Hello all,

I have an XP machine which I successfully joined to a Win2003 Server Domain. FYI, I did not define a local profile for any user (other than the pre-existing administrator acct) on that XP client machine.

When a user logs into the domain at this client pc, they are not permitted to run things like Windows Update, nor can they work with the c:\windows\temp folder.

How can I delegate authority to a user so they have local "admin" rights (to the client machine only) after logging into the domain server? I am trying to avoid having two separate profiles; one on the local machine for local access .. and one on the domain server for domain access.

Thank you in advance for your time.

You can make their domain account and administrator of that machine by placing the domain account in the local administrators group on that pc.

Go into the Local Users and Groups on that machine, go to the Administrators group and add the domain account.

Good luck.

Glen

Otherwise you can create a group on the server such as workstationadmin and then on all new workstations put this group in the local administrators group. This means you can administer from the server without having to connect to the workstation or add multiple people to each computer.

Thank you. I also thought that, but I am having this issue.

On the client XP, I go to Computer Management, then to Local Users and Groups, then Groups. Double-click on Administrators and click Add. I can only see the local computer in the Locations selection; it does not allow me to specify the domain user.

As I mentioned, the user profile is ONLY defined on the domain server at this time.

Thanks and looking forward to your follow-up.

Craig, thanks for your idea.

Please elaborate on the "workstationadmin" group. What users would be in that group?

There are basically two types of users that I envision logging into our domain server: The first type should be allowed admin control over their client pc, while the other type will have limited abilities over their client pc.

Again, my goal (if possible) is to avoid having two separate login profiles; one for the domain server and another for local pc (with admin priviledges) access.

Thanks!

You need to clarify your terms since I believe you are using the 'profile' term incorrectly. You don't "specify a users profile on the domain server'. You create a user account on the domain. There are two types of user accounts. Local accounts and domain accounts. And, you don't log into the domain server, you log into the domain. You can only log into the domain with a domain account.

Now then - when a pc is added to the domain, the group called Domain Admins is automatically added to the local Administrators group of that pc. That means that anyone who is in the Domain Admins group is also an administrator of every pc in the domain.

If you want a specific user, for example the users of his own pc, to also be an administrator of that same pc, you could add the users domain account to the local Administrators group also. (I'll address your difficulty in adding that in a bit.) If you want a handful of people to be administrators of all pcs but not be Domain Admins, then you can use Craigs idea. Create another domain group called WorkstationAdmins and put those specified users in that group. Then when you add a pc to the domain, you also add that group, WorkstationAdmins, to the local Administrators group of that pc.

You say you can't add domain users to the local Administrators group. Is this pc configured to join the domain? If not, you can't add a domain account to it's local groups. Once you configure the pc to join the domain, the default location for that it will look to when adding users to local groups will be the domain.

Hope that helps. Write back if you have any more questions.

Glen

Hello, Glen. Yes, sorry for the incorrect terminology. I am obviously in a learning stage. Thanks for the clarification, as I have a better understanding now.

Per the issue at hand, the computer WAS configured for the domain (under My Computer, Computer Name tab). Strangely, today the Select Users or Groups window DOES show the domain now. The From This Location reads "ourdomain.local" However, when I enter the person's account F.LLLLL (first.lastname) and click Check Names, it says "Windows cannot process the object with the name XXXXX because of the following error: The specified domain either does not exist or could not be contacted". Bizarre as it is, the XXXXX -IS- indeed the user's full name! So, it must have contacted the domain. Moreover, if I click the Locations button, I do see "ourdomain.local" under the Entire Directory heirarchy.

What next?! Thanks for your direction.

UPDATE!

I logged into the client PC as administrator and chose the domain (versus logging into the local machine).

On the client PC, I went to System Props and, this time, clicked the Network ID button to launch the wizard. As it walked me through the steps, I was prompted for an account that had priveledges (even though I was already logged in as the Administrator of the domain), so I re-entered the admin's login info and continued. It told me that the client pc was not part of the domain (even though it is configured on the domain).

Finally, I arrived at a prompt labeled "User Account" stating "Adding a user to this computer grants the user access to all the resources on this computer and to all shared resources on the network." Choices were "add the following user" and "do not add user at this time". I chose "Add user" and entered the user's account info and the domain name. It then prompted me for the user's Access Level.

So, this looks like what I wanted, but could not do manually. I will follow up once this completes and is working without incidence...

Follow-up: I confirmed that the domain account was added to "Power Users" group on the client pc as "ourdomain\f.lllll"

This access level, however, cannot run Windows Update. Any ideas on how to get around this? I don't prefer the user to have admin-level clearance to the client machine, if possible.

Thank you.

Quite the ordeal here. You may want to add this computer to a Workgroup, thus taking it off the domain, then add it back to the domain to clean things up.

But, if that is working, you'll need to add the domain account to the Administrators group, just like you did to the Power Users group. Power Users is powerful but still not an Admin. Try that and it should work.

Then again, with your luck - maybe not. ;)

Actually, in the interim of receiving your recent reply, I chose "Adminstrator" when it prompted me for the user's Access Level.

The only thing that worries me is the wording on the Access Level selection window/step. In the list of choices, Power Users clearly refers to the local machine only. However, the Administrator choice is worded in such a way that I am concerned the user would have Admin priveledges in the Domain .. when I only want the person to be the Admin of their own pc.

What's your take on that? Again, it's merely the wording that is eluding.

Thanks!

There is no need to worry about your local user having admin rights. If you are looking for an alternative to adding a local user check out this article:

http://www.mcpmag.com/columns/article.asp?EditorialsID=614

I haven't really been able to get it to work consistently but maybe you'll have better luck.