HELP!! AD Issues

Sabir Ahmedi

Hi all,
I need some help with my lab install. It's a long story and extremely
technically complicated. Users need to be part of a local windows group called "Debugger Users"
in order to debug programs they write in Visual Studio.NET while logged
in as a restricted user. This group is created when Visual Studio
(referred to herein as VS) is installed.

In the past, this was no problem to do. Since everyone logged into
Novell as their primary authenticative network, they all shared a
generic local account called "Lab_User". In this setup, granting the
rights was easy because I could just grant rights to "Lab_User" in the
image. Now the problem is more complex, because a local account is created on
the local machine depending on the username they log into the domain
with. If I login to the domain as A218a01, for example, a local account
called A218a01 gets created on login, but they won't be a part of the
"Debugger Users" group because the account will have just been created. I could change it manually, but that is over 500 machines.

It gets worse. Since I cannot upload the image while configured for a
domain because of trust issues when the SID is changed, I cannot add
these rights to the DOMAIN USERS group of the domain. I tried
configuring to login to a domain, added the rights to DOMAIN USERS,
rebooted, and reconfigured the machine to use a workgroup, but then when
I check to see if the rights are still there, the object is, but it just
has the SID of the rights for DOMAIN USERS and that scares me. I'm
pretty sure this approach won't work, when it gets re-configured for the
domain, especially since all the workstation SIDs are changed after cloning.
I tried adding this group to the EVERYONE group on the local machine,
but for some reason that did not work.

I spoke with someone at Microsoft and they seem to indicate it can be done
through a script. Can anyone help me, since I am not sure where I need to go from here?
Thanks in Advance,

Sabir.
 
What precisely do you want to happen now?
(Ignore more of the history and reasons as you
are making it complicated.)

Sounds like you want a new user (machine or domain)
to be part of some group which has some right (Debugging?)
that is not the default, right?
 
If you have a particular group of users you need in the Debuggers group you
can do this via GPO. In AD I would put all of them in a debuggers group and
then have GPO put the group into the local group on each workstation. If
they are local admins would this not work??

HTH

Paul McGuire
Sorry about that,
If I login to the domain as A218a01, for example, a local account
called A218a01 gets created on login, but they won't be a part of the
"Debugger Users" group because the account will have just been created. I
could change it manually, but that is over 500 machines.
I want that local account to be added to the Debugger Users group via script
or some other mechanism. Thanks,

Sabir.
 
Paul,
Thanks for the reply. They are not local admins. Also how would I do
this??
In AD I would put all of them in a debuggers group and
then have GPO put the group into the local group on each workstation.

Sabir.
 
Herb,
I tried playing around with the restricted groups but I don't see any local
machine specific groups listed in AD when I go to add the group.

Sabir.
 
Try this approach -- on the domain create a Global
group for these users -- on each machine create a
local group and add the Global to it.

Now any permissions you give to either the Global or
the Local will affect anyone you place within the Global;
and you can use the global for the Template user account.
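
The approach in the last reply (a domain global group nested into the local "Debugger Users" group), as an added example that is not part of the thread: a PowerShell computer startup script, assuming Windows PowerShell 5.1 or later for the LocalAccounts cmdlets and a machine that has already joined the domain. `LAB\VS-Debuggers` is a hypothetical group name. The script also reports broad principals (Everyone, Authenticated Users, Domain Users) found in the local group, so membership stays limited to the dedicated group.

```powershell
# Added example, not from the thread. Deploy as a computer startup script
# (runs as SYSTEM). Group names below are hypothetical placeholders.
$LocalGroup  = 'Debugger Users'     # local group created by the Visual Studio installer
$DomainGroup = 'LAB\VS-Debuggers'   # hypothetical global group holding the lab users

function Add-DomainGroupToLocalGroup {
    param([string]$Local, [string]$Domain)

    # Visual Studio not installed on this machine: nothing to do.
    if (-not (Get-LocalGroup -Name $Local -ErrorAction SilentlyContinue)) {
        return 'LocalGroupMissing'
    }
    try {
        Add-LocalGroupMember -Group $Local -Member $Domain -ErrorAction Stop
        return 'Added'
    }
    catch {
        # The script runs on every boot, so "already a member" counts as success.
        if ($_.FullyQualifiedErrorId -like 'MemberExists*') { return 'AlreadyMember' }
        throw
    }
}

function Get-BroadGroupMember {
    param([string]$Local)

    # Well-known SIDs: Everyone (S-1-1-0), Authenticated Users (S-1-5-11),
    # and any domain's Domain Users group (RID 513).
    Get-LocalGroupMember -Group $Local | Where-Object {
        $_.SID.Value -in 'S-1-1-0', 'S-1-5-11' -or
        $_.SID.Value -like 'S-1-5-21-*-513'
    }
}

$result = Add-DomainGroupToLocalGroup -Local $LocalGroup -Domain $DomainGroup
Write-Output "$env:COMPUTERNAME : '$DomainGroup' -> '$LocalGroup' : $result"

if ($result -ne 'LocalGroupMissing') {
    # Flag over-broad grants left behind by earlier experiments or the image.
    foreach ($m in Get-BroadGroupMember -Local $LocalGroup) {
        Write-Warning "Broad principal in '$LocalGroup': $($m.Name) ($($m.SID.Value))"
    }
}
```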
 