re-configure AD

I had this question posted on the forum last week:
rrajani wrote:
"I have a single server with DC and Exchange 03 on it... is there a way I can stop the users from installing software and modifying Outlook on their local machines? All 60 users are on XP Pro; they are members of Domain Admins and Domain Users. If I remove them from Domain Admins, will it solve my purpose?"

mattyfonz replied:
They are all members of Domain Admins?!
I'll refrain from screaming with horror and just say that it would be a VERY good idea to remove them all from that group immediately.
Use Group Policy to lock down the client workstations. Having them be part of the Domain Users group should be fine for desktops, as they will be part of the Users group on the local machines and will not be able to install software by default unless you give them specific permissions to do so. What exactly are you trying to prevent them from doing?

rrajani wrote:
The ex-admin had configured AD, and the way he set it up is: we have
one domain "abc.local",
one OU 'abc users',
one container 'computers'.
All 60 users are members of Domain Users and Domain Admins.
We have several groups created, and all groups are of type 'security' and scope 'global':
group1 : _abc (all users are members of this group)
group2 : _warehouse managers (all warehouse managers are members of this group)
group3 : _accounting (all accounting staff are members of this group)
group4 : _inside sales (all inside sales people are members of this group)
... and so on.

What we basically need to accomplish is:
1. nobody should be able to play around with their Outlook once their account is set up on their box
2. nobody should be able to install and uninstall software/hardware on their box
We have a 50/50 workforce... 50% are executives who are a little computer savvy and understand, but the other 50% are warehouse guys who are nuts...

We do not have any group policies set up yet... please advise.

New question as of today:
I removed the users from the Domain Admins group... all the users were then unable to open the programs which were installed on their computers. I believe that is because these programs were installed after they were made members of Domain Admins, and now if you remove them from the Domain Admins group, the programs start giving errors...

What is my best way to re-configure AD, looking at the present scenario?

Try making the INTERACTIVE user a member of the Power Users group on the workstations.  See if this allows the programs to run.

If not, what specific programs aren't working?  Try running a utility like Process Monitor to determine which files and registry keys the users need access to, then grant access to just those specific items.
rrajaniAuthor Commented:
For now I have come across only 3 programs which were not working:

UPS WorldShip
Symantec Procomm Plus (which is used to connect to the Unix server)

I will try the Power Users option and let you know... if I make them Power Users on the local machines, will they be able to install software? How is Power Users different from being a member of the Domain Admins group?

Here is more information on the built-in groups:

Power users can "Install programs that do not modify operating system files or install system services".  This is not an ideal situation but is much better than making all users administrators.

Granting users permission to the specific files and registry keys they need is the best solution.
rrajaniAuthor Commented:
I used the Power Users option on 1 user to test it out and it seems to be working... I will be monitoring for a couple of days and will let you know.

If I need to try the second option of running Process Monitor, do I need to run it on each individual user's computer (XP Pro)?
Log on as a user who is not in the Power Users group.  Run Process Monitor and then run one of the problem programs.  Look for ACCESS DENIED entries to see what files and keys the users need permission to.
rrajaniAuthor Commented:
At present all the users are:

1. on the server - members of Domain Admins and Domain Users
2. on individual computers - members of the Administrators group

So my steps to try out on user abc will be:
1. remove abc from Domain Admins on the server
2. log on to his computer as a member of the Administrators group and run Process Monitor, after giving access
3. change the user on the local machine to belong to the Users group?

Please advise...
Steps 1 and 3 are good.  Step 2 is a little off though.  User abc should just have basic user rights on the workstation.  Here's the way it should go:

1. Remove user abc from the Domain Admins group in Active Directory Users and Computers on the server.
2. Remove user abc (and any groups he/she belongs to) from the Administrators and Power Users groups on the workstation.
3. Log onto the workstation as user abc.
4. Run Process Monitor.  It sits in the background and watches to see what files and registry keys are being accessed.
5. Run one of the problem programs.  You should get an error.
6. As soon as you get the error, stop capturing in Process Monitor by clicking the magnifying glass button on the toolbar.
7. Sift through the entries to see what files and registry keys the user was unable to access.
8. Grant Domain Users permission to access those files and keys.  They should then be able to run the program without being in the Administrators or Power Users groups.
rrajaniAuthor Commented:
We have 60 users... if the 8 steps work, then I have to run procmon.exe on all boxes, right?
No.  Do steps 1 and 2 for all non-administrative users.  Do steps 3-7 one time.  Do step 8 on all the boxes.  This could be automated with a script using the CACLS command.
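As an added example (not the expert's own script and not part of the original thread), here is what the automated version of step 8 could look like in PowerShell, using icacls and Set-Acl in place of the CACLS command mentioned above. It assumes it is run elevated on each workstation, and every path, key and domain name below is a constructed placeholder to be replaced with the actual entries found in Process Monitor:

```powershell
# Added example: grant Domain Users the specific folder and registry access
# that Process Monitor's ACCESS DENIED entries identified, so the program
# runs without the user being in Administrators or Power Users.
# Assumptions: run elevated on the workstation (startup script or psexec);
# all names below are constructed placeholders, not values from the thread.

$Group = "ABC\Domain Users"   # placeholder: the domain's NetBIOS name

# Folders the program writes to (constructed placeholders)
$Folders = @(
    "C:\Program Files\ExampleVendor\ExampleApp",
    "C:\Documents and Settings\All Users\Application Data\ExampleVendor"
)

# Registry keys the program writes to (constructed placeholders)
$RegKeys = @(
    "HKLM:\SOFTWARE\ExampleVendor\ExampleApp"
)

# Modify (M), inherited by files (OI) and subfolders (CI).
# Modify rather than Full Control: users cannot change the ACL itself.
foreach ($folder in $Folders) {
    if (-not (Test-Path $folder)) {
        Write-Warning "Folder not found, skipping: $folder"
        continue
    }
    icacls $folder /grant "$($Group):(OI)(CI)M"
}

# Registry: read, set values and create subkeys under the application's
# own key and its children only; nothing elsewhere in HKLM.
$Rights = [System.Security.AccessControl.RegistryRights]"ReadKey, SetValue, CreateSubKey"
foreach ($key in $RegKeys) {
    if (-not (Test-Path $key)) {
        Write-Warning "Key not found, skipping: $key"
        continue
    }
    $acl  = Get-Acl -Path $key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, $Rights, "ContainerInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# Show the resulting ACLs so the change can be checked before rollout
foreach ($folder in $Folders) { icacls $folder }
foreach ($key in $RegKeys) {
    (Get-Acl -Path $key).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType
}
```

Re-run the problem program as a plain domain user afterwards; any remaining ACCESS DENIED entries in Process Monitor point to paths still missing from the two lists.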
rrajaniAuthor Commented:
You mean, do steps 1 & 2 for the administrator users, right? I haven't used procmon.exe before, so it is kind of hard for me; please bear with me. Without running steps 3-7, how can you run step 8?
rrajaniAuthor Commented:
All 60 users are members of Domain Admins in AD and belong to the Administrators group on the local boxes...
Do steps 1 and 2 for all users who are currently in the Domain Admins group but who do not actually require those privileges to administer the network on a daily basis.

Steps 3-7 will tell you what files and keys the users require access to in order to run the programs.  These will be the same for all users, so you only have to do this part once.  Once you know which files and keys are required, grant all users the access to them.

If you are uncomfortable with these procedures then it would be simplest just to add the INTERACTIVE account to the Power Users group on all workstations.  This is a straightforward solution which does not compromise security too badly.

rrajaniAuthor Commented:
I performed steps 1, 2 and 3, and when I run step 4 it tells me that the user does not have administrator rights to run procmon.exe.

User abc is a domain user and that user is not created on the local machine. Do I have to add user 'abc' on the local machine, and under domain do I have to add the main server domain or the local computer domain?
Ah.  Log onto the workstation as the domain user abc and then right-click Procmon (or you might have to Shift-right click), select Run As, and log on as administrator.  That should allow you to run Procmon but still monitor events from the user.