What Really Controls The RIghts Of User Account

[Tempo3d]

I am sorry if you would find this question funny...but I really can't find the answer by myself.
As I understand the rights of user depend on member of which group the user account belongs to.
So if I create the user account and make it a member of Guest group then that user account will have the same rights (allowances and restrictions) as any user which belongs to Guest Group.
If I would create a new user account and make it a member of Administrator group then I would expect that that newly created user will have the same rights as administrator himself. It is what I did. But to my surprise that new user which belongs to Administrator account has some limitations...such as....I couldn't login to another machine using Remote Desktop Service..I can uninstall some software from my computer...by other words....It looks like even if the user if a member of Administrator group it still doesn't have the same rights as Administrator account...
Please help me figure out what exactly controls the rights and limitations of users...their membership?

Thanks!

 

[aznluvsmc]

You cannot log into the other computer using Remote Desktop because that user doesn't have permissions to login using Remote Desktop as it has its own permission setting.

By default only members of the local Admin group on the computer can log into it.

Steven S.
MCSA
A+, Network+, Server+, i-Net+, Security+

 

[Tempo3d]

What should I do to grant the permission to the Domain users to login onto other computers using Remote Desktop?

 

[h5n1]

did you throw that user in where you "select remote user" box?

-------------------------------------
everything in life is a learning experience.....everything.......

 

[aznluvsmc]

To do what you want, you would have to manually add every single user into the list but why do you want users to be able to log into every computer over Remote Desktop?

IMO, Remote Desktop is more of a trouble shooting / administration feature than a work feature.

What is it exactly that you want to be able for the users to do? Maybe we can point you in the right direction.

Steven S.
MCSA
A+, Network+, Server+, i-Net+, Security+

 

[Tempo3d]

The goal is to build the Server/Client network where there would be:

1. Only one Server machine which performs all of needed services such as File Service, Doman Controller, DNS server and etc. Only basic services. Nothing beyond of what a "regular TechnicalUser" like me could control without a help of proffesionals such as you guys here.

2. Two-three client workstations running regular applications such as Photoshop, After Effects and etc.
Those two-three client computers would often use a CPU processing power of 10-15 "renderfarm" computers wich are stacked on a rack. Those computers (so called renderfarm) do not have any keybards, mouses or displays connected to them. The only way to control them is to use Remote Desktop service found on Server 2003 and XP OS.
As an Domain Administrator I am able to login to those renderfarm computers remotely using Remote Desktop service.
But the users will not able to. Or I have to give the users my Domain Administrator password to be able to do it. By doing it I will give them a total control on network.
Of course I could start the renderfarm computers by myself at the morning for the users. But during rendering the renderfarm computers often crash. If one of the renderfarm computers reboots itself as a result of crash and I am not available the users will not able to start that rebooted computer....loosing processing power which could be available to them in case if they would have right privelege....I hope you are still reading this.

 

[aznluvsmc]

Ok you really have 2 choices here:

1) Create another account solely for accessing the rederfarm. Allow this user to log into each computer that you want.

2) Use a different remote control program such as RealVNC (

http://www.realvnc.com).

This works like PCanywhere if you've ever used it before. All the users need to make a connection in VNC is the name of the computer (in this case the renderfarm computers) and the VNC password for the connection.

I personally would prefer to use #2. Hope that helps!

Steven S.
MCSA
A+, Network+, Server+, i-Net+, Security+

 

[Solemn]

Have you tried adding a local account "Domain Users" to your client workstations and put the account to the local group "Administrators" on the client workstations?

That should give all your domain users administrative rights on the client workstations so that they can access them via Remote Desktop. And this way the users have administrative access only to those workstation, not on the whole network.

Let me know if this helped!

-Tero K.


---
Can YOU put Finland on the map?

 

[Tempo3d]

...From what you guys said here is what I should do:

Step # 1. First, usign Active Directory I create domain User account X. It actually doesn't matter what domain previligies I apply to it.

Step # 2. I login onto one of the client/renderfarm machine and assing just created domain User account X to the local group "Administrators" of that client (renderfarm) workstation.
I repeat step #2 for every renderfarm workstation.

Please correct me if I am wrong!

 

[aznluvsmc]

That's correct!

Or you could just add the Domain Users group to the local admin group and that way, users can log on using their own account just like Solemn says.

But using a dedicated account is better if you don't want just any user logging into the renderfarm.

_______________
Doing IT Right!