January 18th, 2002, 11:56 AM
Windows 2000 Server 'user' help
I've recently put Win2k Pro on my pop's machine, He is always installing stuff and he is not setup as an admin on the domain.
In Win98 he never had the problem of installing stuff as the privligages didn't extend to Win98.
I ain't giving his account Admin rights but cannot get him to be an admin on his local machine, but only a Domain User (deafult). Only way is to log in locally and then log out and back in for the domain. This ain't really acceptable.
Any ideas on a single login to make a user Local Admin but only Domain User onthe domain?
January 20th, 2002, 09:16 AM
1) on local machine right click "my computer" select manage
2) find "local Users and Groups" tab expand it
3) go to groups subsection
4) right click on administrators and select "add to group"
5) add domain account to local administrators
voila pop has local admin rights but is not a domain admin
(u'll need to be logged on as an admin to do this)
January 24th, 2002, 01:29 PM
If i log on as Admin and add the user to the administrators group it still gives the user full access to the domain.
On the Adminitrator Group in the groups folder the description does say Admin rights to computer/domain, there seems to be no Local/Computer Admin group.
January 24th, 2002, 02:49 PM
What type of domain access are you trying to prevent?
by definition a local administrator group has no domain permissions. Just to make sure you did the proceedure I outlined on your dads pc not on the dc?
Sorry to doubt but we use the method descriped above in the win2k domain at work and it works wonderfully. users have very little domain access, and in general have their local machine access tied down so they can only save to my documents etc. Developers and other users who require more access have their domain accounts set up as any other user so they cant cause problems in the domain but, are made members of the local administrators group which gives them the ability to change the config on their machine save where they want etc. This still prevents them from doing anything that requires domain admin rights (eg connecting to \\servername\c$ for example)
If local admin doesn't have enough restrictions and domain user is to restrictive try the local "power users" group or create your own local group and add him to that. There's also the ability to add more control using group policy and if your really stuck there is a resource kit utility that will allow elevated privaliges for certain tasks.
for referance here is the MS knowledge base article that describes creating workstation only admins. Its written for nt4/2k but gives the same info as i initially suggested.
January 24th, 2002, 04:51 PM
I just want his login to the Domain give him permission to install programs, and administer printers.
I'm also having the same problem on another machine, with win2k too, It's got a USB HP Printer and if I print using a Domain User account it doesn't print anything, but log in as a Domain Admin and it prints fine.
When I gave the Domain User the Admin rights it could see all other Domain machines, even Admin directories on the server.
I tried the Power Users group that also gave them access to all areas.
I'll have a read through the stuff you posted, cheers
January 24th, 2002, 05:26 PM
In windows 2000 printers can be assigned permissions just like files and folders check you've given domain users permissions to use that printer.
search the windows help using "printer permissions" to find out how to add/change permissions on your printers