Help needed setting up roaming administrator
I hope someone can help me. I'm having a hard time setting up a roaming profile for a user with Administrative privileges. I have no trouble setting up roaming profiles in general, but for some reason they lose their Admin privileges after I set them up as a roaming profile.
I'm running W2K Pro & Server, w/SP4. I create a local user (i.e., JOE_ADMIN) on a W2k Pro machine and make the account a member of the Admins group. I log in as JOE_ADMIN to create a local profile, then log out. I've verified that JOE_ADMIN has admin privileges on the local machine.
In ADUC, I create a user and configure the user properties to save the roaming profile in a shared PROFILES subdirectory, e.g., \\SRV_NAME\PROFILES\JOE_ADMIN. I make JOE a member of the Administrators group.
Then, back at the workstation, I log in as Administrator and use the (System Properties->User Profiles) COPY TO command to copy JOE_ADMIN's local profile from the workstation up to \\SRV_NAME\PROFILES\JOE_ADMIN. I configure "Permitted to use" so DOMAIN\JOE_ADMIN can access the profile. Then I log off as Administrator on the workstation.
When I log in as JOE_ADMIN@DOMAIN at the workstation, JOE's profile gets downloaded successfully. I can make changes to JOE's desktop and they get saved in the roaming profile. If I log into another workstation, the desktop changes are still there. However, JOE is no longer a member of the local Admins group, even on the original machine I used to set up the local profile, before promoting it to being a roaming profile.
Am I missing something, or is there some trick to assigning local Admin privileges to a user with a roaming profile? There are some programs I want to run on the local machine that require local admin privileges, and I'd like to run them even though I'm logged in as a roaming user. I've run into problems using RUN AS that are a subject for another day.
I'd appreciate any advice.
Thanks,
- Steve
|
Paul Adare - MVP - Microsoft Virtual PC
In article <8nnsi09g91d0qit7uh89uni7k38mgp8hm8@4ax.com>, in the microsoft.public.win2000.security news group, Steve Hull says...
> Am I missing something, or is there some trick to assigning local
> Admin privileges to a user with a roaming profile? There are some
> programs I want to run on the local machine that require local admin
> privileges, and I'd like to run them even though I'm logged in as a
> roaming user. I've run into problems using RUN AS that are a subject
> for another day.
You're totally misunderstanding the subject. You've never made the domain\joe_admin account a member of the local administrators group. Simply assigning the domain\joe_admin account a profile that has been used by a local admin does not make that account a local admin on the box.
--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no rights.
|
OK, I'm confused. I get your point that LOCAL\JOE is not the same user as DOMAIN\JOE, but how do I make DOMAIN\JOE a local admin? When I'm logged in as DOMAIN\JOE, I can't access any of the local user accounts. On the other hand, if I'm logged in as a local admin, I can't access any of the DOMAIN user accounts. If I can't access DOMAIN\JOE from a local admin's account, I don't know how I can make him a member of a local group.
Thanks,
- Steve
On Thu, 26 Aug 2004 18:25:06 -0400, Paul Adare - MVP - Microsoft Virtual PC wrote:
|
Paul Adare - MVP - Microsoft Virtual PC
In article , in the microsoft.public.win2000.security news group, Steve Hull says...
> OK, I'm confused. I get your point that LOCAL\JOE is not the same
> user as DOMAIN\JOE, but how do I make DOMAIN\JOE a local admin? When
> I'm logged in as DOMAIN\JOE, I can't access any of the local user
> accounts. On the other hand, if I'm logged in as a local admin, I
> can't access any of the DOMAIN user accounts. If I can't access
> DOMAIN\JOE from a local admin's account, I don't know how I can make
> him a member of a local group.
Log on as the local admin. Try to add domain\joe_admin to the local administrators group. You'll be prompted for credentials that have permissions to read the AD accounts. Provide the domain\joe_admin credentials when prompted and add the account to the local administrators account.
--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no rights.
|
Thanks, Paul. I was able to get DOMAIN\JOE added to the local Administrators on one workstation. And, DOMAIN\JOE is set up to use a roaming profile. This leads to another question. I really don't want to walk around to each workstation and manually add DOMAIN\JOE to the local admins group. Is there any way to automate this (e.g., GPO, Script, etc.)??
Thanks again,
- Steve
On Thu, 26 Aug 2004 20:11:30 -0400, Paul Adare - MVP - Microsoft Virtual PC wrote:
|
Paul Adare - MVP - Microsoft Virtual PC
In article , in the microsoft.public.win2000.security news group, Steve Hull says...
> This leads to another question. I really don't want to walk around to
> each workstation and manually add DOMAIN\JOE to the local admins
> group. Is there any way to automate this (e.g., GPO, Script, etc.)??
You can do this with the Restricted Groups option in Group Policy. You really should read up on the feature (in help, and on the Microsoft web site) before doing this however. You need to make sure that you set the policy at the right place (for example, if you do this at the domain level, you're going to wind up adding the account to the Administrators group on your Domain Controllers as well as the workstations, which you might not want to do). You also want to make sure that you keep the default users and groups in the local Administrators group.
--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no rights.
|
As Paul mentions, Restricted Groups is one option, but it probably will remove existing members of the local administrators group from computers on the container where it is implemented. Another option is a "startup" script implemented via Group Policy to computers within the scope of influence of the policy such as the Organizational Unit level. You can use the net localgroup command. Use net help localgroup for more information at the command prompt. For instance, to add domain user Bubba to the Local Administrators group use [ net localgroup administrators mydomain\Bubba /add ]. The command line tool cusrmgr can also do the same with a batch file.
--- Steve
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322241 --- Group Policy scripts and how to configure
"Paul Adare - MVP - Microsoft Virtual PC" wrote in message news:MPG.1b98bc09e8ded3d0989a36@msnews.microsoft.com...
|
Thanks, Steve (and Paul). I tried the Restricted Groups approach: created a security group called "Roaming Local Admins" and added several user accounts. I also created an OU and put the computers in it that I want to use my Roaming Local Admins group. Then I added a GPO to the OU and created an entry in Restricted Groups for the "Roaming Local Admins" security group. However, in looking at all the options available in the GPO, I don't see how to make the Roaming Local Admins group a member of the local Administrators group on the computers in my OU. Although there are many options that let me assign most of the functionality of a local admin to my Restricted Group, I don't see any option that lets me add members to a computer's local Administrators group. Next, I set up a startup script with the "net localgroup administrators mydomain\Roaming Local Admins /add" command. (Actually, I had to put quotes around the domain name\group name.) That did the trick! Thanks to both of you. I learned a lot.
- Steve
On Fri, 27 Aug 2004 15:13:56 GMT, "Steven L Umbach" wrote:
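The startup-script approach Steven describes, written out as a complete computer startup script that also covers the quoting Steve needed for a group name containing spaces. This is an added example, not a script from the thread; MYDOMAIN and the log path are placeholders, and the group name "Roaming Local Admins" is the one from the thread.

```batch
@echo off
rem Computer startup script (constructed example, not from this thread).
rem Ensures a domain group is a member of the local Administrators group
rem and logs what it did, so the boot-time change is at least auditable.
rem MYDOMAIN and the log path are placeholders. The group name contains
rem spaces, so it must be quoted on the net localgroup command line.
setlocal
set "GRP=MYDOMAIN\Roaming Local Admins"
set "LOG=%SystemRoot%\Temp\localadmin-startup.log"

rem Only add when the group is not already present, so the log records
rem real changes rather than a line on every boot.
net localgroup Administrators | find /i "Roaming Local Admins" >nul
if %errorlevel%==0 (
    >>"%LOG%" echo %date% %time% %COMPUTERNAME%: "%GRP%" already present
    goto :eof
)

rem Redirection is placed first so a numeric exit code at the end of the
rem echo text cannot be misread by cmd.exe as a file-handle redirect.
net localgroup Administrators "%GRP%" /add
if %errorlevel%==0 (
    >>"%LOG%" echo %date% %time% %COMPUTERNAME%: added "%GRP%" to Administrators
) else (
    >>"%LOG%" echo %date% %time% %COMPUTERNAME%: failed to add "%GRP%", rc %errorlevel%
)
endlocal
```

Because a startup script runs only at boot, the log line is the minimum a defender should keep: membership can still drift between reboots, which is the reason Restricted Groups, reapplied on every policy refresh, is the more robust control.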
|
Paul Adare - MVP - Microsoft Virtual PC
In article , in the microsoft.public.win2000.security news group, Steve Hull says...
> Then I added a GPO to the OU and created
> an entry in Restricted Groups for the "Roaming Local Admins" security
> group.
This is where you made your error. You want to create an entry for the Administrators group (just type in Administrators, don't browse for it, the workstation will figure it out when the policy is applied), and then add your Roaming Local Admins group to the Members of this group section in the Administrators group Properties.
> Next, I set up a startup script with the "net localgroup
> administrators mydomain\Roaming Local Admins /add" command.
> (Actually, I had to put quotes around the domain name\group name.)
> That did the trick!
The reason I don't like this method is that membership is only controlled when the computer boots. Once the system is up and running, anyone with sufficient privileges can now change the membership of the group and it will stay changed until the next time you reboot. With Restricted Groups, your settings will be reapplied every time Group Policy is refreshed.
--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no rights.
|
On Sat, 28 Aug 2004 12:41:41 -0400, Paul Adare - MVP - Microsoft Virtual PC wrote:
>In article , in the
>microsoft.public.win2000.security news group, Steve Hull
>says...
>
>> Then I added a GPO to the OU and created
>> an entry in Restricted Groups for the "Roaming Local Admins" security
>> group.
>
>This is where you made your error. You want to create an entry for the
>Administrators group (just type in Administrators, don't browse for it,
>the workstation will figure it out when the policy is applied), and then
>add your Roaming Local Admins group to the Members of this group section
>in the Administrators group Properties.
I can't figure out how to implement your suggestions. I modified the GPO associated with the OU that contains the computers I want to use with my Roaming Local Admins group. In that GPO, in the Restricted Groups section, I ran "Add Group" and added the Roaming Local Admins group. Then I double-clicked on the group name (Roaming Local Admins) and it brought up a dialog box that lets me add members to the restricted group and to define the groups the restricted group will belong to. In the top half of the dialog box, I added 2 domain users (Adam and Bob) to the Roaming Local Admins group. In the bottom half of the dialog box, I typed in "Administrators" to indicate that we want the Restricted Group to be a member of the Administrators group.
When I log into one of the designated workstations as Adam (or Bob), I do not have local Admin privileges.
------ Chapter 2 ----- Ok, so maybe I didn't interpret your instructions correctly. I deleted all my entries in the GPO and started again. In the GPO, I right-click on "Restricted Groups" and select "Add Group". For a group name, I used "Administrators". I right-click on the new, "Administrators" Restricted Group and don't get a Properties selection, per se. But there is a Security Option that lets me add members to the group, and to define which groups my new, "Administrators" group will belong. In fact, this is the same screen I got to with my first attempt. Once again, I add Adam and Bob to the list of members, and also enter "Administrators" in the bottom half of the screen to indicate that this Restricted Group should be a member of the Administrators group after we log on.
When I log on at the workstation, I get the following error message: "Windows cannot create profile directory \\MyServerName\Users\Adam.pds. You will be logged on with a local profile only. Changes to the profile will not be propagated to the server...."
>
>> Next, I set up a startup script with the "net localgroup
>> administrators mydomain\Roaming Local Admins /add" command.
>> (Actually, I had to put quotes around the domain name\group name.)
>> That did the trick!
>
>The reason I don't like this method is that membership is only
>controlled when the computer boots. Once the system is up and running,
>anyone with sufficient privileges can now change the membership of the
>group and it will stay changed until the next time you reboot. With
>Restricted Groups, your settings will be reapplied every time Group
>Policy is refreshed.
Anyone with sufficient privileges can change the GPO :)
Thanks,
- Steve
|
Paul Adare - MVP - Microsoft Virtual PC
In article , in the microsoft.public.win2000.security news group, Steve Hull says...
> Anyone with sufficient privileges can change the GPO :)
Only at the domain level.
--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no rights.