Jump to content

Installing Software and Permissions

Guest lozza

By Guest lozza
in Windows NT Server

 Share

Recommended Posts

Guest lozza

Guest lozza

Posted
Posted

Hey Guys,

 

Looking for some pointers by the more experienced. I would like to allow

certain users the ability to administer a TS Server and also install software

etc etc on my TS Server. Now, the good way to do this, I believe is by

grouping all these users into a AD Global Security Group and then adding that

security group to the Local Administrators group. Then anytime someone new

needs to be added as an administrator, simply add them to that very Global

Security group and they'll have TS admin permissions... So here is what I

have done:

 

1) Creating an AD group called TS_Admins - Populated with Users

2) Created an AD group called TS_Users - Populated with Users

3) Added TS_Admins to TS_Users (this has been done so I can treat the

TS_Users group as all possible TS users and security filter GPOs to them if

required)

4) Added TS_Users to the Local group on the TS Server - Remote Desktop Users

5) Added TS_Admins to the Local group on the TS Server - Administrators

6) All in all the Local Administrators Group on the TS Server is now

populated with Administrator, Domain Admins and TS_Admins

 

So far so good... I hope.

 

So here is the issue.... I log into the TS Server as a User (user1) who is a

member of the TS_Admins group and try and install a piece of software.... Put

the server in Install mode and During installation an error message is

received saying this User does not have admin rights!!!... confused.

 

So here is what I have noticed.

- If I log on as myself (member of Domain Admins group) it installs.

Implying the nested group structure and permissions are working (?)

- To troubleshoot whether the user1 really is an admin on the TS Server, I

have added more users to the Local Administrators group using the user1

account. This applies fine... Is there any other tests I can do to ensure

this user is being treated as an administrator?

- If I put user1 in directly under the Local administrators group (so trying

to avoid the nested group structure) - it installs fine under the user1

account.

 

My questions would be.. is this a quirky TS issue? and what can I do to

troubleshoot this further? Are my group structures wrong?

 

I'd to be able to grant admin rights to my users via the TS_Admins AD

Group... If any other info is required, please feel free to ask...

 

Help appreciated

Lozza....

  • Replies 3
  • Created
  • Last Reply

Popular Days

Popular Days

Guest lozza

Guest lozza

Posted
Posted

RE: Installing Software and Permissions

 

a small update that may help as well... the user user1 is also a member of

Domain Admins... but this will eventually be locked down. But again, the

software would refuse to install for user1 until user1 was added directly to

the TS Servers Local Admins group

 

 

"lozza" wrote:

> Hey Guys,

>

> Looking for some pointers by the more experienced. I would like to allow

> certain users the ability to administer a TS Server and also install software

> etc etc on my TS Server. Now, the good way to do this, I believe is by

> grouping all these users into a AD Global Security Group and then adding that

> security group to the Local Administrators group. Then anytime someone new

> needs to be added as an administrator, simply add them to that very Global

> Security group and they'll have TS admin permissions... So here is what I

> have done:

>

> 1) Creating an AD group called TS_Admins - Populated with Users

> 2) Created an AD group called TS_Users - Populated with Users

> 3) Added TS_Admins to TS_Users (this has been done so I can treat the

> TS_Users group as all possible TS users and security filter GPOs to them if

> required)

> 4) Added TS_Users to the Local group on the TS Server - Remote Desktop Users

> 5) Added TS_Admins to the Local group on the TS Server - Administrators

> 6) All in all the Local Administrators Group on the TS Server is now

> populated with Administrator, Domain Admins and TS_Admins

>

> So far so good... I hope.

>

> So here is the issue.... I log into the TS Server as a User (user1) who is a

> member of the TS_Admins group and try and install a piece of software.... Put

> the server in Install mode and During installation an error message is

> received saying this User does not have admin rights!!!... confused.

>

> So here is what I have noticed.

> - If I log on as myself (member of Domain Admins group) it installs.

> Implying the nested group structure and permissions are working (?)

> - To troubleshoot whether the user1 really is an admin on the TS Server, I

> have added more users to the Local Administrators group using the user1

> account. This applies fine... Is there any other tests I can do to ensure

> this user is being treated as an administrator?

> - If I put user1 in directly under the Local administrators group (so trying

> to avoid the nested group structure) - it installs fine under the user1

> account.

>

> My questions would be.. is this a quirky TS issue? and what can I do to

> troubleshoot this further? Are my group structures wrong?

>

> I'd to be able to grant admin rights to my users via the TS_Admins AD

> Group... If any other info is required, please feel free to ask...

>

> Help appreciated

> Lozza....

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

RE: Installing Software and Permissions

 

Sounds to me that you did everything correct.

I assume that the user logged of and on again after you made

changes to the group membership?

You can type "whoami /groups" in a Terminal Server session to see

the group membership list of a user.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 15

apr 2008 in microsoft.public.windows.terminal_services:

> a small update that may help as well... the user user1 is also a

> member of Domain Admins... but this will eventually be locked

> down. But again, the software would refuse to install for user1

> until user1 was added directly to the TS Servers Local Admins

> group

>

>

> "lozza" wrote:

>

>> Hey Guys,

>>

>> Looking for some pointers by the more experienced. I would like

>> to allow certain users the ability to administer a TS Server

>> and also install software etc etc on my TS Server. Now, the

>> good way to do this, I believe is by grouping all these users

>> into a AD Global Security Group and then adding that security

>> group to the Local Administrators group. Then anytime someone

>> new needs to be added as an administrator, simply add them to

>> that very Global Security group and they'll have TS admin

>> permissions... So here is what I have done:

>>

>> 1) Creating an AD group called TS_Admins - Populated with Users

>> 2) Created an AD group called TS_Users - Populated with Users

>> 3) Added TS_Admins to TS_Users (this has been done so I can

>> treat the TS_Users group as all possible TS users and security

>> filter GPOs to them if required)

>> 4) Added TS_Users to the Local group on the TS Server - Remote

>> Desktop Users 5) Added TS_Admins to the Local group on the TS

>> Server - Administrators 6) All in all the Local Administrators

>> Group on the TS Server is now populated with Administrator,

>> Domain Admins and TS_Admins

>>

>> So far so good... I hope.

>>

>> So here is the issue.... I log into the TS Server as a User

>> (user1) who is a member of the TS_Admins group and try and

>> install a piece of software.... Put the server in Install mode

>> and During installation an error message is received saying

>> this User does not have admin rights!!!... confused.

>>

>> So here is what I have noticed.

>> - If I log on as myself (member of Domain Admins group) it

>> installs. Implying the nested group structure and permissions

>> are working (?) - To troubleshoot whether the user1 really is

>> an admin on the TS Server, I have added more users to the Local

>> Administrators group using the user1 account. This applies

>> fine... Is there any other tests I can do to ensure this user

>> is being treated as an administrator? - If I put user1 in

>> directly under the Local administrators group (so trying to

>> avoid the nested group structure) - it installs fine under the

>> user1 account.

>>

>> My questions would be.. is this a quirky TS issue? and what can

>> I do to troubleshoot this further? Are my group structures

>> wrong?

>>

>> I'd to be able to grant admin rights to my users via the

>> TS_Admins AD Group... If any other info is required, please

>> feel free to ask...

>>

>> Help appreciated

>> Lozza....

Guest lozza

Guest lozza

Posted
Posted

RE: Installing Software and Permissions

 

Vera, thank you for the response... and the command line (will be very

useful), I will check this out tommorow and post back... Hopefully with some

successful news.

 

FYI, I did log the user off and back on after adding to the TS_Admin group.

I even rebooted the TS Server. Still, just confusing how as soon as the user

is added directly to the local admins group the install of the application

doesn't complain.

 

Anyhow...lets see what tommorow brings :)

 

Lozza

 

"Vera Noest [MVP]" wrote:

> Sounds to me that you did everything correct.

> I assume that the user logged of and on again after you made

> changes to the group membership?

> You can type "whoami /groups" in a Terminal Server session to see

> the group membership list of a user.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 15

> apr 2008 in microsoft.public.windows.terminal_services:

>

> > a small update that may help as well... the user user1 is also a

> > member of Domain Admins... but this will eventually be locked

> > down. But again, the software would refuse to install for user1

> > until user1 was added directly to the TS Servers Local Admins

> > group

> >

> >

> > "lozza" wrote:

> >

> >> Hey Guys,

> >>

> >> Looking for some pointers by the more experienced. I would like

> >> to allow certain users the ability to administer a TS Server

> >> and also install software etc etc on my TS Server. Now, the

> >> good way to do this, I believe is by grouping all these users

> >> into a AD Global Security Group and then adding that security

> >> group to the Local Administrators group. Then anytime someone

> >> new needs to be added as an administrator, simply add them to

> >> that very Global Security group and they'll have TS admin

> >> permissions... So here is what I have done:

> >>

> >> 1) Creating an AD group called TS_Admins - Populated with Users

> >> 2) Created an AD group called TS_Users - Populated with Users

> >> 3) Added TS_Admins to TS_Users (this has been done so I can

> >> treat the TS_Users group as all possible TS users and security

> >> filter GPOs to them if required)

> >> 4) Added TS_Users to the Local group on the TS Server - Remote

> >> Desktop Users 5) Added TS_Admins to the Local group on the TS

> >> Server - Administrators 6) All in all the Local Administrators

> >> Group on the TS Server is now populated with Administrator,

> >> Domain Admins and TS_Admins

> >>

> >> So far so good... I hope.

> >>

> >> So here is the issue.... I log into the TS Server as a User

> >> (user1) who is a member of the TS_Admins group and try and

> >> install a piece of software.... Put the server in Install mode

> >> and During installation an error message is received saying

> >> this User does not have admin rights!!!... confused.

> >>

> >> So here is what I have noticed.

> >> - If I log on as myself (member of Domain Admins group) it

> >> installs. Implying the nested group structure and permissions

> >> are working (?) - To troubleshoot whether the user1 really is

> >> an admin on the TS Server, I have added more users to the Local

> >> Administrators group using the user1 account. This applies

> >> fine... Is there any other tests I can do to ensure this user

> >> is being treated as an administrator? - If I put user1 in

> >> directly under the Local administrators group (so trying to

> >> avoid the nested group structure) - it installs fine under the

> >> user1 account.

> >>

> >> My questions would be.. is this a quirky TS issue? and what can

> >> I do to troubleshoot this further? Are my group structures

> >> wrong?

> >>

> >> I'd to be able to grant admin rights to my users via the

> >> TS_Admins AD Group... If any other info is required, please

> >> feel free to ask...

> >>

> >> Help appreciated

> >> Lozza....

>

 Share
Go to topic listing
×
×
  • Create New...