Microsoft KB Archive/262591

= SBS: Removing Users from the Local Administrators Group on Windows NT Clients =

Article ID: 262591

Article Last Modified on 1/25/2006

-

APPLIES TO


 * Microsoft BackOffice Small Business Server 4.0
 * Microsoft BackOffice Small Business Server 4.0a
 * Microsoft BackOffice Small Business Server 4.5

-



This article was previously published under Q262591



SUMMARY
By default, when you add a user to a new or existing Microsoft Windows NT client through the Small Business Server (SBS) Console, that user becomes a member of the local Administrators group for that SBS client. Some administrators consider this a violation of security on their own network and do not want users to have client Administrator privileges.



MORE INFORMATION
When an administrator removes a user from the local Administrators group on a Windows NT client, the next time the user logs on and every subsequent time he or she logs on, he or she receives the following error message:

You are not a member of the Administrators group for this computer. You must be a member of the Administrators group in order to install applications and make changes to this computer.

To make a user a member of the Administrators group, exit and log in using an Administrator account. Then use the User Manager program to add a user to the Administrators group for this computer.

When the required applications are installed, this is an informative error message. When the users clicks OK, the message is cleared, allowing the user to continue. If the required applications are not installed yet on the Windows NT client, the user is prevented from installing the software unless Administrator rights are given to the user. To eliminate this error message, follow these steps:

 On the SBS server, start Windows NT Explorer. Locate the logon script for the user. The file is located in %Systemroot%\System32\Repl\Import\Scripts\SmallBusiness. Right-click the file and click Edit to open the user's logon script for editing. The file is named Username.bat where username is the user's logon name. Find the line that calls the program startcli.exe. This looks similar to the following:

\\ \Clients\Setup\%Directory%\Startcli.exe /s: /u:Username /l:%Systemroot%\..\Startcli.log

Where  is the name of the SBS server. Add the word REM to the beginning of this line. This stops the logon script from running startcli.exe and allows the user to log on to the client without receiving that error message.

NOTE: Removing the user from the local Administrators group on the Windows NT clients prevents the user from adding software or making some changes. If you wish to push out an application at a later time through the SBS Console, for example, Microsoft Outlook 2000, the user must be given Administrator rights on the workstation to install the new application. An alternative is to log on to each client with the domain Administrator account to install the applications.

Additional query words: smallbiz login script

Keywords: kbinfo kbenv KB262591

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.