user accounts and groups

Posted on 2007-03-29
Last Modified: 2010-04-20
I have a question on user accounts. We have a W2k3 server and 60 desktops.
At present all 60 users are members of the Domain Admins and Domain Users groups on the server; this is how it was configured by the ex-admin. My goal is to remove the users from the Domain Admins group so that I can control security on the desktops. What I need to understand is, for example:
user 'abc' is a member of the Domain Admins and Domain Users groups on the server, but user 'abc' is not set up as a user in 'User Accounts' on the local desktop 'desktop-01'. I had posted a question on the forum this week and accidentally closed it.

shift-3 responded as follows:
response 1: Try making the INTERACTIVE user a member of the Power Users group on the workstations.  See if this allows the programs to run. If not, what specific programs aren't working?  Try running a utility like Process Monitor to determine which files and registry keys the users need access to, then grant access to just those specific items.
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

response 2: User abc should just have basic user rights on the workstation.  Here's the way it should go:
1. Remove user abc from the Domain Admins group in Active Directory Users and Computers on the server.
2. Remove user abc (and any groups he/she belongs to) from the Administrators and Power Users groups on the workstation.
3. Log onto the workstation as user abc.
4. Run Process Monitor.  It sits in the background and watches to see what files and registry keys are being accessed.
5. Run one of the problem programs.  You should get an error.
6. As soon as you get the error, stop capturing in Process Monitor by clicking the magnifying glass button on the toolbar.
7. Sift through the entries to see what files and registry keys the user was unable to access.
8. Grant Domain Users permission to access those files and keys.  They should then be able to run the program without being in the Administrators or Power Users groups.
-----
I tried step 1 (removed the user from the Domain Admins group) and step 2 (added user 'abc' on the local machine as a user). Which domain should I select when I am adding a user, the server domain or the local machine domain? It is not allowing me to include this user in the local machine domain. I am kind of lost here. Help!
Question by:rrajani

10 Comments

Expert Comment by:emiops
ID: 18818718
If you are adding a local account (Not setup in AD), your domain would be the name of the computer...
Computername\Useraccount

Expert Comment by:emiops
ID: 18818746
I take that back... I don't add local accounts through the Control Panel. Right-click My Computer and go to "Manage".

Navigate to "Local user accounts" and the folder "Users" and add it there. Much easier.

Accepted Solution by: Hypercat (Deb) (earned 250 total points)
ID: 18818783
If I'm understanding correctly, what you're trying to do is set up the users correctly so that they (1) do NOT have Domain Admin membership; and (2) have access and appropriate rights on their workstations.  You need to do two things:

1.  In AD Users and Computers, in the user's properties/Member Of tab, remove the "Domain Admins" group.
2.  On the workstation, log on with an account that DOES have domain administrator rights.  Then go to Computer Management Console/System Tools/Local Users and Groups.  
3. Open the Administrators Group and make sure that both the domain Administrator account and the Domain Admins group are part of the local Administrators group. Make sure that the user's account, whether local or domain-level, is NOT in this group.
4.  Now you have a choice.  If you want the user to be able to run most programs without any potential permissions issue, add them to the Power Users group.  If you want their local permissions to be more restricted, add them to the Users group.  In either case, you want to select the domain, not the local machine, as the source and select the user's domain account.  Do NOT add a local user account; it's just additional work and not necessary.

That should cover the basic issue you've described.  If, after adding them to the Power Users group on the workstation you still have issues running certain programs, you can add them (again using their domain user account) to the local Administrators group on the workstation if absolutely necessary.  
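Steps 2 to 4 of the accepted solution, scripted so they can be repeated on each of the 60 workstations and verified afterwards. This is an added example, not code from the thread; it assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module), an elevated session run by an account that is already a local administrator, and a hypothetical domain name CONTOSO, user abc and workstation name.

```powershell
# Added example (not from the original thread). Puts a workstation's local groups
# into the state Hypercat describes and reports anything left over.
# Assumptions: Windows 10 / Server 2016+ (Get-/Add-/Remove-LocalGroupMember),
# run elevated; domain and user names below are hypothetical.
param(
    [string]$Domain   = 'CONTOSO',   # assumption: NetBIOS name of the W2k3 domain
    [string]$UserName = 'abc',
    [switch]$PowerUser               # add to Power Users instead of Users
)

$domainAdmins = "$Domain\Domain Admins"
$domainAdmin  = "$Domain\Administrator"
$userAccount  = "$Domain\$UserName"   # the DOMAIN account; no local account is created
$targetGroup  = if ($PowerUser) { 'Power Users' } else { 'Users' }

function Test-LocalGroupMember {
    param([string]$Group, [string]$Member)
    # Get-LocalGroupMember reports Name as DOMAIN\account for domain principals and
    # COMPUTER\account for local ones, so a domain/local mix-up cannot match.
    $null -ne (Get-LocalGroupMember -Group $Group -ErrorAction Stop |
               Where-Object { $_.Name -ieq $Member })
}

# Step 3: the domain Administrator account and Domain Admins stay in Administrators.
foreach ($principal in $domainAdmins, $domainAdmin) {
    if (-not (Test-LocalGroupMember -Group 'Administrators' -Member $principal)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $principal
    }
}

# Step 3, second half: the user's account must NOT be in Administrators, nor in
# Power Users when the choice is Users. Removing an absent member throws, hence the test.
foreach ($group in 'Administrators', 'Power Users') {
    if ($group -eq $targetGroup) { continue }
    if (Test-LocalGroupMember -Group $group -Member $userAccount) {
        Remove-LocalGroupMember -Group $group -Member $userAccount
    }
}

# Step 4: add the existing domain account to the chosen group.
if (-not (Test-LocalGroupMember -Group $targetGroup -Member $userAccount)) {
    Add-LocalGroupMember -Group $targetGroup -Member $userAccount
}

# Verification: any member of Administrators outside this allow-list is the kind
# of leftover the ex-admin's configuration produced and should be explained.
$allowedAdmins = @($domainAdmins, $domainAdmin, "$env:COMPUTERNAME\Administrator")
$unexpected = Get-LocalGroupMember -Group 'Administrators' |
              Where-Object { $allowedAdmins -notcontains $_.Name }

'Administrators:';   Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
"${targetGroup}:";   Get-LocalGroupMember -Group $targetGroup     | Select-Object Name, ObjectClass
if ($unexpected) {
    Write-Warning ('Unexpected members of local Administrators: ' + ($unexpected.Name -join ', '))
}
```

On the XP/2003-era workstations the question is actually about, the same membership change is `net localgroup "Power Users" CONTOSO\abc /add` and `net localgroup Administrators CONTOSO\abc /delete` (with the real domain name). Note that from Windows Vista onward Power Users is a legacy group that grants no rights beyond Users, so on current systems the choice in step 4 is effectively Users, and any program that "needs Power Users" needs targeted file or registry permissions instead.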

Expert Comment by:strongline
ID: 18818786
When you select the domain, it lists domain accounts only; these accounts can be seen by both the domain and the computers that are in the domain.
Similarly, when you select the computer name, it lists machine-local accounts only; these accounts can be seen only by this computer.

Step 2 asks you to remove abc from local admin, and you tried to add him in?

"Users" or "Domain Users" is a built-in group whose membership is determined on the fly; you can't really change that, and it isn't necessary either.
Ideally, all normal users should be created as plain user accounts, no more, no less. You don't add them to Power Users, let alone Domain Admins. Then you grant them permissions as appropriate.

Normally a user should always use his/her domain account to log into the domain. His/her domain account could or could not be a member of the local admin ("Administrators") group of his/her own workstation, depending on your preference, but none of the normal users should be a member of Domain Admins except those you select to be.

Author Comment by:rrajani
ID: 18819712
Hypercat: so in step 4, you are telling me to add the same domain user 'abc' on the local workstation as well, and make him a member of the Power Users, restricted, or Users group?

Author Comment by:rrajani
ID: 18819900
OK, so:

1. Removed domain user abc from the Domain Admins group.
2. On the local workstation, made sure that the domain Administrator account and the Domain Admins group are members of the local Administrators group and no user account was in this group.
3. Logged on to the local workstation with admin rights, added domain user 'abc' on the local machine and made him a member of the Power Users group.

It is working fine. I am going to monitor for a few days and make sure he is able to use all the programs on that workstation.

Expert Comment by:Hypercat (Deb)
ID: 18820640
Rrajani, sounds like you've got it correct.  Just to clarify, I'm telling you to add the domain user account itself to the local Power User group.  I think that's what you're doing, but I wanted to be sure that you understand I'm not telling you to create a local user account that is the same as the domain user account.  You just click the Add button for the Power User group, and select the already-existing AD user account to add it to the group. You can also just add the AD Domain Users security group on the workstations if you want all of the domain users to be able to log on to any workstation on the domain.

Author Comment by:rrajani
ID: 18820723
What is the difference if you add a domain user via Control Panel | User Accounts or via clicking the Add button for the Power Users group? I tried both and it does the same thing.

By making the user a member of the Power Users group on the local machine, the UPS Online WorldShip software is giving errors and I had to make them members of the Admin group on the local machine.

Any suggestions?

Expert Comment by:mattyfonz
ID: 18820945
A quicker and more efficient way of adding all your domain users to the Power Users group is to use the
Restricted Groups group policy under Computer Settings / Windows Settings / Security Settings.
Add a new group called Power Users and add the Domain Users group as a member of this group. Then restart your client machines to refresh group policy. That way all domain users are automatically added to the Power Users group when the machine boots up instead of you manually adding users on each machine.
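What that Restricted Groups setting actually writes is the [Group Membership] section of the GPO's GptTmpl.inf (under MACHINE\Microsoft\Windows NT\SecEdit in the policy folder). The fragment below is an added example, not from the thread, and `<domain-SID>` stands in for the real domain SID. It is shown because the two keys have different semantics, and the difference matters once you also use the setting to clean up local Administrators:

```ini
; Added example, not from the original thread. <domain-SID> is a placeholder.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; "Members" is authoritative: at every policy refresh the local group is made to
; contain exactly this list. For Power Users (S-1-5-32-547) that is mattyfonz's
; setup, with Domain Users (RID 513) as the only member.
*S-1-5-32-547__Members = *S-1-5-21-<domain-SID>-513
*S-1-5-32-547__Memberof =
; The same form applied to Administrators (S-1-5-32-544) strips every member not
; listed here (local accounts the ex-admin created, vendor service accounts); the
; built-in local Administrator account is kept regardless.
*S-1-5-32-544__Members = *S-1-5-21-<domain-SID>-512
*S-1-5-32-544__Memberof =
; "Memberof" is additive. This alternative (use it INSTEAD of the first pair of
; lines, not together with them) adds Domain Users to Power Users while leaving
; whatever else is already in Power Users untouched:
; *S-1-5-21-<domain-SID>-513__Memberof = *S-1-5-32-547
```

Use the authoritative form for Administrators on purpose, since enforcing "Domain Admins only" every refresh is exactly the control the question is after, but be aware that it also removes any per-machine local admin you later add by hand, such as the WorldShip workaround discussed below, at the next refresh. The additive form is the safer choice for Power Users when some machines have legitimate extra members.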

Expert Comment by:Hypercat (Deb)
ID: 18823608
No difference, I just find the Computer Mgmt. console more flexible and direct than the Control Panel Wizard.  As far as the UPS application, I'm afraid that's typical.  I've run across a number of third party applications, usually not really designed for a network environment, that have the same problem.  Sometimes you can get around it if you can identify the registry keys that are required and give the Power Users group permissions to just those registry keys.  However, that takes some work and in some cases it's just impossible to identify all of them.  Another workaround is to make them local admins, install the application under their logon, and then remove them from the local admins group.  Sometimes that works.  At least making them local administrators is a lot better than having them as members of the Domain Admins group!
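The "identify the registry keys and grant Power Users permission to just those" approach, which is also the Process Monitor procedure quoted in the question (steps 4 to 8), is what the following script automates. It is an added example, not code from the thread or from any vendor: it reads a Process Monitor CSV export (File > Save..., CSV format), keeps the ACCESS DENIED events of the problem program, and emits one narrow ACL grant per distinct path. The process name, the paths in the constructed sample and the choice of BUILTIN\Users as the grantee are placeholders; it assumes PowerShell 5.1 or later in an elevated session.

```powershell
# Added example (not from the original thread or any vendor). Converts a Process
# Monitor CSV export into the minimal set of ACL grants that lets a non-admin run
# the program, instead of putting the user in local Administrators.
# Assumptions: PowerShell 5.1+, run elevated; process name, paths and grantee are
# hypothetical placeholders.
$ProcessName = 'ShippingApp.exe'   # value from Procmon's "Process Name" column
$Principal   = 'BUILTIN\Users'     # or 'BUILTIN\Power Users'
$DryRun      = $true               # set to $false to actually change ACLs

# Constructed sample in Procmon's CSV export layout. For real use:
#   $events = Import-Csv .\Logfile.CSV
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:14:02.1234567 AM","ShippingApp.exe","2140","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\ShippingApp","ACCESS DENIED","Desired Access: All Access"
"10:14:02.1234600 AM","ShippingApp.exe","2140","RegSetValue","HKLM\SOFTWARE\ExampleVendor\ShippingApp\LastUser","ACCESS DENIED","Type: REG_SZ, Length: 8, Data: abc"
"10:14:02.1250000 AM","ShippingApp.exe","2140","CreateFile","C:\Program Files\ExampleVendor\ShippingApp\app.log","ACCESS DENIED","Desired Access: Generic Write"
"10:14:02.1260000 AM","ShippingApp.exe","2140","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read"
"10:14:02.1270000 AM","explorer.exe","1320","RegOpenKey","HKLM\SOFTWARE\ExampleVendor","ACCESS DENIED","Desired Access: All Access"
'@
$events = $sample | ConvertFrom-Csv

# 1. Only denials from the problem program. A Reg*Value operation reports
#    Key\ValueName, but registry ACLs live on keys, so drop the value name.
$deniedPaths = $events |
    Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
    ForEach-Object {
        if ($_.Operation -match '^Reg.*Value$') { Split-Path $_.Path -Parent } else { $_.Path }
    } |
    Sort-Object -Unique

# 2. Procmon writes HKLM\...; the PowerShell registry provider wants HKLM:\...
function ConvertTo-ProviderPath([string]$Path) {
    $Path -replace '^(HKLM|HKCU|HKU|HKCR)\\', '$1:\'
}

# 3. One narrow grant per path: read+write on the key (not Full Control), Modify on
#    the file or, if the file does not exist yet, on its parent folder.
function Grant-LeastPrivilege([string]$Path, [string]$Identity, [bool]$DryRun) {
    $target = ConvertTo-ProviderPath $Path
    if ($target -match '^HK[A-Z]+:\\') {
        $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $Identity,
            [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey',
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    } else {
        if (-not (Test-Path -LiteralPath $target)) { $target = Split-Path $target -Parent }
        $inherit = if (Test-Path -LiteralPath $target -PathType Container) {
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        } else { [System.Security.AccessControl.InheritanceFlags]::None }
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Identity,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            $inherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    }
    if ($DryRun) { "would grant $Identity on $target"; return }
    $acl = Get-Acl -LiteralPath $target
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $target -AclObject $acl
}

foreach ($p in $deniedPaths) { Grant-LeastPrivilege -Path $p -Identity $Principal -DryRun $DryRun }
```

Run it in dry-run mode first, apply, then repeat the Procmon capture as the user: a program that fails at a later step only shows the next denial after the first one is fixed, which is the "impossible to identify all of them" problem Hypercat mentions. The residual risk of the result is also visible in the grants themselves: write access for Users on a vendor key under HKLM\SOFTWARE lets any user of that machine change the program's configuration, which is far less than local Administrators, and incomparably less than Domain Admins, but not nothing.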