RE: User Templates

Tech-Archive recommends: Fix windows errors by optimizing your registry

Yes, users are added to the LOCAL administrators group by default. Simply
navigate to computer management on the local computer, then to local users
and groups, then to groups, and then remove the user's domain account from
the "Administrators" group.

"cmjkeegan" wrote:

> Hi Thanks for your reply.
>
> Just to clarify, are you saying that to change the users permissions I
> should log on to the local workstation and change the user from Local Admin
> to Local Users?
>
> If so, is it worth changing the default permissions for the user template so
> by default a new user is not given full admin rights?
>
> Thanks
>
> Chris
> --
> IT & Network Coordinator
>
>
> ""Nathan Liu [MSFT]"" wrote:
>
> > Hello Chris,
> >
> > Thank you for posting in the SBS newsgroup.
> >
> > According to your description, I understand that you found out that users
> > seem to have unrestricted access i.e. they can install anything and do
> > anything even though their template user profile is "user". If I have
> > misunderstood the problem, please don¡¯t hesitate to let me know.
> >
> > Please kindly note this behavior is expected, when we use "Add User Wizard"
> > to create a new user account, and apply it with one of default User
> > Templates, then create a appropriate computer account, then use
> > http://SBSServerName/connectcomputer link to join the computer into SBS
> > Domain by using the new user account, it will automatically add the user
> > account into computer's built-in Local Administrators Group, so users seem
> > to have unrestricted access.
> >
> > Based on the above information, if we would like to restrict the users'
> > permission, we can manually change the user account from computer's
> > built-in Local Administrators Group to Local User Group.
> >
> >
> > Please kindly check the following information about User Templates:
> >
> > Templates
> > Description
> >
> >
> > Administrator Template Has
> > unrestricted access to the server and the domain.
> >
> >
> > Mobile User Template Has
> > all permissions from the user template, also can connect to the server over
> > dial-up or VPN connections.
> >
> >
> > Power User Template Has all
> > permissions from the mobile user template, also can manage users, groups,
> > printers, shared folders, and faxes, and can log on remotely to the server.
> >
> >
> > User Template Has
> > access to network printers, shared folders, fax devices, e-mail, and the
> > Internet.
> >
> >
> > I appreciate your time and cooperation. If anything is unclear, please feel
> > free to let me know. I am looking forward to hearing from you.
> >
> > Have a nice day!
> >
> > Best regards,
> >
> > Nathan Liu (MSFT)
> > Microsoft CSS Online Newsgroup Support
> >
> > Get Secure! - www.microsoft.com/security
> > ======================================================
> > This newsgroup only focuses on SBS technical issues. If you have issues
> > regarding other Microsoft products, you'd better post in the corresponding
> > newsgroups so that they can be resolved in an efficient and timely manner.
> > You can locate the newsgroup here:
> > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
> >
> > When opening a new thread via the web interface, we recommend you check the
> > "Notify me of replies" box to receive e-mail notifications when there are
> > any updates in your thread. When responding to posts via your newsreader,
> > please "Reply to Group" so that others may learn and benefit from your
> > issue.
> >
> > Microsoft engineers can only focus on one issue per thread. Although we
> > provide other information for your reference, we recommend you post
> > different incidents in different threads to keep the thread clean. In doing
> > so, it will ensure your issues are resolved in a timely manner.
> >
> > For urgent issues, you may want to contact Microsoft CSS directly. Please
> > check http://support.microsoft.com for regional support phone numbers.
> >
> > Any input or comments in this thread are highly appreciated.
> > ======================================================
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> >
> >
> > --------------------
> > >Thread-Topic: User Templates
> > >thread-index: AcYVPZI6JnlHsxpaThiFhKVbduM+Vw==
> > >X-WBNR-Posting-Host: 81.137.39.206
> > >From: =?Utf-8?B?Y21qa2VlZ2Fu?= <cmjkeegan@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > >Subject: User Templates
> > >Date: Mon, 9 Jan 2006 08:56:01 -0800
> > >Lines: 53
> > >Message-ID: <6CE9EF8A-792E-4F77-9B6C-4737C9D29F98@xxxxxxxxxxxxx>
> > >MIME-Version: 1.0
> > >Content-Type: text/plain;
> > > charset="Utf-8"
> > >Content-Transfer-Encoding: 7bit
> > >X-Newsreader: Microsoft CDO for Windows 2000
> > >Content-Class: urn:content-classes:message
> > >Importance: normal
> > >Priority: normal
> > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> > >Newsgroups: microsoft.public.windows.server.sbs
> > >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> > >Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl
> > >Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:235187
> > >X-Tomcat-NG: microsoft.public.windows.server.sbs
> > >
> > >Hello,
> > >
> > >I have been trying to find out why users seem to have unrestricted access
> > >i.e. they can install anything and do anything even though their template
> > >user profile is "user".
> > >
> > >I think this is because in the user template properites all the templates
> > >seem to be a member of eachother....
> > >
> > >I have put below the list of what each template is a member of:
> > >
> > >Administrator Template...
> > > - Administrator Templates
> > > - Domain Admins
> > > - Domain Users
> > > - Mobile Users
> > > - Remote Web Workplace users
> > >
> > >Mobile User Template...
> > > - Administrator Template
> > > - Domain Users
> > > - Mobile Users
> > > - Power User Templates
> > > - Remote Web Workplace Users
> > >
> > >Power User Templates...
> > > - Administrator Templates
> > > - Domain Power Users
> > > - Domain Users
> > > - Mobile Users
> > > - Remote Web Workplace Users
> > >
> > >User Templates...
> > > - Administrator Templates
> > > - Domain Users
> > > - Power User Templates
> > > - Remote Web Workplace Users
> > >
> > >Now I am guessing that the guy who set this up has given all the templates
> > >admin rights? Am I right and if so which groups should be under which
> > >template.
> > >
> > >Ideally I want the users unable to install any programs or change any
> > system
> > >settings.
> > >
> > >Many Thanks
> > >
> > >Chris
> > >
> > >
> > >
> > >--
> > >IT & Network Coordinator
> > >
> >
> >
.

Relevant Pages

  • Re: RWW - configure visable servers
    ... When adding users I use the "User Template". ... test account and a legitimate user account. ... Domain Users and RWW Users. ... I agree that by default users can not access the SBS desktop. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS setup program not able to run under a normal user account
    ... by default, it works perfectly, no matter which user template you select. ... properly to the sbs box? ... in "You must be a member of the local Administrators security group on ... Is there a way to run it with a normal user account during login ie. ...
    (microsoft.public.windows.server.sbs)
  • Re: Changing the Default Location of User Folders using Add User W
    ... based on a user template reduces the need to manually enter account ... When creating a new user account, the new account inherits ... configurations without using user template wizard, ...
    (microsoft.public.windows.server.sbs)