
Installing New Work Stations



Guest mcp6453
Posted

I do computer support for a non-profit organization. They just had 10 new Pentium 4 computers donated. The machines have fresh installations of XP SP2. It takes a long time to install SP3 and the updates. Plus, there are several other applications that need to be installed on each computer.

Hopefully I can save some time by building one machine and then imaging the drive to the others. (All software is properly licensed.) So, I will use this occasion to try to understand a perpetual problem that I have: Giving administrator rights to the local machine after the work station joins the domain of the Windows 2003 Server. I have tried a number of ways, and something always seems to go wrong.

There are two parts to this question. The first part is, if I build one machine to spec, join the domain, and then image the drive to another (identical) computer, what do I have to change on the second machine to enable it to log into the network? The machine name? Or, do I have to go through the same routine to join the domain?

The second part of the question is, after a machine joins the domain using the Administrator account, how do I give any authenticated users administrator rights on the local machine? Do I add "Domain Users" or "Authenticated Users" to the local machine Administrators group? This part is the one that I always have problems with. As you can tell, I am not a server guy. If you would give me a detailed procedure to give the local machine administrator rights (even though some people don't think it's a good idea), I would be most grateful.

It's been a while since I added a computer, but here is what I did:

1. Log into the work station as an administrator of the local machine.
2. Click on "Network ID" or "Change..." to join the domain. (Which one should I use? What's the difference between the two methods?)
3. After joining the domain, Run "control userpasswords2", Advanced, Advanced, Groups, Administrators, Add... and then add Domain Users. (Sometimes "Domain Users" verifies, sometimes it doesn't.)
4. Okay all the way out.
5. Log out as Administrator and log in with a server user account.

Thanks.

Guest Lanwench [MVP - Exchange]
Posted

Re: Installing New Work Stations

 

mcp6453 <mcp6453@gmail.com> wrote:

> I do computer support for a non-profit organization. They just had 10 new Pentium 4 computers donated. The machines have fresh installations of XP SP2. It takes a long time to install SP3 and the updates. Plus, there are several other applications that need to be installed on each computer.
>
> Hopefully I can save some time by building one machine and then imaging the drive to the others. (All software is properly licensed.)

If you don't have fairly identical hardware, this won't work well - Acronis software, such as SnapDeploy or TrueImage Workstation with Universal Restore may be able to do it for you, though. SnapDeploy is a bit complex but is designed to do what you're trying to do and includes a SID changing tool.

> So, I will use this occasion to try to understand a perpetual problem that I have: Giving administrator rights to the local machine after the work station joins the domain of the Windows 2003 Server.

Why is that a problem? You don't want to do it, really. But if you do want to, it's not hard to do.

> I have tried a number of ways, and something always seems to go wrong.
>
> There are two parts to this question. The first part is, if I build one machine to spec, join the domain,

No - don't join the domain first. Image first. Then join the domain (using the SBS wizards!)

> and then image the drive to another (identical) computer, what do I have to change on the second machine to enable it to log into the network? The machine name? Or, do I have to go through the same routine to join the domain?

You have to change the SID (most cloning software gives you the option to do that). Then join the domain.

> The second part of the question is, after a machine joins the domain using the Administrator account, how do I give any authenticated users administrator rights on the local machine?

You really shouldn't be doing that, actually.

> Do I add "Domain Users" or "Authenticated Users" to the local machine Administrators group?

You can, but I'd use a custom AD group and a startup script (I don't really like Restricted Groups much). I tend to set up AD groups called LocalAdmin, LocalPowerUser, to make this easier. You can also create one for Remote Desktop access, too - (SBS has this built in).

The batch file would have this:

.........

rem Group names that contain spaces must be quoted
net localgroup administrators DOMAIN\localadmin /add
net localgroup "power users" DOMAIN\localpoweruser /add
net localgroup "remote desktop users" "DOMAIN\Web Workplace Users" /add

.........

 

When I set up a new user, I often find I need to add their domain account to LocalAdmin before I log in as them the first time to customize their profile/install any sw that must be installed by the user him/herself ...then remove them from the domain LocalAdmin group on the domain when done.

You can create/link a new GPO at the appropriate OU where your computers live (if you haven't created custom ones, you'll need to - unless you're using SBS, which creates its own hierarchy).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts (startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when they restart, and you can now control all this at the server.

THAT SAID - it's not good practice to let users have local admin rights - so if you have software that won't behave properly without admin rights, try to correct it. First, I'd holler at the software developer, because this is sloppy code, but then you can try downloading Process Explorer from Microsoft (a sysinternals utility) to see what the app is trying to do. You can then modify permissions in the file system/registry appropriately, to let ordinary users have the access the software needs.

> This part is the one that I always have problems with. As you can tell, I am not a server guy. If you would give me a detailed procedure to give the local machine administrator rights (even though some people don't think it's a good idea),

Anyone who manages networks should think it's a bad idea!

> I would be most grateful.
>
> It's been a while since I added a computer, but here is what I did:
>
> 1. Log into the work station as an administrator of the local machine.
> 2. Click on "Network ID" or "Change..." to join the domain. (Which one should I use? What's the difference between the two methods?)

Don't use either. If you're using SBS, you really need to use the wizards. Go to Server Management on the SBS box, Computers, and add your client computers there - then join the domain using http://servername/connectcomputer.

> 3. After joining the domain, Run "control userpasswords2", Advanced, Advanced, Groups, Administrators, Add... and then add Domain Users. (Sometimes "Domain Users" verifies, sometimes it doesn't.)
> 4. Okay all the way out.
> 5. Log out as Administrator and log in with a server user account.
>
> Thanks.

Local admin rights & machine imaging don't really have much to do with each other, note.
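
An added example, not part of the post above and not the poster's own script: a version of the startup batch file that can run at every boot without errors, logs what it changed, and records a warning if "Domain Users", "Authenticated Users" or "Everyone" has ended up in the local Administrators group. DOMAIN, LocalAdmin and LocalPowerUser are the placeholder names from the post; the log path is an assumption.

```batch
@echo off
rem Added example: idempotent GPO startup script (runs as LocalSystem at boot).
rem DOMAIN, LocalAdmin and LocalPowerUser are placeholders taken from the post.
rem The log location below is an assumption; change it to suit.
setlocal

set "DOM=DOMAIN"
set "LOG=%SystemRoot%\Temp\localgroups.log"

rem Nest one narrowly scoped domain group in each local group.
call :ensure "Administrators" "%DOM%\LocalAdmin"
call :ensure "Power Users" "%DOM%\LocalPowerUser"

rem Audit: these principals make every domain account a local administrator.
rem The script only records the finding; removal is left to a person.
for %%P in ("Domain Users" "Authenticated Users" "Everyone") do (
    net localgroup Administrators | findstr /i /c:%%P >nul && (
        echo %DATE% %TIME% WARNING: %%~P is in Administrators on %COMPUTERNAME% >>"%LOG%"
    )
)

endlocal
exit /b 0

:ensure
rem %~1 = local group name, %~2 = domain group to add to it.
rem Skip the add when a member line already starts with the group name,
rem so repeated boots do not log "already a member" failures.
net localgroup "%~1" | findstr /i /b /c:"%~2" >nul
if not errorlevel 1 exit /b 0

net localgroup "%~1" "%~2" /add >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% FAILED to add %~2 to %~1 on %COMPUTERNAME% >>"%LOG%"
) else (
    echo %DATE% %TIME% added %~2 to %~1 on %COMPUTERNAME% >>"%LOG%"
)
exit /b 0
```

A FAILED entry usually means the domain group does not exist yet or the machine could not reach a domain controller at boot.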

Guest mcp6453
Posted

Re: Installing New Work Stations

 


LW, there is no doubt in my mind that the procedures you are recommending are the best practices to follow. Your reputation precedes you. However, much of what you suggest is way over my head, and I am not willing to take an in depth course on Windows Server to volunteer for this non-profit organization. Most of what I do for them is work station maintenance, at which I am close to being a pro. However, the server issues do arise, and I do the best I can with what I know.

The server is not SBS, it's Windows Server 2003. The workstations are identical hardware. I don't know what SID is, but I will learn.

I've printed your post and will spend some time plodding through it. Thanks for taking the time. Hopefully with your recommendations I can find out what I'm missing along the way.

Guest Lanwench [MVP - Exchange]
Posted

Re: Installing New Work Stations

 

mcp6453 <mcp6453@gmail.com> wrote:

> LW, there is no doubt in my mind that the procedures you are recommending are the best practices to follow. Your reputation precedes you.

<blush> I thought they said it would STAY in Vegas!

> However, much of what you suggest is way over my head, and I am not willing to take an in depth course on Windows Server to volunteer for this non-profit organization. Most of what I do for them is work station maintenance, at which I am close to being a pro. However, the server issues do arise, and I do the best I can with what I know.
>
> The server is not SBS, it's Windows Server 2003.

Sorry, I subscribe to a lot of newsgroups and forgot where I was. Forget the setup wizard junk I mentioned.

That said, for an office such as this, SBS would've been a very good fit - it's a lot easier to manage if you don't have a lot of experience (and is a lot cheaper considering what it includes). Check techsoup.org.

> The workstations are identical hardware. I don't know what SID is, but I will learn.

Security identifier. Every object in AD has one - and they're all unique. You don't want to join the domain until you know the machine has a unique SID. It's not a big deal to change it.

> I've printed your post and will spend some time plodding through it. Thanks for taking the time. Hopefully with your recommendations I can find out what I'm missing along the way.

No prob - hope it gets you started. Post back if you need more help.

Guest Dusko Savatovic
Posted

Re: Installing New Work Stations

 

Hi mcp6453,

Just download newsid.exe from http://www.sysinternals.com (it is a Microsoft web site now) and run it after you apply the image to a new workstation. Then join it to the domain.

Dush

