Installing Software and Permissions

Hey Guys,

Looking for some pointers by the more experienced. I would like to allow
certain users the ability to administer a TS Server and also install software
etc etc on my TS Server. Now, the good way to do this, I believe is by
grouping all these users into a AD Global Security Group and then adding that
security group to the Local Administrators group. Then anytime someone new
needs to be added as an administrator, simply add them to that very Global
Security group and they'll have TS admin permissions... So here is what I
have done:

1) Creating an AD group called TS_Admins - Populated with Users
2) Created an AD group called TS_Users - Populated with Users
3) Added TS_Admins to TS_Users (this has been done so I can treat the
TS_Users group as all possible TS users and security filter GPOs to them if
required)
4) Added TS_Users to the Local group on the TS Server - Remote Desktop Users
5) Added TS_Admins to the Local group on the TS Server - Administrators
6) All in all the Local Administrators Group on the TS Server is now
populated with Administrator, Domain Admins and TS_Admins

So far so good... I hope.

So here is the issue.... I log into the TS Server as a User (user1) who is a
member of the TS_Admins group and try and install a piece of software.... Put
the server in Install mode and During installation an error message is
received saying this User does not have admin rights!!!... confused.

So here is what I have noticed.
- If I log on as myself (member of Domain Admins group) it installs.
Implying the nested group structure and permissions are working (?)
- To troubleshoot whether the user1 really is an admin on the TS Server, I
have added more users to the Local Administrators group using the user1
account. This applies fine... Is there any other tests I can do to ensure
this user is being treated as an administrator?
- If I put user1 in directly under the Local administrators group (so trying
to avoid the nested group structure) - it installs fine under the user1
account.

My questions would be.. is this a quirky TS issue? and what can I do to
troubleshoot this further? Are my group structures wrong?

I'd to be able to grant admin rights to my users via the TS_Admins AD
Group... If any other info is required, please feel free to ask...

Help appreciated
Lozza....

.

Relevant Pages

  • Re: Windows 2003 - User Logins vs Software
    ... > We have recently installed a Windows 2003 domain server. ... admin, open "Active Directory Users and Computers", locate the workstation ... "Administrators" group under "Local users and Groups". ...
    (microsoft.public.windowsxp.security_admin)
  • RE: Installing Software and Permissions
    ... I even rebooted the TS Server. ... member of Domain Admins... ... the software would refuse to install for user1 ... Server - Administrators 6) All in all the Local Administrators ...
    (microsoft.public.windows.terminal_services)
  • Re: Dumping full information about users.
    ... When I try to the connect computer as the install admin (i.e. the dude i'd ... You should not use a local install of Outlook. ... > from the server to get a proper setup. ...
    (microsoft.public.windows.server.sbs)
  • Re: Demoting administrator to reader does not work!
    ... Local Administrators on the server also get admin rights ... Microsoft MVP - Sharepoint Portal Server ...
    (microsoft.public.sharepoint.portalserver)
  • Re: Limit administrators permissions
    ... Remove the administrators group from the documents and settings folder ... >> local admin, otherwise it does not install the Office ...
    (microsoft.public.windowsxp.security_admin)