How to create user to install apps on Domain Controller

  • Thread starter: Joel
Hi,

I have a basic permissions question about Win 2k Server.

We are setting up a production server that will be delivered to our customer
soon and various people in our department require physical access to the
domain controller in order to install various applications. I'm not
particularly paranoid about them working on the DC, but I would ideally like
to set them up with a user account that will allow them to log in locally to
the DC and install and work on their application, but I don't want them to
have access to things like modifying users accounts, etc.

Is there a built in group that I can use for this purpose? I am never
really sure what the Server Operators group doesn't have that the
administrators group does have. In the past, I have created an
administrator-like account for them, but I wish to begin steering away from
that policy.

Thanks, Joel
Tech Net Plus member
 
Dear Joel,

Thank you for your post.

To enable an account to log on locally, we can adjust the related group
policy's "Allow log on locally" and "Deny log on locally" settings under
/Computer Configuration/Windows Settings/Local Policies/User Rights
Assignment.

However, to answer your second question, it depends on the applications. To
be honest, many applications are designed to be installed in the context of
Administrator.

Actually, for security purposes, it is recommended that we do not directly
assign common users the permissions to logon locally to the PDC and install
applications. Instead, please have the end users inform a network
administrator if they need to install an application on PDC. Then the
network administrator can backup the PDC, make records of the changes, and
then install the application for the user.

I hope the above information helps. Thanks and have a nice weekend!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|From: "Joel" <[email protected]>
|Subject: How to create user to install apps on Domain Controller
|Date: Fri, 12 Sep 2003 15:02:40 -0400
|Newsgroups: microsoft.public.win2000.active_directory
 
Thank you for your reply Joe. I will heed your warning about allowing users
to log in to a DC, but I have just tried to make that change as an
experiment and I was not successful!

Please tell me what I am doing wrong. I went into
Start>Programs>administrative tools>domain controller security policy and
from there Windows settings>security settings>local policy> user rights
assignment and I added my test user the "log on locally" right.

My test user was not able to log in to the DC after that so I went to
Start>Programs>administrative tools>local security policy and did the same
thing there.

My test user is still not able to log in locally! Can you tell me what I am
missing?

Thanks, Joel
 
Dear Joel,

Thank you for your update.

It should be due to the fact that the group policy object does not
immediately take effect on the domain controller. Please run the following
command to manually impose the group policy settings:

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

Then please log off and log on as the user to see if the message still
appears.

If you still cannot log on locally as the corresponding user account,
please open the "Active Directory Users and Computers" snap-in, and check
all the related group policy objects (including "Default Domain Controllers
Policy" and "Default Domain Policy") to ensure that the user is not in the
"Deny logon locally" list.

Reference:

227302 Using SECEDIT to Force a Group Policy Refresh Immediately
http://support.microsoft.com/?id=227302

I hope the above information helps.

Thanks and have a great day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

--------------------
|From: "Joel" <[email protected]>
|Subject: Re: How to create user to install apps on Domain Controller
|Date: Mon, 15 Sep 2003 09:16:28 -0400
|Newsgroups: microsoft.public.win2000.active_directory
 
I think I figured this one out--domain controller security policy>local
settings>log on locally.

And add the user in the permissions of the Term serv configuration. Thanks.
Joel
 
Dear Joel,

Thank you for your updates.

Yes, terminal clients also need the "logon locally" privilege and "User
Access" permission on the RDP-Tcp connection object. You have utilized the
solution perfectly.

For your reference, I have attached a KB link below. I hope it is helpful:

246109 Error Messages Generated When Logging on with Terminal Services
Client
http://support.microsoft.com/?id=246109

Thanks!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

--------------------
|From: "Joel" <[email protected]>
|Subject: Re: How to create user to install apps on Domain Controller
|Date: Wed, 17 Sep 2003 15:45:29 -0400
|Newsgroups: microsoft.public.win2000.active_directory
|
|> Thank you again Joe.
|>
|> This works! Here is my final question: As this new user does not have
|> physical access to the domain controller I would like to set it up so that
|> he can term serv into the server. What else do I need to do to accomplish
|> this?
|>
|> Joel
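The procedure the two Microsoft replies above describe (force a machine-policy refresh, then confirm the account is in the allow list and in no Deny list for "Log on locally", and for Terminal Services the matching remote-logon right) can be scripted instead of clicked through. The PowerShell below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes an elevated session on a domain-joined host, ideally the domain controller itself, reads the effective policy with secedit's export, resolves the account's transitive group membership from the tokenGroups attribute, and treats the account name CONTOSO\appinstall as a placeholder. Windows 2000 has neither PowerShell nor SeRemoteInteractiveLogonRight; there, as the last reply says, Terminal Services checks "Log on locally" plus User Access on the RDP-Tcp connection, so on a Windows 2000 box only the first row applies and the refresh step is the SECEDIT command quoted earlier.

```powershell
<#
  Added example for this page, not code from the thread or from Microsoft.
  Reports whether an account is allowed, denied, or simply absent for the
  logon rights discussed in the thread, using the *effective* policy on the
  machine it runs on (run it elevated on the domain controller). A Deny right
  always wins over an Allow right, which is why an account can sit in
  "Allow log on locally" and still be refused at the console.
  Assumptions: domain-joined host, Windows PowerShell 5.1 or later,
  and the account name below is a placeholder.
#>
param(
    [string]$Account = 'CONTOSO\appinstall',   # placeholder; use DOMAIN\sAMAccountName
    [switch]$RefreshPolicy                     # apply pending GPO changes first
)

# Step 1 (optional): make the machine apply policy now instead of waiting for
# the next refresh interval. SECEDIT /REFRESHPOLICY is the Windows 2000 syntax
# from the thread; Windows XP / Server 2003 and later replaced it with gpupdate.
if ($RefreshPolicy) {
    if (Get-Command gpupdate.exe -ErrorAction SilentlyContinue) {
        & gpupdate.exe /target:computer /force | Out-Null
    } else {
        & secedit.exe /refreshpolicy MACHINE_POLICY /enforce | Out-Null
    }
}

# Step 2: export the effective user-rights assignment. secedit writes an INF
# whose [Privilege Rights] section holds lines such as
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-21-...-1105
# A leading '*' marks a SID; an unresolvable principal can appear as a bare name.
function Get-EffectiveUserRights {
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated session.' }
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]; $value = $Matches[2]
            $rights[$name] = @($value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

# Step 3: collect every SID the account's logon token would carry: its own SID,
# its transitive group membership (the tokenGroups attribute, which already
# expands nested groups), and the well-known SIDs Everyone (S-1-1-0) and
# Authenticated Users (S-1-5-11). A right granted to any of these counts, and
# a Deny on any of these blocks the logon.
function Get-TokenSids([string]$DomainAccount) {
    $sam = $DomainAccount.Split('\')[-1]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # searches the current domain
    $searcher.Filter = "(sAMAccountName=$sam)"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Account '$sam' not found in the current domain." }
    $entry = $hit.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))                              # constructed attribute, must be asked for
    $groupSids = foreach ($bytes in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
    $ownSid = (New-Object System.Security.Principal.NTAccount($DomainAccount)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
    return @($ownSid) + @($groupSids) + @('S-1-1-0', 'S-1-5-11')
}

# Step 4: evaluate both logon paths. On Windows 2000 the remote-interactive
# right does not exist (Terminal Services there uses "Log on locally" plus
# User Access on the RDP-Tcp connection), so that row reads "not listed".
function Test-LogonRights([string]$DomainAccount) {
    $token  = Get-TokenSids $DomainAccount
    $rights = Get-EffectiveUserRights
    $paths = @(
        @{ Label = 'Log on locally';                   Allow = 'SeInteractiveLogonRight';       Deny = 'SeDenyInteractiveLogonRight' },
        @{ Label = 'Log on through Terminal Services'; Allow = 'SeRemoteInteractiveLogonRight'; Deny = 'SeDenyRemoteInteractiveLogonRight' }
    )
    foreach ($p in $paths) {
        $allowed = @($rights[$p.Allow] | Where-Object { $token -contains $_ })
        $denied  = @($rights[$p.Deny]  | Where-Object { $token -contains $_ })
        $verdict = if ($denied)      { 'DENIED via ' + ($denied -join ', ') }     # Deny always wins
                   elseif ($allowed) { 'allowed via ' + ($allowed -join ', ') }
                   else              { 'not listed in either allow or deny' }
        [pscustomobject]@{ Right = $p.Label; Account = $DomainAccount; Result = $verdict }
    }
}

Test-LogonRights $Account | Format-Table -AutoSize
```

Run it as `.\Check-DcLogon.ps1 -Account 'CONTOSO\appinstall' -RefreshPolicy` on the DC. A "DENIED via S-1-5-32-545" line, for instance, tells you that BUILTIN\Users is in a Deny list somewhere in the GPOs applied to the Domain Controllers OU, which is exactly the case the second reply asks you to rule out; fixing it means editing that GPO, not adding the user to the allow list again. The script reports the merged result the machine actually enforces, so it also catches a Deny coming from the Default Domain Policy that the Domain Controller Security Policy console alone would not show.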
 