W2k server settings override local xp security

blackbluecat

Hi,

Before anything else, I'd like to apologize for the cross-post, but I
honestly don't know where to post this because it touches several
topics and am quite desperate.

I'm working on a network consisting of a server running w2k server, 2
workstations running w98, and I'm trying to add 2 new workstations
running XP Pro (which are replacing two computers that were struck by
lightning and are dead).

Everything appeared to be running nicely, except that once I connected
the xp stations to the domain, I was no longer able to create folders
under c:\program files unless I'd log out and log back in with the
network's admin user name and password.

This is quite a problem because I have an application that needs to be
able to do ANYTHING it wants in the c: drive and it can't.

I even went to the server and gave administrative rights to this user
and still no dice. I can't add folders to c:\program files.

In the server I went into the active directory configuration and under
the properties for one of these computers changed the "Managed by" from
blank to the user's name. Still nothing.

What I want, in a nutshell, is to have these XP workstations become as
insecure as a Windows98 computer would be. While I don't want the users
roaming freely in the Windows 2000 server, I want them to be in
ABSOLUTE control of their local machines.

Where do I need to go to remove any restrictions established at the
domain level for these users?

Regarding local control, I'm assuming that by making the users members
of the administrator group in the local machine (which I renamed
LocalAdministrators to make it distinguishable from the domain's
Administrators group) would do the trick once I'm able to lift the
domain-related restrictions, but please please PLEASE correct me if I'm
wrong. I'm really desperate with this one.

Thanks for any and all your help!

Alex

PS: If you need to send email directly, change the domain from bigfoot
to gmail.
 
Hi,

Before anything else, I'd like to apologize for the cross-post, but I
honestly don't know where to post this because it touches several
topics and am quite desperate.

I'm working on a network consisting of a server running w2k server, 2
workstations running w98, and I'm trying to add 2 new workstations
running XP Pro (which are replacing two computers that were struck by
lightning and are dead).

Everything appeared to be running nicely, except that once I connected
the xp stations to the domain, I was no longer able to create folders
under c:\program files unless I'd log out and log back in with the
network's admin user name and password.

This is quite a problem because I have an application that needs to be
able to do ANYTHING it wants in the c: drive and it can't.

I'd strongly recommend replacing such a poorly written application, but
I understand that this isn't always a feasible course of action.

You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) of the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."


I even went to the server and gave administrative rights to this user
and still no dice. I can't add folders to c:\program files.

Granting the user admin privileges to the server would have little
effect upon file permissions on a workstation. However, adding the
user's domain account to the workstation's local administrator group
should do the trick.

In the server I went into the active directory configuration and under
the properties for one of these computers changed the "Managed by" from
blank to the user's name. Still nothing.

That gives the user permissions to remotely manage the computer - not
what you want.

What I want, in a nutshell, is to have these XP workstations become as
insecure as a Windows98 computer would be. While I don't want the users
roaming freely in the Windows 2000 server, I want them to be in
ABSOLUTE control of their local machines.


Two choices: Remove WinXP and install Win98, or re-install WinXP after
formatting the hard drives as FAT32. Either method will render the
computers in question completely unsecured, as you wish.

Where do I need to go to remove any restrictions established at the
domain level for these users?

The restrictions you're encountering aren't at the domain level,
they're inherent in WinXP's design and file system.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Hi Bruce,

Thanks for the very prompt response. I will try your suggestions when I
go visit the client on Wednesday.

To shed some light, the app isn't even a windows app, it's a dos app
with a windows-based component called Winagent, that is used to allow
it to print to non-dos-compatible printers (it drops a text file in a
predetermined folder, and winagent picks it up and prints it). The
app's name is Alpha4.

I will be posting in their forum as well, but from what I've read
there, no one has had this problem before, and since it isn't possible
to modify the app, I'd like to "adjust" the operating system around its
quirks.

Again, thank you for your suggestions!

Alex
 
Log on as a domain admin, go to computer management -> local users and
groups -> groups. Right-click administrators, add the DOMAIN account you are
logging on with to the LOCAL administrators group. If you want this to be
blanket for all users on all computers, add the "domain users" group (from
the domain) to the local admins group. Note that this will defeat local
security on all workstations, but not at the domain level.

....kurt
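
An added example, not part of any post in this thread: a batch script that applies the narrower option from the replies above (change rights on the application's folder only, for one account) and then lists who already holds local administrator rights on the workstation. The folder path, account name and group name are placeholders to adjust.

```bat
@echo off
rem Added example, not from the thread. All three values below are placeholders.
rem APPDIR   : folder the legacy application writes to
rem ACCOUNT  : the single domain account that runs the application
rem ADMGROUP : local administrators group (the original poster renamed his
rem            to LocalAdministrators, so the name may differ per machine)
setlocal
set "APPDIR=C:\Program Files\appfolder"
set "ACCOUNT=EXAMPLE\alex"
set "ADMGROUP=Administrators"

if not exist "%APPDIR%" (
    echo Folder not found: %APPDIR%
    exit /b 1
)

echo --- ACL on the application folder before the change ---
cacls "%APPDIR%"

rem Grant Change (not Full Control) on this folder tree to one account.
rem /e edits the existing ACL instead of replacing it, /t recurses into
rem subfolders, /p replaces only that account's entry.
cacls "%APPDIR%" /e /t /p %ACCOUNT%:c

echo --- ACL on the application folder after the change ---
cacls "%APPDIR%"

rem Review which accounts have full control of this workstation, so that
rem a broad group such as "Domain Users" does not go unnoticed there.
echo --- Members of the local %ADMGROUP% group ---
net localgroup "%ADMGROUP%"

endlocal
```

Run it from an account that is already a local administrator on the workstation, and compare the two ACL listings to confirm the new entry is present.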
 
Thanks all for your replies.

The following day, another tech was at the client for something else
and he called me to try to fix the problem. I had left one of the Dell
computers back to out-of-the-box state, so he tried with that one and
was able to get everything done without problems.

Other than setting up the user name as the administrator, and having
found something misconfigured in the server's dns and wins services, he
didn't do anything out of the ordinary, yet everything worked, so I'm
not going to over-analyze this and just get on with the program.

I returned the next day to finish installing everything else that the
users required.

Thanks again!

Alex
 