, then drop this group into the administrators group on each of the PCs.

Just don't like the idea of every account getting admin rights by default.

Well, if it were me I wouldn't be giving everyone admin rights anyway :p

To do it all from the server, open up an MMC with the computer management snap-in, and connect to each PC from there in turn.

Then go to the local users and groups section and you can add stuff to the administrators group there.
 
Thanks for the reply.

[Attached screenshot: x2hgo.png]

Although the location resolves to the right IP, I get an error as shown above. The computer is on - in order to manage the computer do I have to turn on network sharing etc. from the dev04 machine?
 
Might be the firewall on the remote PC preventing you accessing that.

Do you know what port this connection is made on?

Scrub that, I'm in, however I don't see where I can add users. In the system tools -> users and groups the only users listed are local user accounts, i.e. not my domain accounts.
 
Because it's listing local users.

If you open the groups tab, open the administrators group, you'll be able to add domain groups to it.
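
An added example (not from any poster in this thread) of the dedicated-group suggestion and the Administrators-group edit described in the posts above, scripted in PowerShell through the ADSI WinNT provider. The domain name EXAMPLE and the group Workstation-Admins are assumptions, and the sample member paths are constructed.

```powershell
# Added example. Assumed names: domain EXAMPLE, AD group Workstation-Admins.
# Assumes English Windows, where the local group is called "Administrators".
$Domain     = 'EXAMPLE'
$AdminGroup = 'Workstation-Admins'
$TooBroad   = 'Authenticated Users', 'Domain Users', 'Everyone'

# Read the ADsPath of every member of a PC's local Administrators group.
function Get-LocalAdminPath {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

# Pure check: report members that grant admin rights to every account.
function Find-BroadAdmin {
    param([string]$Computer, [string[]]$Paths)
    foreach ($p in $Paths) {
        $name = ($p -split '/')[-1]   # last path element is the account name
        if ($TooBroad -contains $name) {
            New-Object PSObject -Property @{ Computer = $Computer; Member = $name }
        }
    }
}

# Add the dedicated domain group to a PC's local Administrators group.
function Add-AdminGroup {
    param([string]$Computer)
    $local = [ADSI]"WinNT://$Computer/Administrators,group"
    $local.Add("WinNT://$Domain/$AdminGroup,group")
}

# Constructed sample (no network needed): member paths as a PC with
# Authenticated Users in local Administrators would return them.
$sample = 'WinNT://EXAMPLE/PC1/Administrator',
          'WinNT://EXAMPLE/Domain Admins',
          'WinNT://NT AUTHORITY/Authenticated Users'
Find-BroadAdmin -Computer 'PC1' -Paths $sample | Format-Table -AutoSize

# Against live machines (run as a domain admin):
# foreach ($pc in 'PC1', 'DEV04') {
#     $paths = @(Get-LocalAdminPath $pc)
#     if (-not ($paths -like "*/$AdminGroup")) { Add-AdminGroup $pc }
#     Find-BroadAdmin -Computer $pc -Paths $paths
# }
```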
 
Sorry one other question.

Is there any easy way to migrate Documents/settings to the new domain accounts?

Each user currently logins to their computer using a username/password. When I join their computers to the domain, I would like to migrate documents/settings if possible.
 
By migration you mean user profiles from a workstation to another or to the DC?

Easy Migration tool does that. If you are looking for a more enterprise-level tool then the User State Migration tool does that job.

That might be what you are looking for?
 
So currently there is no domain. We now have one and everyone will log in to their PC via the DC. The problem with this is that all settings/files are stored in the computer user profile.

I suppose what I could do is copy files to the public folder then copy back to my documents. I was kind of hoping for something better than that though, something which could migrate FF/Chrome profiles as well as files and other settings.

This is not a migration from one PC to another, it's a simple migration from Workgroup user to DC user on the same machines.
 
Ah, I think the easy transfer will do it. Just save the img to external then restore it. Will give it a go.
 
Sounds like you should be running Small Business Server. It includes an add computer to domain wizard that allows easy migration of local user profiles to your new domain users.
 
The documents will still be on the local PC, unless you redirect them to a file share.

A domain user's profile will be c:\users\username.domain (on Vista upwards, documents and settings for XP) but a local user will be c:\users\username.

For only a few users, manually copying them would be simple enough, just log into any machine as a domain admin and access the PCs with \\machine name\c$

I'd seriously consider redirecting them to the server though, means they will be accessible from any machine and easier to back up.
 
I don't mind them being on the local PC, much faster that way, is it not?
 