Re: Power Users Lacking Privileges
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Tue, 30 May 2006 16:16:40 -0500
I don't know what specific privileges the app Quick Books require. It
sounds like it is another of a long line of apps that has been poorly
written and requires excess privleges to run. Being a local Power User has
nothing to do with Active Directory (AD). AD provides a single signon with
secure control from this set of credentials. Permissions for a user can be
defined on multiple devices specifiying the same user Id. Usually though
permissions are assigned to groups and user are made members of these
groups.
1) I don't know your environment but the more power you provide the more
opportunities the users are going to have to screw up their workstations or
get them infested with spy/spamware, etc... Find out from Quick books what
specific permissions are needed (Call them or google Quickbook permissions),
create a group and assign these permissions. This shouldn't be that
difficult and will same you a lot of effort later on.
2) I don't know why users would need other special privleges
3) Use Group Policy to remove this feature but don't apply at the domain
level, otherwise this will impact all users including administrators.
http://support.microsoft.com/default.aspx?scid=kb;en-us;313924&sd=tech
I suggest you tread slowly and understand each step before you proceed.
Handing out privleges is easy, taking them away is very difficult if not
impossible.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Rich" <Rich@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:289E5743-6A0F-4755-BB1A-5633E334D57A@xxxxxxxxxxxxxxxx
Hi all:
I'm posting here, as I expect this is an AD issue, and I am not an AD
expert by any means. My predecessor set up a Win2003 SBS server for my
organization. It contains the AD, DNS, Exchange, and handles file/print
sharing, DHCP and also is the host for our accounting package
(QuickBooks).
He indicates that when he set it up, privileges worked fine. The day I
started, I noticed that users who are members of the Power Users group on
the
server could not do simple tasks on their desktop, such as install an
application, or modify some system settings. I also noticed that
QuickBooks
keeps erroring off when a user who has established a remote console
session
to the server tries to launch the app. The error is essentially, 'you must
be
a power user or administrator to run QuickBooks'.
I had an MCSE in a few weeks ago to assist with some general tune-ups
on
the server, and he indicated that in order to install an app to a desktop,
the user had to have Power User privileges defined explicitly on the
Desktop
machine (which I find unusual, as I thought that's what AD was for). This
also does not explain why a user logged into the server via Remote Console
cannot run QuickBooks, despite the fact that they are a member of the
Power
Users group.
Here's what I need to accomplish:
1. Give all users authenticated to the domain as Power Users the
ability to install programs on their desktops.
2. Give all Power Users the ability to run apps (which require
Power
User or higher privileges) directly off the server via Remote Console.
3. Remove the [Shutdown] option from start menus of Power Users
when
connected via Remote Console.
My hope is that, through this exercise, I will be able to fix
privileges
for power users, and also begin to learn how AD works. Any help is greatly
appreciated.
:Rich
.
- Prev by Date: Re: Backup plan and upgrading procedures
- Next by Date: Re: Group Policy is trying to be applied from Demoted DC
- Previous by thread: Domain Name Dilemma
- Next by thread: Re: Power Users Lacking Privileges
- Index(es):
Relevant Pages
|
Loading
