RE: Installing Software and Permissions



A small update that may help as well... the user user1 is also a member of
Domain Admins... but this will eventually be locked down. But again, the
software would refuse to install for user1 until user1 was added directly to
the TS Server's Local Admins group.


"lozza" wrote:

Hey Guys,

Looking for some pointers by the more experienced. I would like to allow
certain users the ability to administer a TS Server and also install software
etc etc on my TS Server. Now, the good way to do this, I believe is by
grouping all these users into an AD Global Security Group and then adding that
security group to the Local Administrators group. Then anytime someone new
needs to be added as an administrator, simply add them to that very Global
Security group and they'll have TS admin permissions... So here is what I
have done:

1) Created an AD group called TS_Admins - Populated with Users
2) Created an AD group called TS_Users - Populated with Users
3) Added TS_Admins to TS_Users (this has been done so I can treat the
TS_Users group as all possible TS users and security filter GPOs to them if
required)
4) Added TS_Users to the Local group on the TS Server - Remote Desktop Users
5) Added TS_Admins to the Local group on the TS Server - Administrators
6) All in all the Local Administrators Group on the TS Server is now
populated with Administrator, Domain Admins and TS_Admins

So far so good... I hope.

So here is the issue.... I log into the TS Server as a User (user1) who is a
member of the TS_Admins group and try and install a piece of software.... Put
the server in Install mode and during installation an error message is
received saying this User does not have admin rights!!!... confused.

So here is what I have noticed.
- If I log on as myself (member of Domain Admins group) it installs.
Implying the nested group structure and permissions are working (?)
- To troubleshoot whether the user1 really is an admin on the TS Server, I
have added more users to the Local Administrators group using the user1
account. This applies fine... Are there any other tests I can do to ensure
this user is being treated as an administrator?
- If I put user1 in directly under the Local administrators group (so trying
to avoid the nested group structure) - it installs fine under the user1
account.

My questions would be.. is this a quirky TS issue? and what can I do to
troubleshoot this further? Are my group structures wrong?

I'd like to be able to grant admin rights to my users via the TS_Admins AD
Group... If any other info is required, please feel free to ask...

Help appreciated
Lozza....
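
One test of the kind asked about above, as an added example that is not part of the original post: it inspects the logon token of the current session rather than the group membership stored in AD, since the token is built at logon and is what an installer's admin check sees. It assumes PowerShell is available on the TS Server and is run inside user1's session; `TS_Admins` is the group name from the post.

```powershell
# Added example: reports what the CURRENT logon token contains.
# Run it in the session of the account under test (user1 in the post).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Well-known SID of the local BUILTIN\Administrators group
$adminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

# True only if the Administrators SID is present and enabled in this token
$isAdmin = $principal.IsInRole($adminSid)

# Translate every group SID carried by the token into a readable name
$groups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # SID could not be resolved: keep the raw value
}

# Is the nested AD group from the post present in the token?
$viaNested = @($groups | Where-Object { $_ -like '*\TS_Admins' })

# Summary first, then the full group list for comparison between accounts
[pscustomobject]@{
    User                  = $identity.Name
    AdministratorsInToken = $isAdmin
    TS_AdminsInToken      = ($viaNested.Count -gt 0)
}
$groups | Sort-Object
```

Comparing the output for user1 while nested through TS_Admins against the output after user1 is added directly to the local group shows whether the two tokens actually differ. Group changes only appear in a token after a fresh logon.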
