Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Permissions

Status
Not open for further replies.

aquahalo

Technical User
Aug 17, 2005
13
US
Hi I am new to setting up a Windows 2003 Domain with Active Directory. My current problem is this:

I have created a share that I want to restrict access to certain folders etc. I have created groups like Marketing, Sales, Accounting, etc... And Users that belong to certain groups. My question is I want each user to be an Admin of their local machine but a regular User on the domain. Currently I am an Admin of the Computer connected to the domain and Admin of the Domain and I have rights to do anything in the share including change permissions. How can i change this? I know I have done it before on previous networks but I am not sure how it was done. I have tried removing myself from the Administrators group in AD but I am still set up as an Admin by looking at the User Accounts on the local client computer.

Any ideas?
 
Local machine security is controlled on the local machine.

At each machine, you will after go under user accounts and add the domain user and select your preference for security.

Just to add, if you're share is located on the server, then and your trying to block access to that share, that must be done by setting permissions under the share tab and security tab of the server.

Justin
 
The local machine lists its own Administrators group. Simply add Domain Users to this group and all domain users will be admins on any workstation. If you want specific users to be admins on a specific PC then add their domain login instead of Domain Users. You can access the users Applet via Control Panel, or right click My Computer and choose Manage.

As for the domain, unless you have added users to the Domain Admins group they should not have extended rights. Of course any share or file permissions that have already been granted to the users will still exist and need to be locked down.

I would caution you that giving users admin rights on a local PC is a VERY bad idea unless they are laptops. If you have a software application that says it requires such rights, investigate it further. Many such programs simply need write rights to the program folder, registry keys and/or an INI file.

I hope you find this post helpful.

Regards,

Mark
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top