Re: Installing New Work Stations



mcp6453 <mcp6453@xxxxxxxxx> wrote:
Lanwench [MVP - Exchange] wrote:
mcp6453 <mcp6453@xxxxxxxxx> wrote:
I do computer support for a non-profit organization. They just had
10 new Pentium 4 computers donated. The machines have fresh
installations of XP SP2. It takes a long time to install SP3 and
the updates. Plus, there are several other applications that need
to be installed on each computer.

Hopefully I can save some time by building one machine and then
imaging the drive to the others. (All software is properly
licensed.)

If you don't have fairly identical hardware, this won't work well -
Acronis software, such as SnapDeploy or TrueImage Workstation with
Universal Restore may be able to do it for you, though. SnapDeploy
is a bit complex but is designed to do what you're trying to do and
includes a SID changing tool.
So, I will use this occasion to try to understand a perpetual
problem that I have: Giving administrator rights to the local
machine after the work station joins the domain of the Windows 2003
Server.

Why is that a problem? You don't want to do it, really. But if you
do want to, it's not hard to do.

I have
tried a number of ways, and something always seems to go wrong.

There are two parts to this question. The first part is, if I build
one machine to spec, join the domain,

No - don't join the domain first. Image first. Then join the domain
(using the SBS wizards!)

and then image the drive to
another (identical) computer, what do I have to change on the second
machine to enable it to log into the network? The machine name? Or,
do I have to go through the same routine to join the domain?

You have to change the SID (most cloning software gives you the
option to do that). Then join the domain.
The second part of the question is, after a machine joins the domain
using the Administrator account, how do I give any authenticated
users administrator rights on the local machine?

You really shouldn't be doing that, actually.

Do I add "Domain Users" or
"Authenticated Users" to the local machine Administrators group?

You can, but I'd use a custom AD group and a startup script (I don't
really like Restricted Groups much). I tend to set up AD groups
called LocalAdmin, LocalPowerUser, to make this easier. You can also
create one for Remote Desktop access, too - (SBS has this built in).

The batch file would have this:
........
net localgroup Administrators DOMAIN\localadmin /add
net localgroup "Power Users" DOMAIN\localpoweruser /add
net localgroup "Remote Desktop Users" "DOMAIN\Web Workplace Users" /add

........

When I set up a new user, I often find I need to add their domain
account to LocalAdmin before I log in as them the first time to
customize their profile/install any sw that must be installed by the
user him/herself ...then remove them from the domain LocalAdmin
group on the domain when done.

You can create/link a new GPO at the appropriate OU where your
computers live (if you haven't created custom ones, you'll need to -
unless you're using SBS, which creates its own hierarchy).

Edit the GPO - go to Computer Configuration \ Windows Settings \
Scripts (startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in
the window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied
when they restart, and you can now control all this at the server.

THAT SAID - it's not good practice to let users have local admin
rights - so if you have software that won't behave properly without
admin rights, try to correct it. First, I'd holler at the software
developer, because this is sloppy code, but then you can try
downloading Process Explorer from Microsoft (a sysinternals utility)
to see what the app is trying to do. You can then modify permissions
in the file system/registry appropriately, to let ordinary users
have the access the software needs.
This
part is the one that I always have problems with. As you can tell, I
am not a server guy. If you would give me a detailed procedure to
give the local machine administrator rights (even though some people
don't think it's a good idea),

Anyone who manages networks should think it's a bad idea!

I would be most grateful.

It's been a while since I added a computer, but here is what I did:

1. Log into the work station as an administrator of the local
machine.
2. Click on "Network ID" or "Change..." to join the domain. (Which
one should I use? What's the difference between the two methods?)

Don't use either. If you're using SBS, you really need to use the
wizards. Go to Server Management on the SBS box, Computers, and add
your client computers there - then join the domain using
http://servername/connectcomputer.

3. After joining the domain, Run "control userpasswords2", Advanced,
Advanced, Groups, Administrators, Add... and then add Domain Users.
(Sometimes "Domain Users" verifies, sometimes it doesn't.)
4. Okay all the way out.
5. Log out as Administrator and log in with a server user
account. Thanks.

Local admin rights & machine imaging don't really have much to do
with each other, note.

LW, there is no doubt in my mind that the procedures you are
recommending are the best practices to follow. Your reputation
precedes you.

<blush> I thought they said it would STAY in Vegas!

However, much of what you suggest is way over my head,
and I am not willing to take an in depth course on Windows Server to
volunteer for this non-profit organization. Most of what I do for
them is work station maintenance, at which I am close to being a pro.
However, the server issues do arise, and I do the best I can with
what I know.
The server is not SBS, it's Windows Server 2003.

Sorry, I subscribe to a lot of newsgroups and forgot where I was. Forget the
setup wizard junk I mentioned.

That said, for an office such as this, SBS would've been a very good fit -
it's a lot easier to manage if you don't have a lot of experience (and is a
lot cheaper considering what it includes). Check techsoup.org.

The workstations are
identical hardware. I don't know what SID is, but I will learn.

Security identifier. Every object in AD has one - and they're all unique.
You don't want to join the domain until you know the machine has a unique
SID. It's not a big deal to change it.

I've printed your post and will spend some time plodding through it.
Thanks for taking the time. Hopefully with your recommendations I can
find out what I'm missing along the way.

No prob - hope it gets you started. Post back if you need more help.
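
An added example, not part of the original posts: a PowerShell check that lists who is in a workstation's local Administrators group after a startup script like the one above has run, and flags broad principals such as the "Domain Users" and "Authenticated Users" asked about in the thread. The function name, the list of names treated as too broad, and the English group name "Administrators" are assumptions.

```powershell
# Added example. Names treated as "too broad" are an assumption; adjust to policy.
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone')

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # WinNT ADSI provider. Assumes the English group name "Administrators".
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read ADsPath through reflection.
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)

        # ADsPath is WinNT://DOMAIN/Name, WinNT://DOMAIN/COMPUTER/Name,
        # or a bare SID when the account can no longer be resolved.
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        $name  = $parts[-1]
        $scope = if ($parts.Count -gt 1) { $parts[0..($parts.Count - 2)] -join '\' } else { '' }

        [pscustomobject]@{
            Scope      = $scope
            Name       = $name
            Unresolved = ($name -like 'S-1-*')
            Broad      = ($BroadPrincipals -contains $name)
        }
    }
}

$report = @(Get-LocalAdminMember)
$report | Format-Table -AutoSize

# Broad groups and orphaned SIDs both deserve a look before the image is rolled out.
$findings = @($report | Where-Object { $_.Broad -or $_.Unresolved })
if ($findings.Count -gt 0) {
    Write-Warning ("{0} entry(ies) in local Administrators need review." -f $findings.Count)
    exit 1
}
```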


