-----Original Message-----
Tom,
Further to what Lanwench stated -
I would indeed use WIN2000 Active Directory in a 15 user environment. We
support many clients who have as few as six users and we make use of Small
Business Server in those environments. On the other side of the coin, we
have a couple of clients who have some 30 WIN98 computers in a workgroup
environment. They just do not want to spend the money on a Server....
Guess where we are constantly having problems ( not a bad thing for us:
billable hours )?
Not sure why you would want to install WINNT 4.0 - if that is what you
meant. I would consider all of the things that you can do with WIN2000 and
Active Directory ( group policy just being one of the many things ). You
can also make use of Terminal Server in Remote Admin mode so that you can
remotely connect to their DC from your office ( or just about anywhere for
that matter ). I do a lot of stuff for our clients this way. It is a very
nice feature.
Is deploying the required software via GPO not a possibility? Lanwench
suggested installing the software for them - which might be a solution. It
might not take that long if you have only 15 users. In my experience,
making the domain user accounts a member of the local Power Users group will
allow them to install a limited number of software applications. On the
good side - AOL IM and Hotbar and most of those types of applications do
require that they be members of the local Administrators group. The Power
User group would not suffice for these applications ( a good thing ).
Lanwench asks a very good question: how often do they need to install
software? We take care of several insurance brokerage companies which
receive updates every month from the various Insurance Companies. So, we
know that around the 25th of each month the software needs to be updated and
we take care of it...
HTH,
Cary
"Lanwench [MVP - Exchange]" <[email protected]> wrote in message
Inline -
Tom wrote:
Hi Cary,
There are about 15 users on this network. I inherited this
network and would never have set up AD on a network this
size. Would reinstalling the server as a normal NT domain
solve this problem?
No - the issue is with the local workstation permissions - the domain
version/type is irrelevant. Personally, I don't find AD too grandiose for 15
users....I'd be more frightened if you had a 15-PC workgroup. ;-)
The restricted group wouldn't help because this is an
ongoing problem and I am there as an independent
contractor.
How often do they need to install software? Is there any reason you can't
just install it for them and leave the permissions alone? Or, if they do
need local admin rights, read them the riot act to make sure they know what
is and is not permissible?
I tried the local users power group, but logging on to the
domain seems to override the local permissions.
You can add the domain users group to the power users group on each PC
locally and see if this works. It may not. A lot of software requires full
admin access.
Thanks
-----Original Message-----
Tom,
You find yourself in a common 'situation'. You are very smart to
not want to allow your domain user account objects to be made
members of the computer's local Administrators group. You can try
adding them to the local
Power Users group but this will not solve your situation with most
software.
You can try deploying all of your software via GPO or you can run
filemon from sysinternals and try to determine what registry entries
are giving you the 'access denied' errors and give your users the
necessary permissions to those registry keys.
You can also try to make use of Restricted Groups for a short period
of time ( say, two days ) and then remove it. Just tell your users
that they have to install this software within 24 hours from your
e-mail. This is not the best solution but it is a possible solution
nonetheless.
How many users are we talking about? 20? 200? 2000?
HTH,
Cary