Installing Software and Permissions

lozza
Hey Guys,

Looking for some pointers by the more experienced. I would like to allow
certain users the ability to administer a TS Server and also install software
etc etc on my TS Server. Now, the good way to do this, I believe is by
grouping all these users into an AD Global Security Group and then adding that
security group to the Local Administrators group. Then anytime someone new
needs to be added as an administrator, simply add them to that very Global
Security group and they'll have TS admin permissions... So here is what I
have done:

1) Creating an AD group called TS_Admins - Populated with Users
2) Created an AD group called TS_Users - Populated with Users
3) Added TS_Admins to TS_Users (this has been done so I can treat the
TS_Users group as all possible TS users and security filter GPOs to them if
required)
4) Added TS_Users to the Local group on the TS Server - Remote Desktop Users
5) Added TS_Admins to the Local group on the TS Server - Administrators
6) All in all the Local Administrators Group on the TS Server is now
populated with Administrator, Domain Admins and TS_Admins

So far so good... I hope.

So here is the issue.... I log into the TS Server as a User (user1) who is a
member of the TS_Admins group and try and install a piece of software.... Put
the server in Install mode and during installation an error message is
received saying this User does not have admin rights!!!... confused.

So here is what I have noticed.
- If I log on as myself (member of Domain Admins group) it installs.
Implying the nested group structure and permissions are working (?)
- To troubleshoot whether the user1 really is an admin on the TS Server, I
have added more users to the Local Administrators group using the user1
account. This applies fine... Are there any other tests I can do to ensure
this user is being treated as an administrator?
- If I put user1 in directly under the Local administrators group (so trying
to avoid the nested group structure) - it installs fine under the user1
account.

My questions would be.. is this a quirky TS issue? and what can I do to
troubleshoot this further? Are my group structures wrong?

I'd like to be able to grant admin rights to my users via the TS_Admins AD
Group... If any other info is required, please feel free to ask...

Help appreciated
Lozza....
 
RE: Installing Software and Permissions

a small update that may help as well... the user user1 is also a member of
Domain Admins... but this will eventually be locked down. But again, the
software would refuse to install for user1 until user1 was added directly to
the TS Servers Local Admins group
 
RE: Installing Software and Permissions

Sounds to me that you did everything correct.
I assume that the user logged off and on again after you made
changes to the group membership?
You can type "whoami /groups" in a Terminal Server session to see
the group membership list of a user.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

lozza <lozza@discussions.microsoft.com> wrote on 15
apr 2008 in microsoft.public.windows.terminal_services:

> a small update that may help as well... the user user1 is also a
> member of Domain Admins... but this will eventually be locked
> down. But again, the software would refuse to install for user1
> until user1 was added directly to the TS Servers Local Admins
> group
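
As an added example (not part of any post in this thread): a PowerShell helper that turns the `whoami /groups` check suggested above into a short report on whether the logon token carries the local Administrators SID and the domain groups from the thread. TS_Admins and TS_Users are the thread's group names; the function name Test-TokenGroups, the CONTOSO domain and the sample rows are constructed for illustration, and the column names assume English-language whoami output.

```powershell
# Added example, not code from the thread.
function Test-TokenGroups {
    param(
        [string[]]$CsvLines,                                    # output of: whoami /groups /fo csv
        [string[]]$ExpectedGroups = @('TS_Admins', 'TS_Users')  # group names used in the thread
    )
    $rows = $CsvLines | ConvertFrom-Csv

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators
    $admin = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    $result = [ordered]@{
        AdministratorsInToken  = [bool]$admin
        # A "deny only" entry is listed in the token but grants no access
        AdministratorsDenyOnly = [bool]($admin -and ($admin.Attributes -match 'deny only'))
    }
    foreach ($g in $ExpectedGroups) {
        # Compare on the name after the DOMAIN\ prefix
        $hit = $rows | Where-Object { ($_.'Group Name' -split '\\')[-1] -eq $g }
        $result["Has_$g"] = [bool]$hit
    }
    [pscustomobject]$result
}

# Constructed sample in the CSV layout whoami prints (domain and SIDs are made up).
# TS_Users is left out on purpose so the report shows a missing group.
$sample = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\Remote Desktop Users","Alias","S-1-5-32-555","Mandatory group, Enabled by default, Enabled group"
"CONTOSO\TS_Admins","Group","S-1-5-21-1111111111-2222222222-3333333333-1105","Mandatory group, Enabled by default, Enabled group"
'@ -split "`r?`n"

Test-TokenGroups -CsvLines $sample

# Live check, run inside the user's own Terminal Server session:
# Test-TokenGroups -CsvLines (whoami /groups /fo csv)
```

Group changes only show up in a token created after the change, so run the live check in a fresh logon session.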
 
RE: Installing Software and Permissions

Vera, thank you for the response... and the command line (will be very
useful), I will check this out tomorrow and post back... Hopefully with some
successful news.

FYI, I did log the user off and back on after adding to the TS_Admin group.
I even rebooted the TS Server. Still, just confusing how as soon as the user
is added directly to the local admins group the install of the application
doesn't complain.

Anyhow...let's see what tomorrow brings :)

Lozza
 