No admin privileges when logged in as a domain user

I'm setting up a new Dell Vostro 1014 with Windows 7 Professional 32bit preinstalled. I was able to connect it to my company's domain and log in as the domain admin.

I logged in as this computer admin and went to users accounts. I added the domain user there and they are part of the administrator group.
I clicked on the advanced tab up top and went to "advanced user management". I clicked groups and opened up "administrators". I added "domain admins", "domain users" and "domain\saleslaptop2" (the actual user).

I did the same by logging in as the domain admin.

I couldn't add a new folder for hijackthis in "program files" without getting an error. I can't add a folder in "c/users/saleslaptop2"

I found this thread: Domain users and the super admin account
and tried:
cmd,
gpupdate /force

I still have the issues. I couldn't install the accounting software by double clicking on the setup.exe on the network folder like I normally do. I had to right click and "run as administrator". I was able to get it to run, but it took FOREVER. It normally takes 5 minutes, I had to leave it going overnight. It seemed to keep freezing and took a long time when installing .net 1.1 (for my accounting software).

I can't seem to get the domain user to have administrative privileges. It went so smooth when I upgrade my Vostro 1500 from Win XP to WIn 7 Pro 32bit.

Any suggestions?

Since you are on a domain, are you enforcing group policy ? You are making the user account a Local administrator on this computer, but not a Domain Administrator. Group policy will keep this user account from doing some things if the account is just a domain user. I assume that this user will not normally be a domain administrator, is that correct ? In Active Directory on the server, open Active Directory Users and Groups and see what domain groups does this user account belong to ? You may have to temporarily add this user account to one or more administrative groups in AD for this user account to do all the things you want it to be able to do. Try adding this user to the Domain Admins and the Group Policy Creator / Owners groups on the server, then go to the PC and log in as the user. You may need to log in twice before the elevated permissions show up. When done, be sure to remove this user account from the administrative groups in AD.

Ah-ha... I'm a Domain Admin in Active Directory. Now it makes sense why I didn't have these problems.

The new user belongs to two groups. 1. Accounting software group, 2. Domain Users

I will probably just add them to "Domain admin" and "Group Policy Creator / Owner" and reinstall the accounting software.

I'd rather not leave them in that group permanently. Right now, this is the only W7 computer where the user doesn't have network admin privileges. How can we get around this in the future. I don't want to have to add and remove users from the "Domain Admin" group constantly when I upgrade computers in the future. It seems pretty dumb that they will have issues installing updates or creating folders on their own computer unless they're permanently added as a "Domain Admin"

Is there any easy was around this? This really makes me think twice about rolling out Win 7 company wide.

I'm not familiar with group policy, but imagine it can be turned off. It had to be on for a reason though.

I spoke with my consultant; he recommended installing programs by logging in as the local computer admin. I should map "my documents" to the server and work from there. You can go crazy with group policies (and my initial google results seems to confirm this.)

I'm not sure what your configuration is there in your office, but on ours, software isn't installed under a user logon. I log on to the users computer with my own username and I am a domain administrator. I install the software, create the necessary shortcuts in the user's profile, make any necessary file permission changes for the software, then log off and then log on with the users account to make sure it all works right. This is for both windows XP and windows 7.

With the XP workstations, I would initial log-in as the domain administrator and add "domain_users" to the admin group on the computer. I'm able to install software and upgrades at any time when I'm logged in as the user. They didn't have admin privileges on the server, network folders, etc.

That worked fine with XP workstations. Not true with the Windows 7 workstation. It's just frustrating that you can't create a simple folder using a non-admin domain log-in.


With the way you have your network setup, can users install updates themselves? (i.e. windows updates, adobe reader? java? malwarebytes?).