We have a domain controller currently running Windows Server 2000, and we're in the process of upgrading some of our workstations to Windows 7.
The problem is that users are getting access denied messages to things they should be able to do, even trivial things like deleting shortcuts from the desktop. The users run at less than administrative levels, which we want to maintain.
We think this is caused by Windows 7 having extra security permission settings that are getting defaulted to denied, because the new settings wouldn't actually exist in the Windows 2000 profiles.
The reason I'm asking about Windows 2003 Server is because we have an available license of that, and not to 2008 (which would likely solve the problem completely, but costs $). So what I'd like to find out is if the permission settings in 2003 will be sufficient for our needs to justify upgrading the domain controller to 2003.
I suspect the problem is that your non-admin users are attempting to delete shortcuts which exist on the common desktop (C:\Users\Public\Desktop). Only administrators can do that.
Generally, the version of your DC has very little to do with what permissions and rights exist on your workstations. Sure, you can have all sorts of group policy settings and security templates which change workstation security settings, file permissions, etc. I am assuming that your environment isn't so heavily customised though.
You need to upgrade the DC to 2003 ASAP since no more Win2k security updates will be released after June of this year. Win2k is at end of life from a MS support perspective.
The problem you are seeing is not related to the Dc, but to the client OS and has to do with the fact that one is not an admin on a WIn7 box unless one shuts of User Access Control. As Graeme says, the user is likely deleting a shortcut from the all users profile, not his own.
I suspect if you took away admin rights on the OLD PC, you would see similar results and the user would no longer have delete rights to the all user profile.
Do Not turn of UAC - it is the admins friend.
\\Greg
I would experiment with dis-abling UAC for one of the accounts to see if that helps clear things up a little. It could be that your users are just not used to UAC.