rrajani asked:
user accounts and groups

I have a question on user accounts. We have a W2k3 server and 60 desktops.
At present we have 60 users who are members of the Domain Admins and Domain Users groups on the server; this is how it was configured by the ex-admin. My goal is to remove users from the Domain Admins group so that I can control the security on the desktops. What I need to understand is, say for example,
user 'abc' is a member of the Domain Admins and Domain Users groups on the server, but user 'abc' is not set up as a user in 'User Accounts' on the local desktop 'desktop-01'. I had posted a question on the forum this week and I accidentally closed the question.

shift-3 responded as follows:
response 1: Try making the INTERACTIVE user a member of the Power Users group on the workstations.  See if this allows the programs to run. If not, what specific programs aren't working?  Try running a utility like Process Monitor to determine which files and registry keys the users need access to, then grant access to just those specific items.
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

response 2: User abc should just have basic user rights on the workstation.  Here's the way it should go:
1. Remove user abc from the Domain Admins group in Active Directory Users and Computers on the server.
2. Remove user abc (and any groups he/she belongs to) from the Administrators and Power Users groups on the workstation.
3. Log onto the workstation as user abc.
4. Run Process Monitor.  It sits in the background and watches to see what files and registry keys are being accessed.
5. Run one of the problem programs.  You should get an error.
6. As soon as you get the error, stop capturing in Process Monitor by clicking the magnifying glass button on the toolbar.
7. Sift through the entries to see what files and registry keys the user was unable to access.
8. Grant Domain Users permission to access those files and keys.  They should then be able to run the program without being in the Administrators or Power Users groups.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I tried step 1 (removed the user from the Domain Admins group) and step 2 (added user 'abc' on the local machine as a user). Which domain should I select when I am adding a user, the server domain or the local machine domain? It is not allowing me to include this user in the local machine domain. I am kind of lost here. Help!
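A way to automate step 7 of the procedure quoted above (sifting the Process Monitor capture for denied accesses), as an added PowerShell example that is not part of the original thread: it assumes the capture was saved from Process Monitor in CSV format (File | Save), so the columns "Process Name", "Operation", "Path" and "Result" are present, and it assumes PowerShell 3 or later; $CsvPath and $ProcessName are placeholders.

```powershell
# Added example: list the ACCESS DENIED entries from a Process Monitor CSV export,
# one line per unique path, so you know exactly which files and registry keys need
# permissions for Domain Users. Paths and process name below are placeholders.
param(
    [string]$CsvPath     = 'C:\temp\procmon-capture.csv',   # placeholder: your CSV export
    [string]$ProcessName = 'example-app.exe'                # placeholder: program under test
)

$events = Import-Csv -Path $CsvPath

# Keep only failed accesses made by the program under test. "ACCESS DENIED" is the
# Result Process Monitor reports when the ACL blocks the caller; other results such
# as NAME NOT FOUND are normal and need no permission changes.
$denied = $events | Where-Object {
    $_.Result -eq 'ACCESS DENIED' -and $_.'Process Name' -ieq $ProcessName
}

# Classify each denied path so registry keys and files can be handled separately.
$report = $denied | ForEach-Object {
    $kind = if ($_.Path -match '^HK(LM|CU|CR|U|CC)\\') { 'Registry' } else { 'File' }
    [pscustomobject]@{
        Kind      = $kind
        Path      = $_.Path
        Operation = $_.Operation
    }
}

# Collapse to one line per unique path, listing the operations that were refused;
# the operation (e.g. RegQueryValue vs. RegSetValue) tells you whether read-only
# or write access is the least the user needs.
$report |
    Group-Object Kind, Path |
    ForEach-Object {
        $ops = $_.Group | ForEach-Object { $_.Operation } | Sort-Object -Unique
        [pscustomobject]@{
            Kind       = $_.Group[0].Kind
            Path       = $_.Group[0].Path
            Operations = ($ops -join ', ')
            Count      = $_.Count
        }
    } |
    Sort-Object Kind, Path |
    Format-Table -AutoSize -Wrap
```

Run it once per problem program; the resulting path list is the input to step 8, and nothing outside that list needs to be opened up.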
emiops

If you are adding a local account (not set up in AD), your domain would be the name of the computer:
Computername\Useraccount
I take that back... I don't add local accounts through the Control Panel. Right-click My Computer and go to "Manage".

Navigate to "Local user accounts" and the folder "Users" and add it there. Much easier.
ASKER CERTIFIED SOLUTION
Hypercat (Deb)
strongline

When you select the domain, it lists domain accounts only; these accounts can be seen by both the domain and the computers that are in the domain.
Similarly, when you select the computer name, it lists machine-local accounts only; these accounts can be seen only by this computer.

Step 2 asks you to remove abc from the local admins, and you tried to add him in?

"Users" or "Domain Users" is a built-in group whose membership is determined on the fly; you can't really change that, and it isn't necessary either.
Ideally, all normal users should be created as plain user accounts, no more, no less. You don't add them into Power Users, let alone Domain Admins. Then you grant them permissions as appropriate.

Normally a user should always use his/her domain account to log into the domain. His/her domain account could or could not be a member of the local admins ("Administrators") of his/her own workstation, depending on your preference, but none of the normal users should be a member of Domain Admins except those you select to be.
rrajani (ASKER)

Hypercat: so in step 4, you are telling me to add the same domain user 'abc' on the local workstation as well? And make him a member of the Power Users, Restricted Users, or Users group?
rrajani (ASKER)

OK, so:

1. Removed domain user abc from the Domain Admins group.
2. On the local workstation, made sure that the domain Administrator account and the Domain Admins group are members of the local Administrators group and no user account was in this group.
3. Logged on to the local workstation with admin rights, added domain user 'abc' on the local machine and made him a member of the Power Users group.

It is working fine. I am going to monitor for a few days and make sure he is able to use all the programs on that workstation.
Rrajani, sounds like you've got it correct.  Just to clarify, I'm telling you to add the domain user account itself to the local Power User group.  I think that's what you're doing, but I wanted to be sure that you understand I'm not telling you to create a local user account that is the same as the domain user account.  You just click the Add button for the Power User group, and select the already-existing AD user account to add it to the group. You can also just add the AD Domain Users security group on the workstations if you want all of the domain users to be able to log on to any workstation on the domain.
rrajani (ASKER)

What is the difference if you add a domain user via Control Panel | User Accounts or via clicking on the Add button for the Power Users group? I tried both and it does the same thing.

By making the user a member of the Power Users group on the local machine, the UPS Online WorldShip software is giving errors and I had to make them members of the Administrators group on the local machine.

Any suggestions?
A quicker and more efficient way of adding all your domain users to the Power Users group is to use the
Restricted Groups group policy under Computer Configuration / Windows Settings / Security Settings.
Add a new group called Power Users and add the Domain Users group as a member of this group. Then restart your client machines to refresh group policy. That way all domain users are automatically added to the Power Users group when the machine boots up instead of you manually adding users on each machine.
No difference, I just find the Computer Mgmt. console more flexible and direct than the Control Panel Wizard.  As far as the UPS application, I'm afraid that's typical.  I've run across a number of third party applications, usually not really designed for a network environment, that have the same problem.  Sometimes you can get around it if you can identify the registry keys that are required and give the Power Users group permissions to just those registry keys.  However, that takes some work and in some cases it's just impossible to identify all of them.  Another workaround is to make them local admins, install the application under their logon, and then remove them from the local admins group.  Sometimes that works.  At least making them local administrators is a lot better than having them as members of the Domain Admins group!
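One way to do what the reply above suggests (give Power Users access to just the registry keys and folders the program needs, rather than making users local admins), as an added PowerShell example that is not from this thread or from any vendor: the key and folder paths are placeholders taken from a Process Monitor capture, and the script previews the resulting ACLs unless -Apply is given.

```powershell
# Added example: grant BUILTIN\Power Users scoped access to one registry key and one
# folder, leaving every other ACE in place. Paths below are placeholders; substitute
# the ones the Process Monitor capture showed as ACCESS DENIED.
param(
    [string]$RegistryKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp',   # placeholder
    [string]$Folder      = 'C:\Program Files\ExampleVendor\ExampleApp', # placeholder
    [switch]$Apply                                                      # preview unless set
)

$group = 'BUILTIN\Power Users'

# Registry: read and write values under the key and its subkeys, but not FullControl,
# so members still cannot change permissions or take ownership of the key.
$regRights = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
$regRule   = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $group, $regRights, 'ContainerInherit', 'None', 'Allow')
$regAcl    = Get-Acl -Path $RegistryKey
$regAcl.AddAccessRule($regRule)

# Files: Modify lets the program create and update its data files in the folder tree;
# it does not include Change Permissions or Take Ownership.
$fsRights = [System.Security.AccessControl.FileSystemRights]::Modify
$fsRule   = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $group, $fsRights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$fsAcl    = Get-Acl -Path $Folder
$fsAcl.AddAccessRule($fsRule)

# Always show the ACLs that would result; write them back only when -Apply is given.
foreach ($acl in @($regAcl, $fsAcl)) {
    Write-Host "== $($acl.Path)"
    $acl.Access |
        Format-Table IdentityReference, RegistryRights, FileSystemRights, AccessControlType -AutoSize
}

if ($Apply) {
    Set-Acl -Path $RegistryKey -AclObject $regAcl   # needs an elevated (admin) prompt
    Set-Acl -Path $Folder      -AclObject $fsAcl
} else {
    Write-Host 'Preview only; re-run with -Apply to write the ACLs.'
}
```

If the program then works for a plain Domain User, the earlier change to Power Users (or local Administrators) can be reverted on that workstation.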