Installing New Work Stations

  • Thread starter: mcp6453

I do computer support for a non-profit organization. They just had 10
new Pentium 4 computers donated. The machines have fresh installations
of XP SP2. It takes a long time to install SP3 and the updates. Plus,
there are several other applications that need to be installed on each
computer.

Hopefully I can save some time by building one machine and then imaging
the drive to the others. (All software is properly licensed.) So, I will
use this occasion to try to understand a perpetual problem that I have:
Giving administrator rights to the local machine after the work station
joins the domain of the Windows 2003 Server. I have tried a number of
ways, and something always seems to go wrong.

There are two parts to this question. The first part is, if I build one
machine to spec, join the domain, and then image the drive to another
(identical) computer, what do I have to change on the second machine to
enable it to log into the network? The machine name? Or, do I have to go
through the same routine to join the domain?

The second part of the question is, after a machine joins the domain
using the Administrator account, how do I give any authenticated users
administrator rights on the local machine? Do I add "Domain Users" or
"Authenticated Users" to the local machine Administrators group? This
part is the one that I always have problems with. As you can tell, I am
not a server guy. If you would give me a detailed procedure to give the
local machine administrator rights (even though some people don't think
it's a good idea), I would be most grateful.

It's been a while since I added a computer, but here is what I did:

1. Log into the work station as an administrator of the local machine.
2. Click on "Network ID" or "Change..." to join the domain. (Which one
should I use? What's the difference between the two methods?)
3. After joining the domain, Run "control userpasswords2", Advanced,
Advanced, Groups, Administrators, Add... and then add Domain Users.
(Sometimes "Domain Users" verifies, sometimes it doesn't.)
4. Okay all the way out.
5. Log out as Administrator and log in with a server user account.

Thanks.
 
Re: Installing New Work Stations

mcp6453 <mcp6453@gmail.com> wrote:
> I do computer support for a non-profit organization. They just had 10
> new Pentium 4 computers donated. The machines have fresh installations
> of XP SP2. It takes a long time to install SP3 and the updates. Plus,
> there are several other applications that need to be installed on each
> computer.
>
> Hopefully I can save some time by building one machine and then
> imaging the drive to the others. (All software is properly licensed.)


If you don't have fairly identical hardware, this won't work well - Acronis
software, such as SnapDeploy or TrueImage Workstation with Universal Restore
may be able to do it for you, though. SnapDeploy is a bit complex but is
designed to do what you're trying to do and includes a SID changing tool.

> So, I will use this occasion to try to understand a perpetual problem
> that I have: Giving administrator rights to the local machine after
> the work station joins the domain of the Windows 2003 Server.


Why is that a problem? You don't want to do it, really. But if you do want
to, it's not hard to do.

> I have
> tried a number of ways, and something always seems to go wrong.
>
> There are two parts to this question. The first part is, if I build
> one machine to spec, join the domain,


No - don't join the domain first. Image first. Then join the domain (using
the SBS wizards!)

> and then image the drive to
> another (identical) computer, what do I have to change on the second
> machine to enable it to log into the network? The machine name? Or,
> do I have to go through the same routine to join the domain?


You have to change the SID (most cloning software gives you the option to do
that). Then join the domain.
>
> The second part of the question is, after a machine joins the domain
> using the Administrator account, how do I give any authenticated users
> administrator rights on the local machine?


You really shouldn't be doing that, actually.

> Do I add "Domain Users" or
> "Authenticated Users" to the local machine Administrators group?


You can, but I'd use a custom AD group and a startup script (I don't really
like Restricted Groups much). I tend to set up AD groups called LocalAdmin,
LocalPowerUser, to make this easier. You can also create one for Remote
Desktop access, too - (SBS has this built in).

The batch file would have this:
.........
net localgroup administrators DOMAIN\localadmin /add
net localgroup "power users" DOMAIN\localpoweruser /add
net localgroup "remote desktop users" "DOMAIN\Web Workplace Users" /add

.........

When I set up a new user, I often find I need to add their domain account to
LocalAdmin before I log in as them the first time to customize their
profile/install any sw that must be installed by the user him/herself
....then remove them from the domain LocalAdmin group on the domain when
done.

You can create/link a new GPO at the appropriate OU where your computers
live (if you haven't created custom ones, you'll need to - unless you're
using SBS, which creates its own hierarchy).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server.

THAT SAID - it's not good practice to let users have local admin rights - so
if you have software that won't behave properly without admin rights, try to
correct it. First, I'd holler at the software developer, because this is
sloppy code, but then you can try downloading Process Explorer from
Microsoft (a sysinternals utility) to see what the app is trying to do. You
can then modify permissions in the file system/registry appropriately, to
let ordinary users have the access the software needs.




> This
> part is the one that I always have problems with. As you can tell, I
> am not a server guy. If you would give me a detailed procedure to
> give the local machine administrator rights (even though some people
> don't think it's a good idea),


Anyone who manages networks should think it's a bad idea!

> I would be most grateful.
>
> It's been a while since I added a computer, but here is what I did:
>
> 1. Log into the work station as an administrator of the local machine.
> 2. Click on "Network ID" or "Change..." to join the domain. (Which one
> should I use? What's the difference between the two methods?)


Don't use either. If you're using SBS, you really need to use the wizards.
Go to Server Management on the SBS box, Computers, and add your client
computers there- then join the domain using
http://servername/connectcomputer.

> 3. After joining the domain, Run "control userpasswords2", Advanced,
> Advanced, Groups, Administrators, Add... and then add Domain Users.
> (Sometimes "Domain Users" verifies, sometimes it doesn't.)
> 4. Okay all the way out.
> 5. Log out as Administrator and log in with a server user account.
>
> Thanks.


Local admin rights & machine imaging don't really have much to do with each
other, note.
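
An added example, not part of the thread or any poster's code: a small Python audit that parses the output of `net localgroup Administrators` and separates the broad principals the question asks about (Domain Users, Authenticated Users) from a dedicated group such as LocalAdmin. The sample output, the EXAMPLE domain, the jsmith account and the allowlist are constructed assumptions, and English-language command output is assumed.

```python
import re

# Principals that turn effectively every logged-on user into a local admin.
BROAD_PRINCIPALS = {"domain users", "authenticated users", "everyone",
                    "interactive", "users"}

# Assumed allowlist for this example: the built-in Administrator account,
# Domain Admins, and the dedicated LocalAdmin group suggested in the thread.
EXPECTED = {"administrator", "domain admins", "localadmin"}

# Constructed sample output of `net localgroup Administrators` (not real data).
SAMPLE_WS01 = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\Domain Admins
EXAMPLE\Domain Users
NT AUTHORITY\Authenticated Users
EXAMPLE\jsmith
The command completed successfully.
"""

SAMPLE_WS02 = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\Domain Admins
EXAMPLE\LocalAdmin
The command completed successfully.
"""


def parse_members(net_output):
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def classify(member):
    """Classify one member by its name with the DOMAIN\\ prefix removed."""
    name = member.rsplit("\\", 1)[-1].lower()
    if name in BROAD_PRINCIPALS:
        return "broad"      # everyone in the domain is a local admin
    if name in EXPECTED:
        return "expected"   # on the allowlist
    return "review"         # individual accounts or unknown groups


def audit(net_output):
    """Group the members of the local Administrators group by classification."""
    findings = {"broad": [], "expected": [], "review": []}
    for member in parse_members(net_output):
        findings[classify(member)].append(member)
    return findings


if __name__ == "__main__":
    for host, output in (("WS01", SAMPLE_WS01), ("WS02", SAMPLE_WS02)):
        print(host, audit(output))
```

Members that land under "review" are worth checking by hand, since individual accounts tend to accumulate in the Administrators group and never get removed.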
 
Re: Installing New Work Stations

Lanwench [MVP - Exchange] wrote:
> mcp6453 <mcp6453@gmail.com> wrote:
>> I do computer support for a non-profit organization. They just had 10
>> new Pentium 4 computers donated. The machines have fresh installations
>> of XP SP2. It takes a long time to install SP3 and the updates. Plus,
>> there are several other applications that need to be installed on each
>> computer.
>>
>> Hopefully I can save some time by building one machine and then
>> imaging the drive to the others. (All software is properly licensed.)

>
> If you don't have fairly identical hardware, this won't work well - Acronis
> software, such as SnapDeploy or TrueImage Workstation with Universal Restore
> may be able to do it for you, though. SnapDeploy is a bit complex but is
> designed to do what you're trying to do and includes a SID changing tool.
>
>> So, I will use this occasion to try to understand a perpetual problem
>> that I have: Giving administrator rights to the local machine after
>> the work station joins the domain of the Windows 2003 Server.

>
> Why is that a problem? You don't want to do it, really. But if you do want
> to, it's not hard to do.
>
>> I have
>> tried a number of ways, and something always seems to go wrong.
>>
>> There are two parts to this question. The first part is, if I build
>> one machine to spec, join the domain,

>
> No - don't join the domain first. Image first. Then join the domain (using
> the SBS wizards!)
>
>> and then image the drive to
>> another (identical) computer, what do I have to change on the second
>> machine to enable it to log into the network? The machine name? Or,
>> do I have to go through the same routine to join the domain?

>
> You have to change the SID (most cloning software gives you the option to do
> that). Then join the domain.
>> The second part of the question is, after a machine joins the domain
>> using the Administrator account, how do I give any authenticated users
>> administrator rights on the local machine?

>
> You really shouldn't be doing that, actually.
>
>> Do I add "Domain Users" or
>> "Authenticated Users" to the local machine Administrators group?

>
> You can, but I'd use a custom AD group and a startup script (I don't really
> like Restricted Groups much). I tend to set up AD groups called LocalAdmin,
> LocalPowerUser, to make this easier. You can also create one for Remote
> Desktop access, too - (SBS has this built in).
>
> The batch file would have this:
> ........
> net localgroup administrators DOMAIN\localadmin /add
> net localgroup "power users" DOMAIN\localpoweruser /add
> net localgroup "remote desktop users" "DOMAIN\Web Workplace Users" /add
>
> ........
>
> When I set up a new user, I often find I need to add their domain account to
> LocalAdmin before I log in as them the first time to customize their
> profile/install any sw that must be installed by the user him/herself
> ...then remove them from the domain LocalAdmin group on the domain when
> done.
>
> You can create/link a new GPO at the appropriate OU where your computers
> live (if you haven't created custom ones, you'll need to - unless you're
> using SBS, which creates its own hierarchy).
>
> Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
> (startup/shutdown)
> Double-click Startup, click Add
> Copy the batch file you created to the clipboard, then paste it in the
> window here
> Exit/apply/ok/finish whatever
>
> All the computers in this OU should have the startup script applied when
> they restart, and you can now control all this at the server.
>
> THAT SAID - it's not good practice to let users have local admin rights - so
> if you have software that won't behave properly without admin rights, try to
> correct it. First, I'd holler at the software developer, because this is
> sloppy code, but then you can try downloading Process Explorer from
> Microsoft (a sysinternals utility) to see what the app is trying to do. You
> can then modify permissions in the file system/registry appropriately, to
> let ordinary users have the access the software needs.
>
>
>
>
>> This
>> part is the one that I always have problems with. As you can tell, I
>> am not a server guy. If you would give me a detailed procedure to
>> give the local machine administrator rights (even though some people
>> don't think it's a good idea),

>
> Anyone who manages networks should think it's a bad idea!
>
>> I would be most grateful.
>>
>> It's been a while since I added a computer, but here is what I did:
>>
>> 1. Log into the work station as an administrator of the local machine.
>> 2. Click on "Network ID" or "Change..." to join the domain. (Which one
>> should I use? What's the difference between the two methods?)

>
> Don't use either. If you're using SBS, you really need to use the wizards.
> Go to Server Management on the SBS box, Computers, and add your client
> computers there- then join the domain using
> http://servername/connectcomputer.
>
>> 3. After joining the domain, Run "control userpasswords2", Advanced,
>> Advanced, Groups, Administrators, Add... and then add Domain Users.
>> (Sometimes "Domain Users" verifies, sometimes it doesn't.)
>> 4. Okay all the way out.
>> 5. Log out as Administrator and log in with a server user account.
>>
>> Thanks.

>
> Local admin rights & machine imaging don't really have much to do with each
> other, note.


LW, there is no doubt in my mind that the procedures you are
recommending are the best practices to follow. Your reputation precedes
you. However, much of what you suggest is way over my head, and I am not
willing to take an in depth course on Windows Server to volunteer for
this non-profit organization. Most of what I do for them is work station
maintenance, at which I am close to being a pro. However, the server
issues do arise, and I do the best I can with what I know.

The server is not SBS, it's Windows Server 2003. The workstations are
identical hardware. I don't know what SID is, but I will learn.

I've printed your post and will spend some time plodding through it.
Thanks for taking the time. Hopefully with your recommendations I can
find out what I'm missing along the way.
 
Re: Installing New Work Stations

mcp6453 <mcp6453@gmail.com> wrote:
> Lanwench [MVP - Exchange] wrote:
>> mcp6453 <mcp6453@gmail.com> wrote:
>>> I do computer support for a non-profit organization. They just had
>>> 10 new Pentium 4 computers donated. The machines have fresh
>>> installations of XP SP2. It takes a long time to install SP3 and
>>> the updates. Plus, there are several other applications that need
>>> to be installed on each computer.
>>>
>>> Hopefully I can save some time by building one machine and then
>>> imaging the drive to the others. (All software is properly
>>> licensed.)

>>
>> If you don't have fairly identical hardware, this won't work well -
>> Acronis software, such as SnapDeploy or TrueImage Workstation with
>> Universal Restore may be able to do it for you, though. SnapDeploy
>> is a bit complex but is designed to do what you're trying to do and
>> includes a SID changing tool.
>>> So, I will use this occasion to try to understand a perpetual
>>> problem that I have: Giving administrator rights to the local
>>> machine after the work station joins the domain of the Windows 2003
>>> Server.

>>
>> Why is that a problem? You don't want to do it, really. But if you
>> do want to, it's not hard to do.
>>
>>> I have
>>> tried a number of ways, and something always seems to go wrong.
>>>
>>> There are two parts to this question. The first part is, if I build
>>> one machine to spec, join the domain,

>>
>> No - don't join the domain first. Image first. Then join the domain
>> (using the SBS wizards!)
>>
>>> and then image the drive to
>>> another (identical) computer, what do I have to change on the second
>>> machine to enable it to log into the network? The machine name? Or,
>>> do I have to go through the same routine to join the domain?

>>
>> You have to change the SID (most cloning software gives you the
>> option to do that). Then join the domain.
>>> The second part of the question is, after a machine joins the domain
>>> using the Administrator account, how do I give any authenticated
>>> users administrator rights on the local machine?

>>
>> You really shouldn't be doing that, actually.
>>
>>> Do I add "Domain Users" or
>>> "Authenticated Users" to the local machine Administrators group?

>>
>> You can, but I'd use a custom AD group and a startup script (I don't
>> really like Restricted Groups much). I tend to set up AD groups
>> called LocalAdmin, LocalPowerUser, to make this easier. You can also
>> create one for Remote Desktop access, too - (SBS has this built in).
>>
>> The batch file would have this:
>> ........
>> net localgroup administrators DOMAIN\localadmin /add
>> net localgroup "power users" DOMAIN\localpoweruser /add
>> net localgroup "remote desktop users" "DOMAIN\Web Workplace Users" /add
>>
>> ........
>>
>> When I set up a new user, I often find I need to add their domain
>> account to LocalAdmin before I log in as them the first time to
>> customize their profile/install any sw that must be installed by the
>> user him/herself ...then remove them from the domain LocalAdmin
>> group on the domain when done.
>>
>> You can create/link a new GPO at the appropriate OU where your
>> computers live (if you haven't created custom ones, you'll need to -
>> unless you're using SBS, which creates its own hierarchy).
>>
>> Edit the GPO - go to Computer Configuration \ Windows Settings \
>> Scripts (startup/shutdown)
>> Double-click Startup, click Add
>> Copy the batch file you created to the clipboard, then paste it in
>> the window here
>> Exit/apply/ok/finish whatever
>>
>> All the computers in this OU should have the startup script applied
>> when they restart, and you can now control all this at the server.
>>
>> THAT SAID - it's not good practice to let users have local admin
>> rights - so if you have software that won't behave properly without
>> admin rights, try to correct it. First, I'd holler at the software
>> developer, because this is sloppy code, but then you can try
>> downloading Process Explorer from Microsoft (a sysinternals utility)
>> to see what the app is trying to do. You can then modify permissions
>> in the file system/registry appropriately, to let ordinary users
>> have the access the software needs.
>>> This
>>> part is the one that I always have problems with. As you can tell, I
>>> am not a server guy. If you would give me a detailed procedure to
>>> give the local machine administrator rights (even though some people
>>> don't think it's a good idea),

>>
>> Anyone who manages networks should think it's a bad idea!
>>
>>> I would be most grateful.
>>>
>>> It's been a while since I added a computer, but here is what I did:
>>>
>>> 1. Log into the work station as an administrator of the local
>>> machine.
>>> 2. Click on "Network ID" or "Change..." to join the domain. (Which
>>> one should I use? What's the difference between the two methods?)

>>
>> Don't use either. If you're using SBS, you really need to use the
>> wizards. Go to Server Management on the SBS box, Computers, and add
>> your client computers there- then join the domain using
>> http://servername/connectcomputer.
>>
>>> 3. After joining the domain, Run "control userpasswords2", Advanced,
>>> Advanced, Groups, Administrators, Add... and then add Domain Users.
>>> (Sometimes "Domain Users" verifies, sometimes it doesn't.)
>>> 4. Okay all the way out.
>>> 5. Log out as Administrator and log in with a server user
>>> account. Thanks.

>>
>> Local admin rights & machine imaging don't really have much to do
>> with each other, note.

>
> LW, there is no doubt in my mind that the procedures you are
> recommending are the best practices to follow. Your reputation
> precedes you.


<blush> I thought they said it would STAY in Vegas!

> However, much of what you suggest is way over my head,
> and I am not willing to take an in depth course on Windows Server to
> volunteer for this non-profit organization. Most of what I do for
> them is work station maintenance, at which I am close to being a pro.
> However, the server issues do arise, and I do the best I can with
> what I know.
> The server is not SBS, it's Windows Server 2003.


Sorry, I subscribe to a lot of newsgroups and forgot where I was. Forget the
setup wizard junk I mentioned.

That said, for an office such as this, SBS would've been a very good fit -
it's a lot easier to manage if you don't have a lot of experience (and is a
lot cheaper considering what it includes). Check techsoup.org.

> The workstations are
> identical hardware. I don't know what SID is, but I will learn.


Security identifier. Every object in AD has one - and they're all unique.
You don't want to join the domain until you know the machine has a unique
SID. It's not a big deal to change it.
>
> I've printed your post and will spend some time plodding through it.
> Thanks for taking the time. Hopefully with your recommendations I can
> find out what I'm missing along the way.


No prob - hope it gets you started. Post back if you need more help.
 
Re: Installing New Work Stations

Hi mcp6453,

Just download newsid.exe from www.sysinternals.com (it is a Microsoft web
site now) and run it after you apply image to a new workstation. Then join
it to the domain.

Dush

"mcp6453" <mcp6453@gmail.com> wrote in message
news:ehHukj$AJHA.5964@TK2MSFTNGP04.phx.gbl...
>I do computer support for a non-profit organization. They just had 10 new
>Pentium 4 computers donated. The machines have fresh installations of XP
>SP2. It takes a long time to install SP3 and the updates. Plus, there are
>several other applications that need to be installed on each computer.
>
> Hopefully I can save some time by building one machine and then imaging
> the drive to the others. (All software is properly licensed.) So, I will
> use this occasion to try to understand a perpetual problem that I have:
> Giving administrator rights to the local machine after the work station
> joins the domain of the Windows 2003 Server. I have tried a number of
> ways, and something always seems to go wrong.
>
> There are two parts to this question. The first part is, if I build one
> machine to spec, join the domain, and then image the drive to another
> (identical) computer, what do I have to change on the second machine to
> enable it to log into the network? The machine name? Or, do I have to go
> through the same routine to join the domain?
>
> The second part of the question is, after a machine joins the domain using
> the Administrator account, how do I give any authenticated users
> administrator rights on the local machine? Do I add "Domain Users" or
> "Authenticated Users" to the local machine Administrators group? This part
> is the one that I always have problems with. As you can tell, I am not a
> server guy. If you would give me a detailed procedure to give the local
> machine administrator rights (even though some people don't think it's a
> good idea), I would be most grateful.
>
> It's been a while since I added a computer, but here is what I did:
>
> 1. Log into the work station as an administrator of the local machine.
> 2. Click on "Network ID" or "Change..." to join the domain. (Which one
> should I use? What's the difference between the two methods?)
> 3. After joining the domain, Run "control userpasswords2", Advanced,
> Advanced, Groups, Administrators, Add... and then add Domain Users.
> (Sometimes "Domain Users" verifies, sometimes it doesn't.)
> 4. Okay all the way out.
> 5. Log out as Administrator and log in with a server user account.
>
> Thanks.
 