Adding a domain user to the local Users group

05-21-2008, 12:28 PM
Registered User
Join Date: May 2008
Location: Minneapolis
Posts: 3
Okay, this might take a little explaining. I've done a fair amount of research and endless days of experimenting to no avail, so finally it's come to this, I'll begin this novel and hope someone can help me out.
I am currently administering a network of about 75 clients (all XP Pro 32-bit SP2 Windows machines). We are an AD environment with 3 DCs all running Server 2003; two of those are 32-bit and one 64-bit. All users run as local administrators on their own machines and users on the domain.
Here is my issue. I am trying to add a user to a new machine and add them to the Users Group instead of the Administrators Group. I have tried multiple ways, all not working.
What happens is this:
1. I log in as a domain admin
2. I add the user into the Users Group
3. I log out, then log in as the User (We can call him Max)
4. He is effectively added to the Users Group and cannot make system changes.
5. I log Max out and then log him back in and a new temporary profile is created. The new profile comes up as Mac.domain001
6. Every successive log out/in creates another temporary profile, but none will stick.
I have found other threads explaining a problem with domain vs. local profiles, although following the steps of editing the registry key in profile list hasn't worked, as the only profiles I see listed there are the admin profiles and system, network, etc.
So essentially I can't add the user as a member of Users and have the profile stick upon logout/login, but I can add them as a local administrator and the account will stick.
I'm sure I missed some things, so let me know if you have any ideas and I'll answer any questions as you have them.
Much thanks,
Steven.

05-21-2008, 12:57 PM
Registered User
Join Date: Jun 2003
Location: Canada
Posts: 3,355
Quote: Originally Posted by scmds
Okay, this might take a little explaining. I've done a fair amount of research and endless days of experimenting to no avail, so finally it's come to this, I'll begin this novel and hope someone can help me out.
I am currently administering a network of about 75 clients (all XP Pro 32-bit SP2 Windows machines). We are an AD environment with 3 DCs all running Server 2003; two of those are 32-bit and one 64-bit. All users run as local administrators on their own machines and users on the domain.
Here is my issue. I am trying to add a user to a new machine and add them to the Users Group instead of the Administrators Group. I have tried multiple ways, all not working.
What happens is this:
1. I log in as a domain admin
2. I add the user into the Users Group
3. I log out, then log in as the User (We can call him Max)
4. He is effectively added to the Users Group and cannot make system changes.
5. I log Max out and then log him back in and a new temporary profile is created. The new profile comes up as Mac.domain001
6. Every successive log out/in creates another temporary profile, but none will stick.
I have found other threads explaining a problem with domain vs. local profiles, although following the steps of editing the registry key in profile list hasn't worked, as the only profiles I see listed there are the admin profiles and system, network, etc.
So essentially I can't add the user as a member of Users and have the profile stick upon logout/login, but I can add them as a local administrator and the account will stick.
I'm sure I missed some things, so let me know if you have any ideas and I'll answer any questions as you have them.
Much thanks,
Steven.

Steven,
Let me understand you correctly: you log into the new system for Max as domain admin? Why?
You first log in to the PC as local admin, then join the computer to the domain... [this will require you to use your admin credentials to add any PC to AD]... when the PC has joined the domain, it will ask you to reboot the system. You shouldn't; go to Control Panel and add "max.domain.com" as a local user and then reboot... on reboot your PC will create a new profile for Max... Also, you could enforce any kind of policy you want via AD GP.
Hope this helps.
Cheers

05-21-2008, 01:10 PM
Registered User
Join Date: May 2008
Location: Minneapolis
Posts: 3
Quote: Originally Posted by snowmonkey
Steven,
Let me understand you correctly: you log into the new system for Max as domain admin? Why?
You first log in to the PC as local admin, then join the computer to the domain... [this will require you to use your admin credentials to add any PC to AD]... when the PC has joined the domain, it will ask you to reboot the system. You shouldn't; go to Control Panel and add "max.domain.com" as a local user and then reboot... on reboot your PC will create a new profile for Max... Also, you could enforce any kind of policy you want via AD GP.
Hope this helps.
Cheers

Thanks for the quick response. I should have been more clear. The machine has already been added to the domain and the user Max created initially as a local administrator. I then at a later time removed him from the Administrator group and added him to the Users group, effectively demoting him.
I could definitely pull the machine off the domain and start over? Maybe I'll try that following your instructions and let you know what happens. Is there a reason you cannot promote or demote users on the fly? Everything I've read suggests that you can?
As for AD Group Policy, I'm still learning, actually an English Major, but I have fallen into the role of administration. I was hoping to just give all new users (and eventually migrate the existing) Users Group privileges. This would, if nothing else, keep them from installing apps, which is my main concern.
Again, thanks for the quick response and I'll repost in a few minutes after trying your method.
Thanks,
Steven

05-21-2008, 01:13 PM
Registered User
Join Date: Jun 2003
Location: Canada
Posts: 3,355
If there is anything I could do, do hesitate to ask.....or PM me.
Cheers

05-21-2008, 02:29 PM
Registered User
Join Date: May 2008
Location: Minneapolis
Posts: 3
Quote: Originally Posted by scmds
Thanks for the quick response. I should have been more clear. The machine has already been added to the domain and the user Max created initially as a local administrator. I then at a later time removed him from the Administrator group and added him to the Users group, effectively demoting him.
I could definitely pull the machine off the domain and start over? Maybe I'll try that following your instructions and let you know what happens. Is there a reason you cannot promote or demote users on the fly? Everything I've read suggests that you can?
As for AD Group Policy, I'm still learning, actually an English Major, but I have fallen into the role of administration. I was hoping to just give all new users (and eventually migrate the existing) Users Group privileges. This would, if nothing else, keep them from installing apps, which is my main concern.
Again, thanks for the quick response and I'll repost in a few minutes after trying your method.
Thanks,
Steven

Okay, nope. Same thing. I pulled the computer off the domain, deleted the comp out of AD, re-added as admin, didn't restart, Control Panel, Users, added Max.domain, added to Users Group, logged out, logged in as Max, got Users privileges, logged back out, logged in again and presto... another profile.
The quest continues...
Because this is happening with any user and on any machine I have to believe it's either a user account setup error or something domain-wide that needs to be changed at the AD level?
All times are GMT -5.