Re: User rights

From: Shawn P. Lemay (shawn_at_nospamplease.sandtent.com.remove)
Date: 12/07/04 

Date: Tue, 7 Dec 2004 09:18:19 -0500

Hi Chad,
    This issue is with SBS automatically pulling the local user account into
the local administrators group, thus giving them full access to the
workstation. So if I follow what you're saying, by not selecting a user at
the Connect Computer Wizard - it won't put that user into the local admin
group? Will it still migrate that user up to SBS? i.e.: coping their my
documents, bookmarks, profile etc... and bringing it into the domain
account? Or will not now stay behind? Thanks,
Shawn

"Chad A. Gross [SBS MVP]" <chad.gross@laytonflower.nospam.com> wrote in
message news:%23wPbR0A3EHA.3820@TK2MSFTNGP11.phx.gbl...
> Hi Shawn -
>
> What user rights are you talking about? Domain rights (server shares,
> etc.), local PC, or Sharepoint?
>
> Domain rights are set when you create the user account, and are determined
> by the user template you select. local PC rights normally match the
> domain rights set during user account creation. The only exception to
> this is when you run the ConnectComputer wizard, any users you select to
> assign to the PC are granted Local Administrator rights. (Note that you
> don't have to assign users to a PC in order for them to be able to log in
> & use the PC). Last - SBS includes the domain Power Users group as a
> member of the Sharepoint Administrators group - thus Power Users & above
> (Mobile Users, etc.) are automatically Sharepoint Administrators. If you
> don't want your Power Users to be Sharepoint Administrators, you'll need
> to remove the Power Users group from the Sharepoint Administrators group.
> Note that you'll then need to manually set permissions on your Shareoint
> site . . .
>
> --
>
> Chad A. Gross - SBS MVP
> SBS ROCKS!
>
> www.msmvps.com/cgross
> www.gosbs.org
>
>
> Shawn P. Lemay wrote:
>> This hit indirectly on a problem I'm having with this customer. I
>> realized this was occurring - but I can't seem to find a script that
>> is actually doing this. This customer does NOT want any users to be
>> granted local administrator rights - where can we change the script /
>> template that is creating this rule? I've searched long and hard
>> throughout the documentation, scripts, newsgroups and internet - all
>> I'm seeing is what you're suggesting here, to manually remove them. Is
>> there no way to automate this from the beginning? This client has
>> not yet put their new SBS Server live - so they don't want this to
>> occur when then do add users into this environment. Thanks a million,
>> Shawn
>>
>>
>>> Hi,
>>>
>>> By default they are local admins on their client computers. This
>>> seems to work okay in the 10 user or less offices, but the "larger"
>>> mid-twenty and up
>>> small businesses tend to get themselves into more trouble with
>>> installing Hotbar and the like. You can log into the client
>>> machines from the Server Management Console and move them out of
>>> their local admin group if you want.
>>>
>>> Steve
>>>
>>>
>>> Steven Banks [SBS MVP]
>>> Banks Consulting Northwest Inc.
>>> http://www.banksnw.com
>>>
>>>
>>> "RCMe" <rcme_1NOSPAM@nospam.hotmail.com> wrote in message
>>> news:OfGsotnqEHA.556@TK2MSFTNGP11.phx.gbl...
>>>> Hello,
>>>>
>>>> I have a question about user rights.
>>>>
>>>> On SBS 2003, I setup all the users to be members of the "Users"
>>>> group (the
>>>> default setting).
>>>>
>>>> However, I noticed that when I run the "connectcomputer" to setup
>>>> the desktop computers, the final status screen says something to
>>>> the affect of
>>>> "user set as local administrator"!?
>>>>
>>>> I also noticed that even though the users are setup in SBS 2003 to
>>>> be members of the Users group, when logged in as a user, one can
>>>> install software on the desktop computers.
>>>>
>>>> From reading the SBS 2003 documentation, it says that the Users
>>>> group does
>>>> not have rights to install software.
>>>>
>>>> Does anyone know what is going on here?
>>>>
>>>> TIA
>>>>
>>>> - rcme
>
>

Relevant Pages

  • Re: no users, no administrative password
    ... You can create an additional user account that has a password to use and add ... it to the local administrators group if need be. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: SBS 2003 Std with a W2K pro client
    ... you have to add the users to the Administrators group on the workstation. ... Added the users to SBS as "users", ... I would prefer not to use the connectcomputer string on these machines. ...
    (microsoft.public.windows.server.sbs)
  • Re: administrator on box also on domain?
    ... > administrators group at the PC then it shows something like: ... > domain_name\Domain Admins ... so we add the user to the local Administrators ...
    (microsoft.public.windows.server.active_directory)
  • Re: Open With.. functionality doesnt fully work
    ... Windows XP Shell/User ... Administrators ... only for the user account, which has no special permissions other than ...
    (microsoft.public.windowsxp.customize)
  • Re: Open With.. functionality doesnt fully work
    ... other words, logged in as admin, everything works, but logged in as user, it does not work. ... Administrators ... only for the user account, which has no special permissions other than ...
    (microsoft.public.windowsxp.customize)