Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion GroupsWindows Server 2003Windows 2000Windows NTSmall Business ServerVirtual ServerExchange ServerIISHost Integration ServerISA ServerSMSWSUSMOMWindows Media ServerSecurityCertification
Related Topics
SQL ServerMS WindowsMS OfficePC HardwareMore Topics ...
Windows Server Forum / Small Business Server / SBS 2000 / August 2003

Tip: Looking for answers? Try searching our database.

User Rights

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Scott - 14 Jul 2003 19:53 GMT
Hello,

I have been exploring the rights of system users in SBS2k.  By default, each user is to be setup as the administrator of their local machine.  This is done to allow the SBS client installer to push software and settings out to the client computers.

Well, in a few organizations that I work with, local administrative rights are too much for their users.  Is there a way to ensure server driven software pushes without the users being part of the administrator group on the local workstations?  I've tried it and the login script doesn't have the right to run.

TIA
Signature

Scott

Reply to this Message
Dave Nickason - 14 Jul 2003 20:38 GMT
You can use GPO to assign software to a computer (rather than a user), and it will install at the next login, regardless of the user's rights.  What I do instead is to make them local administrators until the computer is set up with all software installed, then back the rights off to user or power user.  It seems to me that I'm generally happier with the software installs I get that way (for example, I've had strange results installing software using "run as" while logged in with the standard user rights).

 Hello,

 I have been exploring the rights of system users in SBS2k.  By default, each user is to be setup as the administrator of their local machine.  This is done to allow the SBS client installer to push software and settings out to the client computers.

 Well, in a few organizations that I work with, local administrative rights are too much for their users.  Is there a way to ensure server driven software pushes without the users being part of the administrator group on the local workstations?  I've tried it and the login script doesn't have the right to run.

 TIA
 --
 Scott
Reply to this Message
Scott - 15 Jul 2003 20:21 GMT
Thanks, Dave.  Using the setup computer wizard in SBS2k, this runs through the login script for the computer regardless of who logs in.  If the person does not have admin rights, the script will not run completely.  I like the idea of just setting the box then change the user rights, but what about updates?

Thanks, Scott
 You can use GPO to assign software to a computer (rather than a user), and it will install at the next login, regardless of the user's rights.  What I do instead is to make them local administrators until the computer is set up with all software installed, then back the rights off to user or power user.  It seems to me that I'm generally happier with the software installs I get that way (for example, I've had strange results installing software using "run as" while logged in with the standard user rights).

   "Scott" <sgrubb@(NOSPAM)aircooled.net> wrote in message news:OBt34mjSDHA.1804@TK2MSFTNGP11.phx.gbl...
   Hello,

   I have been exploring the rights of system users in SBS2k.  By default, each user is to be setup as the administrator of their local machine.  This is done to allow the SBS client installer to push software and settings out to the client computers.

   Well, in a few organizations that I work with, local administrative rights are too much for their users.  Is there a way to ensure server driven software pushes without the users being part of the administrator group on the local workstations?  I've tried it and the login script doesn't have the right to run.

   TIA
   --
   Scott
Reply to this Message
Dave Nickason - 16 Jul 2003 00:05 GMT
I always add myself to each workstation as a local admin (this seems like a good practice for troubleshooting, etc. as well as for updating).  Then if I have to run updates, I do it logged in as myself.  I just have the users log off rather than shut down at the end of the day, then log in as myself and do whatever needs doing.  I try not to do this too often since it's a pain in the neck, and I'm getting close to finding the time to install SUS to take care of most of it.  I like to do most of the install as the primary user of the computer, so I give them local admin rights until the OS is set up, joined to the domain, and the major apps installed, then I tighten up their access.

By the way, Mark makes a good point about software needing elevated rights.  I've given up on "restricted user" for most people, since it seems that many programs complain at that level.  I make almost everyone a "power user."  And, I do tell them I've tightened up the security on the computer and to let me know if they run into any issues as a result.  I don't present this as a user thing, since everyone thinks they deserve the least restrictive security, but rather as general network policy.
 Thanks, Dave.  Using the setup computer wizard in SBS2k, this runs through the login script for the computer regardless of who logs in.  If the person does not have admin rights, the script will not run completely.  I like the idea of just setting the box then change the user rights, but what about updates?

 Thanks, Scott
   "Dave Nickason" <gwdibble@frontiernet.net> wrote in message news:OtbtR%23jSDHA.1576@TK2MSFTNGP12.phx.gbl...
   You can use GPO to assign software to a computer (rather than a user), and it will install at the next login, regardless of the user's rights.  What I do instead is to make them local administrators until the computer is set up with all software installed, then back the rights off to user or power user.  It seems to me that I'm generally happier with the software installs I get that way (for example, I've had strange results installing software using "run as" while logged in with the standard user rights).

     "Scott" <sgrubb@(NOSPAM)aircooled.net> wrote in message news:OBt34mjSDHA.1804@TK2MSFTNGP11.phx.gbl...
     Hello,

     I have been exploring the rights of system users in SBS2k.  By default, each user is to be setup as the administrator of their local machine.  This is done to allow the SBS client installer to push software and settings out to the client computers.

     Well, in a few organizations that I work with, local administrative rights are too much for their users.  Is there a way to ensure server driven software pushes without the users being part of the administrator group on the local workstations?  I've tried it and the login script doesn't have the right to run.

     TIA
     --
     Scott
Reply to this Message
Len Geeve - 01 Sep 2003 00:55 GMT
Hello,

I read your replies and I have encountered the same problem. I don't want
users on workstations to have local admin. rights but when I change the
rights to power user. Every next time they login they get a message when the
login script is run about not being a member of the admin group. Is there a
way to get rid of this message ? or can I give users full rights to run only
the script (I need to block settings on the workstations because some people
tend to fiddle with computer settings they shouldn't fiddle with! plus
illegal software installations, etc,etc)

Thanks in advance for your help

Len Geeve
lendrix2000@hotmail.com
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.