RIS Permissions?

[Keith Latimer]

Hello!

I have an authorized RIS server running in my small 300
user environment that works just fine if I use a domain
admin account to login when the PXE boot takes place. In
this instance everything works great and I can push an
image down to a workstation in about 7 minutes. However,
if I try to use anything other than a domain admin
account, I get an error message stating "Unable to display
operating system (OS) choices" and the image process stops
at this point. I know I have a permissions problem but
I'm not sure what it is. I've made my help desk users
administrators of this server and have given them "Log on
Locally", "Act as part of the Operating System", and "Log
on as a service" user rights via a GPO, still without any
luck. I also setup the RIS volume so that the group
Everyone has rights to it, so I can't see this as being a
problem.

Does anyone have any idea of all the permissions that RIS
requires? Also, this was working fine initally when we
set RIS up about 18 months ago. I get the feeling some
sort of errant GPO setting might be causing the problem.

Thanks for your help!

Keith Latimer
Network Specialist
Idaho State Insurance Fund
Boise, Idaho 83720
1-208-332-2562
(e-mail address removed)

 

[Cary Shultz]

-----Original Message-----
Keith -

Hello fellow Idahoan! I live in Coeur d'Alene.

The SIF file flocated in the:

\\<ris server>\reminst\Setup\English\Images\<image>\i386 \Templates

must have ntfs rights for users to read or the image will not be available
to RIS users. Be aware that images with different hals may not appear to
users who want to use certain images:

Valid RIS Image Is Not Displayed in Installation Choices
http://support.microsoft.com/default.aspx?scid=kb;en- us;289638

You can create a group for some users to use for RISing their own machines
if you wish. Personally, this scares the crap out of me - I like users to
do their work and leave IT to IT. Here are the steps

You need to create a group and add the users to the group membership when
you want them to install and remove them when you don't. You can select
which users can see which images by using ntfs permissions on the SIF files.
(Thanks to M. Minasi for his help on this):

1. Make a group called Installers.
2. Open DSA and make sure you have advanced view turned on in DSA
3. Right-click the domain and choose properties>Security, add the Installers
group to the ACL
4. Still under the Security tab, click on
Installers>Advanced>Permissions>Edit
5. Check the boxes for: Create computer Objects, Delete Computer Objects,
change the "Apply Onto", change it to This object and all child objects.
Click OK, you should be back at the "Advanced Security for {domain}" dialog.
6. Click "Add" and add the Installers group, click OK.
7. Change "Apply Onto" to Computer Objects. Mark the box for Full Control.
Click OK.
8. Click OK, OK to close all windows.
9. Add users to the Installers group.

--
Scott Baldridge
Windows Server MVP, MCSE




.

Scott,

Also, remember that "Authenticated Users" can - by
default - join 10 computer accounts to the domain. This
would need to be changed.

I agree with you; I create the "Installers" group as well
( straight from MM's awesome book ). Have you noticed
all of the editing erros, though? Far too many. Still,
not his MMs fault.

Cary

 

[NIC Student]

Hey Cary,

Yeah MM's 2000 server book is full of editing errors, especially the Server
2003 version. I have used the 2000 version a lot but the 2003 was
disappointing.

 

[andrew p]

I had similar problems. You might need to run the "Delegation of control
Wizard", which you can do from AD Users and Computers. Right click on the
domain - Delegate Control.