Computing.Net > Forums > Windows 2000 > Domain logon issues


Domain logon issues


Name: Lyle Stramer
Date: May 28, 2002 at 17:55:01 Pacific
Comment:

At work we have a small client-server LAN with a single Windows NT 4.0 domain. We have about 20 clients, and most of them are running Windows 98. I have been appointed with the task of upgrading 2 workstations to Windows 2000 professional for testing reasons. Everything has gone smoothly with the upgrades except that I am having domain logon issues.

I am unable to log onto the domain with any existing user accounts, but if I go to the NT 4.0 Domain Controller and create NEW user accounts, I can log on just fine. What's the deal?

I have another problem. If I successfully log on to the domain with one of the new user accounts, I can't install programs because I lack local administrative rights. If I log on locally as the administrator, I have the power to install anything I want, but then I lose access to all of the Domain resources (printers, network shares).
My question is: How can I be logged onto the domain, yet at the same time have administrative rights to install programs on the client?

I am missing something here. Any help is appreciated!




Response Number 1
Name: Jennifer
Date: May 28, 2002 at 18:09:55 Pacific
Reply:

Domain users by default don't have any type of Administrative privileges. That's the whole point. :)

Log on to the machine with your Domain Administrator account, and you'll have access to all the Domain resources and be able to install software.

Users logging into the domain will have access to any network resources allowable...printers, shares, etc.

I recommend you also upgrade ALL of your workstations to 2000. The security of a Domain is only as secure as its LEAST secure OS, which in your case, is 98.



Response Number 2
Name: Glen
Date: May 28, 2002 at 18:45:58 Pacific
Reply:

Wow!! Log on as Domain Admin to install software!! That is the LAST thing you want to do. If you follow that advice, and the software you are installing has some hidden code to wipe out all the user accounts, the domain admin account will allow it and you'll be - well, you won't be happy.

Lyle. The problem you are having is that the domain account does not have administrative permissions to the local PC. What you would need to do to correct that is add the domain account to the local Administrators group. Right-click on My Computer | Manage | Local Users and Groups and select the Administrators group. Click ADD and in the Look In section, select the domain and add the desired account. This will make that domain user a local administrator and meet the condition you request of being logged into the domain yet still having admin rights on the PC. Whether or not you want users to be local administrators is your call but again, I would most certainly be sure this domain user is NOT a domain administrator. It is one of the most dangerous things you can do.

Hope that helps.


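The same change Glen describes through Computer Management can be scripted from a command prompt on the Windows 2000 workstation. This is an added example, not something posted in the thread; CORP and jdoe are placeholder names for the domain and the account, and the script must itself be run by a local administrator of that PC.

```batch
@echo off
REM Added example (not from the thread): grant ONE domain account administrative
REM rights on THIS workstation only, by adding it to the machine's local
REM Administrators group. The account stays an ordinary Domain User; it is not
REM made a Domain Admin. CORP and jdoe are placeholders.
set DOMAIN=CORP
set USERNAME_TO_ADD=jdoe

REM Add the domain account to the local group (this is the PC's group, not a
REM group on the domain controller, so Domain Admin rights are not needed).
net localgroup Administrators %DOMAIN%\%USERNAME_TO_ADD% /add
if errorlevel 1 (
    echo Could not add %DOMAIN%\%USERNAME_TO_ADD%. Are you logged on as a local administrator?
    goto :EOF
)

REM Verify: list the members of the local Administrators group and look for
REM the account literally (/l) and case-insensitively (/i).
net localgroup Administrators | findstr /i /l /c:"%DOMAIN%\%USERNAME_TO_ADD%" >nul
if errorlevel 1 (
    echo %DOMAIN%\%USERNAME_TO_ADD% is NOT listed in local Administrators; check the output above.
    goto :EOF
)
echo %DOMAIN%\%USERNAME_TO_ADD% is now a member of the local Administrators group on this PC.

REM To revoke the right later (for example once the software is installed):
REM   net localgroup Administrators %DOMAIN%\%USERNAME_TO_ADD% /delete
```

The account takes effect at the next logon, so the user has to log off and back on before the installer will see the new group membership. Keeping the /delete line handy is the easy way to follow the thread's advice of giving only as much access as the job needs, and for only as long as it is needed.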

Response Number 3
Name: Jennifer
Date: May 28, 2002 at 19:24:57 Pacific
Reply:

Glen, I'm sure Lyle IS the Domain Administrator. Domain Admins have those privileges necessary to do whatever needs to be done on a Domain machine. Domain Users DON'T. Why add an account to the Local Admin Group when you can use your DA or Master account to install the software? I'm not sure what you think is so dangerous.

Adding a Domain User to the Local Admin group requires proper privileges BOTH on the local machine and the Domain. Doing it your way, he'd have to login locally with an Administrator account, then authenticate to the Domain using his DA account, THEN add the necessary account to the Local Admin Group.

Why go through all that? If he just wants to install software, then use the DA or Master account. That way, no Domain User account has Local Admin on the machine. Much simpler.

If there's an issue with certain privileges needed to run software, then adjustments can be made to file permissions and registry keys, but Lyle didn't mention that as an issue.




Response Number 4
Name: Curt R
Date: May 28, 2002 at 19:25:35 Pacific
Reply:

You confuse me Glen! You make sense about adding to the local admin group ... that's what I do ... only, I add the Domain Administrators Group to the local Administrators Group on the local PC. I don't personally see any point in giving any user (as in, non admin) any access of any kind other than what they need to do their work. I don't want users installing software either, because if you let them, they'll be installing games and winamp and downloading mp3's when they should be working. Installing software is a network admin job, ergo, they are the only ones that should be allowed such access.

As to your first reference about installing software that "has some hidden code to wipe out all the user accounts"...this makes little or no sense either. Stick to known good software from known good vendors and you won't have to worry about that kind of situation arising. Unless you're referring to programs like Exchange which can make changes to the Schema...but that's a horse of a different color and requires Schema Admin access...



Response Number 5
Name: Glen
Date: May 28, 2002 at 20:31:07 Pacific
Reply:

Jennifer, if the computer is already configured to join the domain as he says it is, and he logs in as local administrator, he will not have to authenticate the Domain Admin account. True, he will get prompted for a username and password to get the list of users, but he will have that info.

Look at any security guidelines/checklist and what you will see is that you do not install software or run applications, or any day to day functions, as a domain admin. I'm a bit surprised I'd even have to explain this to you but I'll try. It is dangerous because this account has permissions that will allow access to all areas of the domain. Any Trojan Horse software for example would have complete rein over the domain and all users' PCs. This is way more power than is needed to simply install an application on a PC. The best scenario is to have a domain account that has administrative access to the PC, so we can install the software, but at the same time does NOT have access to the entire domain and AD, so that it is protected. You simply do not need the amount of power that a domain admin account has just to install software. Your way may be 'simpler' as you say but it is inherently a bad idea. This is one of the reasons the secondary logon feature (runas command) was incorporated into W2K. This allows a standard, non-admin account to perform day to day tasks, then use the runas command to perform administrative tasks without needing to log off and on.

Curt, you don't need to add Domain Admins to the local Administrator account because it is done as part of joining the domain. I am not necessarily saying all users should be admins of their own PCs. You'll notice in my original post, I made that distinction. I completely agree that the vast majority of users need the minimum amount of permissions required to do their jobs. I also agree that what you will end up with is the Winamps, Webshots, etc. etc. that you mention that will simply cause problems. I was simply answering Lyle's original post. Also, sticking to known software is a great idea in theory but not always adhered to. VBS scripts, email attachments, downloading from the net, all pose the risk of malicious code, thus bringing up my point of the dangers of using the Domain Admin account.

Here is one of several security sites you could visit...

http://www.labmice.net/articles/securingwin2000.htm

Take a look at the 4th suggestion -

-or-

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_runas.htm



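Glen's point about the Windows 2000 secondary logon can be shown concretely: stay logged on as an ordinary domain user and hand only the installer to a separate account that is a local administrator of the PC (and nothing more). This is an added example, not code from the thread; CORP\pcadmin and C:\installers\app.msi are placeholders, and the script assumes the Secondary Logon service (seclogon) is installed, as it is on Windows 2000 by default.

```batch
@echo off
REM Added example (not from the thread): run an installer under a dedicated
REM administrative account while the interactive session stays a plain domain
REM user. CORP\pcadmin is a placeholder for an account that is in THIS PC's
REM local Administrators group but NOT in Domain Admins; the .msi path is a
REM placeholder too.

REM runas depends on the Secondary Logon service. Start it if it is stopped;
REM the error "already been started" is harmless, so output is discarded.
net start seclogon >nul 2>&1

REM Launch only the installer with the elevated account. runas always prompts
REM for the password on the console; it cannot be supplied on the command line,
REM so it never ends up in a script, a batch history or a scheduled task.
runas /user:CORP\pcadmin "msiexec /i C:\installers\app.msi"
if errorlevel 1 (
    echo runas failed. Check the account name, the password, and that seclogon is running.
    goto :EOF
)

REM When several admin tasks are needed in a row, open one admin shell instead
REM of repeating runas for each command (and close it as soon as you are done):
REM   runas /user:CORP\pcadmin cmd
```

The account named after /user: only needs local Administrators membership on the workstation, which matches Glen's recommendation: if the installer or anything it drops misbehaves, the damage is bounded to that one PC rather than to every account and share in the domain.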
