

user accounts and groups

Posted on 2007-03-29
Medium Priority
Last Modified: 2010-04-20
I have a question on the user accounts... We have a W2k3 server and 60 desktops...
At present we have 60 users who are members of the Domain Admins and Domain Users groups on the server... this is how it was configured by the ex admin... My goal is to remove the users from the Domain Admins group... so that I can control the security on the desktops... What I need to understand is, say for e.g.
user 'abc' is a member of the Domain Admins and Domain Users groups on the server, but user 'abc' is not set up as a user in 'User Accounts' on the local desktop 'desktop-01'... I had posted a question on the forum this week and I accidentally closed the question.

shift-3 responded as follows:
response 1: Try making the INTERACTIVE user a member of the Power Users group on the workstations.  See if this allows the programs to run. If not, what specific programs aren't working?  Try running a utility like Process Monitor to determine which files and registry keys the users need access to, then grant access to just those specific items.

response 2: User abc should just have basic user rights on the workstation.  Here's the way it should go:
1. Remove user abc from the Domain Admins group in Active Directory Users and Computers on the server.
2. Remove user abc (and any groups he/she belongs to) from the Administrators and Power Users groups on the workstation.
3. Log onto the workstation as user abc.
4. Run Process Monitor.  It sits in the background and watches to see what files and registry keys are being accessed.
5. Run one of the problem programs.  You should get an error.
6. As soon as you get the error, stop capturing in Process Monitor by clicking the magnifying glass button on the toolbar.
7. Sift through the entries to see what files and registry keys the user was unable to access.
8. Grant Domain Users permission to access those files and keys.  They should then be able to run the program without being in the Administrators or Power Users groups.
I tried step 1 - removed the user from the Domain Admins group; step 2 - added user 'abc' on the local machine as a user. Which domain should I select when I am adding a user, the server domain or the local machine domain? ... because it is not allowing me to include this user in the local machine domain... I am kind of lost here... help...
Question by:rrajani

Expert Comment

ID: 18818718
If you are adding a local account (Not setup in AD), your domain would be the name of the computer...

Expert Comment

ID: 18818746
I take that back... I don't add local accounts through the Control Panel. Right-click My Computer and go to "Manage".

Navigate to "Local Users and Groups" and the folder "Users" and add it there... Much easier.

Accepted Solution

Hypercat (Deb) earned 1000 total points
ID: 18818783
If I'm understanding correctly, what you're trying to do is set up the users correctly so that they (1) do NOT have Domain Admin membership; and (2) have access and appropriate rights on their workstations.  You need to do two things:

1.  In AD Users and Computers, in the user's properties/Member Of tab, remove the "Domain Admins" group.
2.  On the workstation, log on with an account that DOES have domain administrator rights.  Then go to Computer Management Console/System Tools/Local Users and Groups.  
3. Open the Administrators Group and make sure that both the domain Administrator account and the Domain Admins group are part of the local Administrators group. Make sure that the user's account, whether local or domain-level, is NOT in this group.
4.  Now you have a choice.  If you want the user to be able to run most programs without any potential permissions issue, add them to the Power Users group.  If you want their local permissions to be more restricted, add them to the Users group.  In either case, you want to select the domain, not the local machine, as the source and select the user's domain account.  Do NOT add a local user account; it's just additional work and not necessary.

That should cover the basic issue you've described.  If, after adding them to the Power Users group on the workstation you still have issues running certain programs, you can add them (again using their domain user account) to the local Administrators group on the workstation if absolutely necessary.  
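As an added example (not code from the thread or from any of its participants), the following PowerShell script checks and, with -Apply, enforces the four steps above for one user: it verifies Domain Admins membership, confirms the domain Administrator and Domain Admins are still in the workstation's local Administrators group, removes the user from local Administrators if present, and adds the domain account (not a local account) to Power Users. The NetBIOS domain name CONTOSO, the user abc and the workstation desktop-01 are assumed values; it also assumes the RSAT ActiveDirectory module, PowerShell 5.1+ for the LocalAccounts cmdlets, and PowerShell Remoting to the workstation.

```powershell
# Added example, not from the original thread. Assumed values: CONTOSO, abc, desktop-01.
param(
    [string]$Domain      = 'CONTOSO',     # assumed NetBIOS domain name
    [string]$User        = 'abc',         # the account being taken out of Domain Admins
    [string]$Workstation = 'desktop-01',  # the workstation named in the question
    [switch]$Apply                        # without -Apply the script only reports
)

Import-Module ActiveDirectory

# Step 1: is the user still in Domain Admins, directly or through a nested group?
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
      Select-Object -ExpandProperty SamAccountName
if ($da -contains $User) {
    Write-Host "$User is a member of Domain Admins"
    if ($Apply) { Remove-ADGroupMember -Identity 'Domain Admins' -Members $User -Confirm:$false }
}
# Report who is left; the thread started with 60 members, so this list is worth reading.
Write-Host ("Domain Admins has {0} member(s): {1}" -f @($da).Count, ($da -join ', '))

# Steps 2-4 run on the workstation itself, so they are executed remotely.
$check = {
    param($Domain, $User, $Apply)
    $admins = @(Get-LocalGroupMember -Group 'Administrators').Name
    # Step 3: the domain Administrator account and Domain Admins must stay local admins.
    foreach ($required in "$Domain\Administrator", "$Domain\Domain Admins") {
        if ($admins -notcontains $required) { Write-Warning "$required is missing from local Administrators" }
    }
    # Step 3: the user's own domain account must not be a local admin.
    if ($admins -contains "$Domain\$User") {
        Write-Warning "$Domain\$User is in local Administrators"
        if ($Apply) { Remove-LocalGroupMember -Group 'Administrators' -Member "$Domain\$User" }
    }
    # Step 4: add the existing domain account to Power Users; no local account is created.
    $pu = @(Get-LocalGroupMember -Group 'Power Users').Name
    if ($pu -notcontains "$Domain\$User") {
        if ($Apply) { Add-LocalGroupMember -Group 'Power Users' -Member "$Domain\$User" }
        else        { Write-Host "Would add $Domain\$User to Power Users on $env:COMPUTERNAME" }
    } else {
        Write-Host "$Domain\$User is already in Power Users"
    }
}
Invoke-Command -ComputerName $Workstation -ScriptBlock $check -ArgumentList $Domain, $User, [bool]$Apply
```

Run it once without -Apply to see what would change, then with -Apply; the Domain Admins membership report is the quickest way to confirm how many of the 60 accounts still need the same treatment.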


Expert Comment

ID: 18818786
When you select the domain, it lists domain accounts only; these accounts can be seen by both the domain and the computers that are in the domain.
Similarly, when you select the computer name, it lists machine-local accounts only; these accounts can be seen only by this computer.

step 2 asks you to remove abc out of local admin, and you tried to add him in?

"Users" or "Domain Users" is a built-in group whose membership is determined on the fly; you can't really change that, and it's not necessary either.
Ideally, all normal users should be created as plain user accounts, no more, no less. You don't add them to Power Users, let alone Domain Admins. Then you grant them permissions as appropriate.

Normally a user should always use his/her domain account to log into the domain. His/her domain account may or may not be a member of the local admin ("Administrators") group of his/her own workstation, depending on your preference, but none of the normal users should be members of Domain Admins except those you select to be.

Author Comment

ID: 18819712
hypercat: so in step 4, you are telling me to add the same domain user 'abc' on the local workstation as well? ... and make him a member of the Power Users, restricted or Users group...?

Author Comment

ID: 18819900
OK so...

1. Removed domain user abc from the Domain Admins group.
2. On the local workstation, made sure that the domain Administrator account and the Domain Admins group are members of the local Administrators group and that no user account was in this group.
3. Logged on to the local workstation with admin rights, added domain user 'abc' on the local machine and made him a member of the Power Users group.

It is working fine... I am going to monitor for a few days and make sure he is able to use all the programs on that workstation...

Expert Comment

by:Hypercat (Deb)
ID: 18820640
Rrajani, sounds like you've got it correct.  Just to clarify, I'm telling you to add the domain user account itself to the local Power User group.  I think that's what you're doing, but I wanted to be sure that you understand I'm not telling you to create a local user account that is the same as the domain user account.  You just click the Add button for the Power User group, and select the already-existing AD user account to add it to the group. You can also just add the AD Domain Users security group on the workstations if you want all of the domain users to be able to log on to any workstation on the domain.

Author Comment

ID: 18820723
What is the difference if you add a domain user via Control Panel | User Accounts or via clicking on the Add button for the Power Users group? ... I tried both and it does the same thing...

By making the user a member of the Power Users group on the local machine, the UPS Online WorldShip software is giving errors and I had to make them members of the Administrators group on the local machine...

Any suggestions...

Expert Comment

ID: 18820945
A quicker and more efficient way of adding all your domain users to the Power Users group is to use the Restricted Groups group policy under Computer Configuration / Windows Settings / Security Settings.
Add a new group there called Power Users and add the Domain Users group as a member of this group. Then restart your client machines to refresh group policy. That way all domain users are automatically added to the Power Users group when the machine boots up, instead of you manually adding users on each machine.

Expert Comment

by:Hypercat (Deb)
ID: 18823608
No difference, I just find the Computer Mgmt. console more flexible and direct than the Control Panel Wizard.  As far as the UPS application, I'm afraid that's typical.  I've run across a number of third party applications, usually not really designed for a network environment, that have the same problem.  Sometimes you can get around it if you can identify the registry keys that are required and give the Power Users group permissions to just those registry keys.  However, that takes some work and in some cases it's just impossible to identify all of them.  Another workaround is to make them local admins, install the application under their logon, and then remove them from the local admins group.  Sometimes that works.  At least making them local administrators is a lot better than having them as members of the Domain Admins group!
