Managing Domain workstations in AD 2003

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi,
We have a really new domain which so far we only have about 5 workstations on it (ongoing process to migrate the other 300 workstations), plus I am only half way through my CompTIA A+ (which I have to complete before I do my MCSE)
I have been tweaking settings for this and have noticed that I can not access any of the computer management options for any of the workstations.

I get this error message " unable to access the computer [email protected]l. The error was: access denied "

Can anyone advise me how I can fix this?
Thanks in advance.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Whats under the GPO for your Workstations in Access This Computer From The Network?

 

Hi, I have just checked and it is currently set to "not defined". The only policy that is applied to the whole domain, including workstations is the master policy which most of the settings are still at the default level.
My workstations are all part of the Domain computers group, which also has all of the defualt settings.

I have lots more questions but don't know where to start!

 

Can you login to the Domain OK and access network resources on one of the PC's?

Need alot more information about your setup, won't be able to advise otherwise.

 

I can use any of the workstations to log into the domain and they can all access all available resources on the network.
Could it be simpy a case of enabling the option to allow access from the network?

Thats understandable, how about general questions about setting up new groups for Sub admin users? Could you help me do that?

 

Are logging on with an account that has Domain Admin permissions? If not, what account are you logging on with and what is it a member of or roles assigned to it (e.g. like what craigie asked)?

 

Most likely yes, GPO's are not inherited in child domains, tree roots or forests. Basically you have to build everything from scratch as they are seperate administrative groups.

If it is a brand new domain you wil not have any settings at all apart from the Defualt Domain Controllers and the inbuilt accounts.

I would compare and contrast your main domains GPO and then change your child.domain as applicable.

 

Do you mean on to the Domain Controller? I am logging in with my own account and I have all domain admin rights.

I will go in and enable the setting to allow network access now and test again.

It is a new domain but we have over 200 TS users so I don't really want to go messing and changing any of the existing GPO's or defualt settings.
Like you said, I was hoping to create a seperate group for "Helpdesk Staff", they will need certain admin rights but not as many as the domain admin.
Currently these helpdesk users are part of the domain admin group which is very dangerous as they know nothing at all about the domain. In particular they need full access to the terminal services manager to they can remote control users sessions.

Is this poosible?

 

This is completely different to what you stated earlier on which was to Computer Manage, this is now about TS and User Roles!

Follow this link to find out about the built in Groups in 2003 click me

Something in this maybe more suitable for your users, otherwise you will need to change there security rights manually.

You could create a custome MMC and give rights for the 'Helpdesk Staff' to access the Terminal Services Manager from this. Go to User Configuration\Admin Templates\Microsoft Management Console\Restricied/Permitted and adjust as necessary.

 

I am very sorry, I am very eager to ask questions and they all seem to lead on to another. I will concentrate on my first question again now.
I have found the setting to allow access from the network to the computer, however there is no simple enable option, it needs me to specify a user, groupor computer. Should I add the domain admin group or TS computer?

Now to my second question, I will follow the link provided and see if any of the built in users/groups match what I need.
Sorry if I'n being really dumb but which admin tool can I find the user configuration in?

 

You need to add the Group which is allowed access to your Computers in the OU.

Err all Group Polices are via Group Policy Management, rather than choose Computer Configuration choose User Configuration and follow my instructions above.

 

I don't want to come across as a killjoy here (that comes later lol) but are you sure you should be doing what you;re doing. its pretty clear that you're not experienced with Active Directory - and my advice to you would be that the very, very last place you want to be 'experimenting' is your new production domain!

Would you not be better off training yourself up in an environment where, if you break something, people aren't going to come down on you like a ton of wet dogs**t? If you buy yourself the MSFT press books and start running through them in a virtual environment (VMWare Server is free to download and use) you will give yourself a much better chance of underatanding what it is you're doing, and - more importantly - lessening the chances of you breaking something irreperably!

 

I agree totally with what you are saying, unfortunately I am the only person in the company who can even attempt any of this! Doesn't look promising does it?!
Before I do any of the above that has been suggested I am actually trying to set up VM ware as we speak, so I can replicate our current domain and then do my testing there. Its not great though as my collegue and I support over 300 users, on all software, hardware and technical issues so I'm not quite sure when I am going to fit it all in!

I think I need a miracle!

 

Or a consultant

 

Whatever Sparky charges I'm 10% less lol

Oh, how did you get on today with the 70-649 mate?

 

Heyyyy - I got dibs on this - I saw it first!

Seriously though - the best of luck to you. Sounds like your company are taking the piss a bit to be frank - how on Earth did you even get the first DC in there? You must have had a consultant at least design your structure for you and put the first DC in - can't you get them in to give you a hand?

 

Hi again, thanks for all of the offers, I would be very grateful of any of your help offers, so don't fight over me! I really don't know where to start!
I don't know how I got the job either, its an ongoing project that only I have taken any interest in so far, and I think that only because I will be doing my MCSE when my A+ is finished.

I (we) have no plans or even a design structure in place. They are new servers at a datacentre which are only being used to run our new business system on, I haven't even seen the things. Our comms suppliers put them in place and set them up and left it all with default settings so we only have the one, same policy applied to everything from DC's to packers in our warehouse!

Not ideal but as there are only 2 of us in the IT department we haven't got the time to sit down and sort it all out in one go, as day to day issues have to be dealt with first.
My plan was to install VM Ware, and replicate our current set up, then I could test thouroughly any changes that I wanted to make.

Has any one got any suggestions on how I can design the domain structure? Our advise how it should be set up? It would be intereing to see an screen shot of other peoples structure, as I'm not quite sure how to break my users up into different folders and apply different policies to different folders.

 

You need to tell your company to pay for a consultant to come in and set everything up for you. Sounds like the company that installed it originally has probably only been paid to get everything installed and working - and hasn't been asked to do any design work on your Ou structure, GPOs, replication (if any) etc. I'm not doing any private work at the moment, but there are other people on this forum (Sparky amongst them) who might be looking for some - or at least work for companies that specialise in what you need. My advice to you would be not to touch anything in case you break it.

Regarding setting up a vmware replica of your environment - this isn't what you need to do (and is a few steps ahead of what you should be thinking of at the moment). In order to familiarise yourself with the sort of technology you'll be using, you need to set up ANY type of domain structure and play with it - so that you understand the concepts behind what it is you need to achieve at work. You should get hold of the MSFT press self-paced learning books and build yourself a domain from scratch - I suggest two DCs, two workstations plus a file and print/DHCP server to get you started.

There are plenty of people on here who will be willing/able to help you work on getting that established - but we would be idiots if we gave a beginner advice that they then implemented on a production network and fubared it - causing your company to spend time and money recovering from and possibly leading you to the dole queue!

HTH