Re: Power Users Lacking Privileges

Tech-Archive recommends: Fix windows errors by optimizing your registry

Rich,

I will chime in for a bit...

First off, if your users are creating a Terminal Session to the Server (via
the RDP Client) then that means that Terminal Server in Application Mode
(okay, I know that this is the WIN2000 terminology!!!!) is enabled. I did
not think that this was possible anymore with SBS2003. Okay, whatever!
QuickBooks is not natively TS-Aware (however, do not let that stop you).
Here are a couple of links that will help you:

http://www.quickbooks.com/support/faqs/qbw2003/124603.html
http://ts.veranoest.net/ts_applications.htm
http://www.veranoest.net/ts/ts_apps_qb.htm

Now, if QuickBooks is simply installed and run from the server and you have
the clients logging on to their workstations and running QuickBooks (like
most people have - sort of a Front End / Back End situation going on....)
then it is probably a permissions thing. But why would it stop working the
day he left? Sounds suspicious.

Secondly, there are three groups of interest on each workstation (well,
there are several more...let's just look at three of them for the moment) so
long as the workstation is either WIN2000 Pro or WINXP Pro: local Users,
local Power Users and local Administrators. By default, each domain user
account object is a member of the Domain Users group. This, in turn - by
default, is a member of the local Users group on each WIN2000/WINXP Pro
workstation. So, by default, each domain user account object is a member of
the local Users group on each system. Much in the same way that the Domain
Admins group, by-default, is a member of the local Administrators group on
each system.

The local Users group is somewhat limited in that it has restricted
'privileges' as far as the directory structure (c:\program files, for
example) and the registry are concerned. This is often the problem when it
comes to installing software. I do not remember since it has been more than
two years since I installed QuickBooks on a workstation (recently installed
Quicken at the Fire Department and that required local Administrator
'privileges' so QuickBooks is probably the same) but I am pretty sure that
it is - as Paul stated - one of those poorly written applications. Well,
poorly written from our perspective. I do not think that Power Users will
do it for you, either!

There are a few ways to make the domain user account objects a member of the
local XXXXXXXX group on the systems. Naturally, you can walk over to each
system and do this. That blows! You can use a startup script (and, yes, I
said 'startup script' - not logon script). Or, you can use GPO (look up
Restricted Groups...just be sure that you understand what the default
behavior is and what you need to do...).

As to your other questions - look into share/ntfs permissions in the
directory structure on the server(1) and look into group policy(2). If your
users are creating an RDP connection to the Server then you might want to
look into Group Policy - Loopback Processing. Just be careful not to lock
out the Administrator account.

Again, though. I am sorry. I really thought that SBS2003 did not allow
Terminal Services in Application Mode (I know! I know! This is WIN2000
terminology!!!!). In Remote Admin Mode, sure. But not in Application Mode.
I was pretty sure that you need another box running TS in an SBS2003
environment.

--
Cary W. Shultz
Roanoke, VA 24012


"Rich" <Rich@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:289E5743-6A0F-4755-BB1A-5633E334D57A@xxxxxxxxxxxxxxxx
Hi all:
I'm posting here, as I expect this is an AD issue, and I am not an AD
expert by any means. My predecessor set up a Win2003 SBS server for my
organization. It contains the AD, DNS, Exchange, and handles file/print
sharing, DHCP and also is the host for our accounting package
(QuickBooks).
He indicates that when he set it up, privileges worked fine. The day I
started, I noticed that users who are members of the Power Users group on
the
server could not do simple tasks on their desktop, such as install an
application, or modify some system settings. I also noticed that
QuickBooks
keeps erroring off when a user who has established a remote console
session
to the server tries to launch the app. The error is essentially, 'you must
be
a power user or administrator to run QuickBooks'.
I had an MCSE in a few weeks ago to assist with some general tune-ups
on
the server, and he indicated that in order to install an app to a desktop,
the user had to have Power User privileges defined explicitly on the
Desktop
machine (which I find unusual, as I thought that's what AD was for). This
also does not explain why a user logged into the server via Remote Console
cannot run QuickBooks, despite the fact that they are a member of the
Power
Users group.
Here's what I need to accomplish:
1. Give all users authenticated to the domain as Power Users the
ability to install programs on their desktops.
2. Give all Power Users the ability to run apps (which require
Power
User or higher privileges) directly off the server via Remote Console.
3. Remove the [Shutdown] option from start menus of Power Users
when
connected via Remote Console.

My hope is that, through this exercise, I will be able to fix
privileges
for power users, and also begin to learn how AD works. Any help is greatly
appreciated.

:Rich


.

Quantcast