user accounts and groups

I have a question on the user accounts. We have a W2k3 server and 60 desktops.
At present we have 60 users who are members of the Domain Admins and Domain Users groups on the server. This is how it was configured by ex. My goal is to remove the users from Domain Admins so that I can control the security on the desktops. What I need to understand is, say for e.g.
user 'abc' is a member of the Domain Admins and Domain Users groups on the server, but user 'abc' is not set up as a user in 'User Accounts' on the local desktop 'desktop-01'. I had posted a question on the forum this week and I accidentally closed the question.

shift-3 responded as follows:
response 1: Try making the INTERACTIVE user a member of the Power Users group on the workstations.  See if this allows the programs to run. If not, what specific programs aren't working?  Try running a utility like Process Monitor to determine which files and registry keys the users need access to, then grant access to just those specific items.

response 2: User abc should just have basic user rights on the workstation.  Here's the way it should go:
1. Remove user abc from the Domain Admins group in Active Directory Users and Computers on the server.
2. Remove user abc (and any groups he/she belongs to) from the Administrators and Power Users groups on the workstation.
3. Log onto the workstation as user abc.
4. Run Process Monitor.  It sits in the background and watches to see what files and registry keys are being accessed.
5. Run one of the problem programs.  You should get an error.
6. As soon as you get the error, stop capturing in Process Monitor by clicking the magnifying glass button on the toolbar.
7. Sift through the entries to see what files and registry keys the user was unable to access.
8. Grant Domain Users permission to access those files and keys.  They should then be able to run the program without being in the Administrators or Power Users groups.
I tried step 1 - removed the user from the Domain Admins group; step 2 - added user 'abc' on the local machine as a user. Which domain should I select when I am adding a user, the server domain or the local machine domain? Because it is not allowing me to include this user in the local machine domain. I am kind of lost.
Hypercat (Deb) Commented:
If I'm understanding correctly, what you're trying to do is set up the users correctly so that they (1) do NOT have Domain Admin membership; and (2) have access and appropriate rights on their workstations.  You need to do two things:

1.  In AD Users and Computers, in the user's properties/Member Of tab, remove the "Domain Admins" group.
2.  On the workstation, log on with an account that DOES have domain administrator rights.  Then go to Computer Management Console/System Tools/Local Users and Groups.
3. Open the Administrators Group and make sure that both the domain Administrator account and the Domain Admins group are part of the local Administrators group. Make sure that the user's account, whether local or domain-level, is NOT in this group.
4.  Now you have a choice.  If you want the user to be able to run most programs without any potential permissions issue, add them to the Power Users group.  If you want their local permissions to be more restricted, add them to the Users group.  In either case, you want to select the domain, not the local machine, as the source and select the user's domain account.  Do NOT add a local user account; it's just additional work and not necessary.

That should cover the basic issue you've described.  If, after adding them to the Power Users group on the workstation you still have issues running certain programs, you can add them (again using their domain user account) to the local Administrators group on the workstation if absolutely necessary.
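The membership clean-up Hypercat describes in steps 1 to 4 is usually done in the Computer Management console one machine at a time. The script below is an added example, not code from the thread or from any participant, that does the same check from one place: it reads the local Administrators group on each workstation through the WinNT ADSI provider (which works against XP/2003-era machines as well as current ones), reports any member that is not the domain Administrator account or the Domain Admins group, and, only when `-Remove` is given, takes the named domain user out of local Administrators and puts that same domain account into local Power Users. The domain name `CONTOSO`, the workstation names and the account `abc` are placeholders.

```powershell
# Added example: audit (and optionally fix) local Administrators membership on
# several workstations. Run from an account with local admin rights on each target.
# Placeholders: CONTOSO (domain NetBIOS name), desktop-01/desktop-02 (workstations).
param(
    [string[]] $Computers = @('desktop-01', 'desktop-02'),  # placeholder names
    [string]   $Domain    = 'CONTOSO',                       # placeholder domain
    [string]   $User      = 'abc',                           # account from the thread
    [switch]   $Remove                                       # report only unless set
)

# Accounts that SHOULD be in local Administrators (Hypercat's step 3).
$Allowed = @("$Domain\Administrator", "$Domain\Domain Admins")

# Turn an ADSI member object into DOMAIN\name or COMPUTER\name for comparison.
function Get-MemberName($member) {
    $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    # ADsPath looks like WinNT://CONTOSO/abc or WinNT://desktop-01/Administrator
    return (($adsPath -replace '^WinNT://', '') -replace '/', '\')
}

foreach ($pc in $Computers) {
    try {
        $admins  = [ADSI]"WinNT://$pc/Administrators,group"
        $members = @($admins.psbase.Invoke('Members') | ForEach-Object { Get-MemberName $_ })
    } catch {
        Write-Warning "$pc : could not read local Administrators ($($_.Exception.Message))"
        continue
    }

    foreach ($m in $members) {
        if ($m -eq "$pc\Administrator") { continue }   # built-in local admin stays
        if ($Allowed -contains $m)      { continue }   # domain admin account / group stays
        Write-Output "$pc : unexpected Administrators member $m"

        # Only the account named on the command line is ever removed, and only with -Remove.
        if ($Remove -and $m -eq "$Domain\$User") {
            $admins.Remove("WinNT://$Domain/$User,user")
            Write-Output "$pc : removed $m from Administrators"
        }
    }

    # Step 4: add the DOMAIN account (not a new local account) to local Power Users.
    if ($Remove) {
        $powerUsers = [ADSI]"WinNT://$pc/Power Users,group"
        try {
            $powerUsers.Add("WinNT://$Domain/$User,user")
            Write-Output "$pc : added $Domain\$User to Power Users"
        } catch {
            # IADsGroup.Add throws if the account is already a member; that is fine.
            Write-Output "$pc : $Domain\$User already in Power Users (or add failed: $($_.Exception.Message))"
        }
    }
}
```

Run it first without `-Remove` to get a report of every workstation whose Administrators group still contains ordinary users; that list is the thing worth keeping, because any user who is a local admin on a machine can undo the rest of the lockdown. The Add and Remove calls take the member's own ADsPath (`WinNT://DOMAIN/user,user`), which is why the domain account is referenced rather than a local one, matching Hypercat's point that no local account needs to be created.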
If you are adding a local account (not set up in AD), your domain would be the name of the computer...
I take that back... I don't add local accounts through the Control Panel.  Right-click My Computer and go to "Manage".

Navigate to "Local Users and Groups" and the folder "Users" and add it there.... Much easier.

When you select the domain, it lists domain accounts only; these accounts can be seen by both the domain and the computers that are in the domain.
Similarly, when you select the computer name, it lists machine-local accounts only; these accounts can be seen only by this computer.

Step 2 asks you to remove abc from local admin, and you tried to add him in?

"Users" or "Domain Users" is a built-in group whose membership is determined on the fly; you can't really change that, and it's not necessary either.
Ideally, all normal users should be created as plain user accounts, no more, no less. You don't add them into Power Users, let alone Domain Admins. Then you grant them permissions as appropriate.

Normally a user should always use his/her domain account to log into the domain. His/her domain account may or may not be a member of the local admin ("Administrators") group of his/her own workstation, depending on your preference, but none of the normal users should be a member of Domain Admins except those you select to be.
rrajaniAuthor Commented:
hypercat: so in step 4, you are telling me to add the same domain user 'abc' on the local workstation as well, and make him a member of the Power Users, restricted or Users group?
rrajaniAuthor Commented:
OK so...

1. Removed domain user abc from the Domain Admins group.
2. On the local workstation, made sure that the domain Administrator account and the Domain Admins group are members of the local Administrators group and no user account was in this group.
3. Logged on to the local workstation with admin rights, added domain user 'abc' on the local machine and made him a member of the Power Users group.

It is working fine. I am going to monitor for a few days and make sure he is able to use all the programs on that workstation.
Hypercat (Deb)Commented:
Rrajani, sounds like you've got it correct.  Just to clarify, I'm telling you to add the domain user account itself to the local Power User group.  I think that's what you're doing, but I wanted to be sure that you understand I'm not telling you to create a local user account that is the same as the domain user account.  You just click the Add button for the Power User group, and select the already-existing AD user account to add it to the group. You can also just add the AD Domain Users security group on the workstations if you want all of the domain users to be able to log on to any workstation on the domain.
rrajaniAuthor Commented:
What is the difference if you add a domain user via Control Panel | User Accounts or via clicking on the Add button for the Power Users group? I tried both and it does the same thing.

By making the user a member of the Power Users group on the local machine, the UPS Online WorldShip software is giving errors and I had to make them a member of the Administrators group on the local machine.

Any suggestions?
A quicker and more efficient way of adding all your domain users to the Power Users group is to use the
Restricted Groups group policy under Computer Configuration / Windows Settings / Security Settings.
Add a new group called Power Users and add the Domain Users group as a member of this group. Then restart your client machines to refresh group policy. That way all domain users are automatically added to the Power Users group when the machine boots up instead of you manually adding users on each machine.
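The Restricted Groups setting just described is stored in the GPO's security template (`GptTmpl.inf` under the policy's `MACHINE\Microsoft\Windows NT\SecEdit` folder). The fragment below is an added example of what that section looks like after the setting is made in the GUI; it is not taken from the thread. `CONTOSO` is a placeholder domain name, and the SID form shown for Power Users (`S-1-5-32-547`) is the well-known SID that the editor writes in place of the name. The point worth checking before applying this: the `__Members` line enforces exact membership, so on every client the Power Users group will contain only Domain Users and any other members will be removed on each policy refresh, whereas a `__Memberof` line only adds the listed group to another group without touching that group's other members.

```ini
; Added example (constructed): Restricted Groups section of GptTmpl.inf
; Enforce "Power Users contains exactly: CONTOSO\Domain Users" on every
; computer the GPO applies to. CONTOSO is a placeholder domain name.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; *S-1-5-32-547 is the well-known SID of the built-in Power Users group.
; "Members" is authoritative: anything not listed is removed at refresh.
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = CONTOSO\Domain Users
```

Because `__Members` is authoritative, keep it to groups whose membership you actually want reset on every refresh (Power Users here); if someone later wants a single user in a local group, add that to the policy rather than to the machine, or the next refresh will silently undo it.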
Hypercat (Deb)Commented:
No difference, I just find the Computer Mgmt. console more flexible and direct than the Control Panel Wizard.  As far as the UPS application, I'm afraid that's typical.  I've run across a number of third party applications, usually not really designed for a network environment, that have the same problem.  Sometimes you can get around it if you can identify the registry keys that are required and give the Power Users group permissions to just those registry keys.  However, that takes some work and in some cases it's just impossible to identify all of them.  Another workaround is to make them local admins, install the application under their logon, and then remove them from the local admins group.  Sometimes that works.  At least making them local administrators is a lot better than having them as members of the Domain Admins group!