How do I set up a user's rights without granting administrative rights?
I installed DNS and Active Directory on Windows 2000 and I have two big issues. First, users cannot log in from their workstations; they get "Access is Denied" when they try using their user login name, but when logging in as administrator from the same workstation, it works fine. How do I set up the user's rights to log in to the server without granting the user administrative rights?
Second, is it necessary to use NetBIOS to be able to connect to the server? How can I implement a login script (.bat) for a group of users? Any effort to point me to an answer or solution is greatly appreciated.
Be sure that there is a Global Catalog that's accessible (testing all aspects of name resolution) from the workstations that are having the problem. If a GC cannot be contacted, only administrators will be able to log on to Active Directory. Also check the Local Security Policy on the domain controller to be sure that the "Access this computer from the network" setting has not been restricted to administrative users only.
For your second question, NetBIOS connectivity is only necessary if you have specific client workstations (like NT or 9x) or applications that require NetBIOS name resolution. If all of your clients and apps can use DNS for name resolution, you can disable NetBIOS on your server. Finally, you can enable logon scripts using Group Policy Objects attached to a Site, Domain or Organizational Unit.
This was first published in May 2004
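One way to run the user-rights check the answer describes, as an added example that is not part of the original answer: export the domain controller's security settings with `secedit /export` and inspect `SeNetworkLogonRight`, the internal name of "Access this computer from the network". The sample templates are constructed, and the function names and result labels are this example's own.

```python
import configparser

# Well-known SIDs and names of groups that ordinary users belong to.
BROAD = {"s-1-1-0", "s-1-5-11", "s-1-5-32-545",
         "everyone", "authenticated users", "users"}
ADMINS = {"s-1-5-32-544", "administrators"}

# Constructed sample templates (not taken from a real system).
SAMPLE_RESTRICTED = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
"""
SAMPLE_OPEN = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
"""

def network_logon_holders(inf_text):
    """Return normalized holders of SeNetworkLogonRight, or None if unset."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of right names
    parser.read_string(inf_text)
    if not parser.has_option("Privilege Rights", "SeNetworkLogonRight"):
        return None
    raw = parser.get("Privilege Rights", "SeNetworkLogonRight")
    holders = []
    for entry in raw.split(","):
        entry = entry.strip().lstrip("*").lower()  # SIDs are written as *S-1-...
        if entry:
            holders.append(entry.rsplit("\\", 1)[-1])  # drop a DOMAIN\ prefix
    return holders

def assess(inf_text):
    """Classify the setting: ok, admins-only, nobody, not-defined or review."""
    holders = network_logon_holders(inf_text)
    if holders is None:
        return "not-defined"   # the template does not set this right
    if not holders:
        return "nobody"        # right defined but granted to no one
    if any(h in BROAD for h in holders):
        return "ok"            # ordinary users can reach the DC over the network
    if all(h in ADMINS for h in holders):
        return "admins-only"   # the restriction the answer warns about
    return "review"            # custom groups only; check membership by hand
```

Real `secedit` exports are typically UTF-16 files, so read them with `open(path, encoding="utf-16")` before passing the text to `assess`.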