Re: Group membership and rights

From: Herb Martin (news_at_LearnQuick.com)
Date: 03/13/04


Date: Sat, 13 Mar 2004 07:11:48 -0600


> Problem is, when I place my users in the Domain Users
> group as well as custom groups I've created that grant
> access to necessary shares, their drives don't map at
> login, certain apps don't run, and if the PC doesn't have a
> domain user profile already created, they can't even log in.
>
> As a result, I have most of my users in the Domain Admins
> group!!!! And that's gotta change!!!
>

Follow Cary's link but consider that you likely need to
work on your understanding of permissions on shares
and NTFS volumes (files and directories).

As long as you grant the proper permissions (based on the user's
groups) there is zero reason to put a user in Domain Admins.

AND putting someone in Domain Admins will NOT fix a problem
that could not be fixed by granting the proper access.

> Should I not have users in the Dom Users grp but maybe
> Power Users? What local group should the local user
> account on the workstation be a member of? Am I totally
> screwing something up?

Usually Users, or MAYBE Power Users too, but these MACHINE
groups won't help you at all on DOMAIN resources (network servers.)

Maybe you also have a problem with your scripts or even the GPOs
that are linked to your OUs.

Are they being applied? (GPResult or RSoP will help determine this.)

Do the users have READ+ on the Logon script files? (Without this
they cannot run them.)

Do the users have at least READ+ on the shares to which you map
them? Do they also have at least READ+ on SOME of the files there,
on the file to which they need access?

-- 
Herb Martin
"Patrick" <anonymous@discussions.microsoft.com> wrote in message
news:c08d01c40870$b9074fc0$a401280a@phx.gbl...
>
> We have a Win2003 DC (was upgraded from Win2K) and network
> is mixed with 2000 & 2003 servers and W2K and XP
> workstations.  Login scripts are of the .vbs type,
> not .bat and run at the OU level.
>
> Thanks much in advance,
> Patrick
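The checklist in the reply above (READ on the share, READ on the files, rights granted through the user's domain groups) can be modelled in a few lines. This is an added example, not part of the original thread: the group names, ACLs and rights bits are constructed, and "deny always wins" is a simplification of Windows ACE ordering.

```python
from dataclasses import dataclass

READ, WRITE, FULL = 0x1, 0x2, 0x7   # simplified bits, not Windows' real access masks

@dataclass(frozen=True)
class Ace:
    group: str
    rights: int
    deny: bool = False

def granted(acl, token):
    """Rights one ACL gives a token: union of matching allows minus matching denies."""
    allow = deny = 0
    for ace in acl:
        if ace.group in token:
            if ace.deny:
                deny |= ace.rights
            else:
                allow |= ace.rights
    return allow & ~deny

def effective(share_acl, ntfs_acl, token):
    """Over the network a user gets only what BOTH the share and NTFS allow."""
    return granted(share_acl, token) & granted(ntfs_acl, token)

def diagnose(share_acl, ntfs_acl, token, need=READ):
    """Name the layer(s) withholding `need`, so the fix is a grant, not admin rights."""
    missing = []
    if granted(share_acl, token) & need != need:
        missing.append("share")
    if granted(ntfs_acl, token) & need != need:
        missing.append("ntfs")
    return missing

# Constructed scenario; all names are hypothetical.
user_token = {"Domain Users", "Sales-Share"}   # ordinary user in a custom domain group
# A workstation's local Power Users membership is not in the token the file
# server evaluates, so a user relying on it presents only this:
server_view_of_local_only = {"Domain Users"}
share_acl = [Ace("Sales-Share", READ | WRITE)]
ntfs_broken = [Ace("Domain Admins", FULL)]      # misconfiguration: only admins listed
ntfs_fixed = ntfs_broken + [Ace("Sales-Share", READ)]

if __name__ == "__main__":
    print(diagnose(share_acl, ntfs_broken, user_token))
    print(effective(share_acl, ntfs_fixed, user_token) == READ)
    print(diagnose(share_acl, ntfs_fixed, server_view_of_local_only))
```

With the NTFS grant added for the custom group, the ordinary user gets READ without any admin membership; WRITE from the share is still cut off because NTFS does not grant it.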

