user accounts and groups

I have a question on user accounts. We have a W2k3 server and 60 desktops.
At present we have 60 users who are members of the Domain Admins and Domain Users groups on the server. This is how it was configured by my predecessor. My goal is to remove the users from Domain Admins so that I can control the security on the desktops. What I need to understand is, say, for example:
user 'abc' is a member of the Domain Admins and Domain Users groups on the server, but user 'abc' is not set up as a user in 'User Accounts' on the local desktop 'desktop-01'. I had posted a question on the forum this week and accidentally closed it.

shift-3 responded as follows:
Response 1: Try making the INTERACTIVE user a member of the Power Users group on the workstations. See if this allows the programs to run. If not, what specific programs aren't working? Try running a utility like Process Monitor to determine which files and registry keys the users need access to, then grant access to just those specific items.

Response 2: User abc should just have basic user rights on the workstation. Here's the way it should go:
1. Remove user abc from the Domain Admins group in Active Directory Users and Computers on the server.
2. Remove user abc (and any groups he/she belongs to) from the Administrators and Power Users groups on the workstation.
3. Log onto the workstation as user abc.
4. Run Process Monitor.  It sits in the background and watches to see what files and registry keys are being accessed.
5. Run one of the problem programs.  You should get an error.
6. As soon as you get the error, stop capturing in Process Monitor by clicking the magnifying glass button on the toolbar.
7. Sift through the entries to see what files and registry keys the user was unable to access.
8. Grant Domain Users permission to access those files and keys.  They should then be able to run the program without being in the Administrators or Power Users groups.
I tried step 1 (removed the user from the Domain Admins group) and step 2 (added user 'abc' on the local machine as a user). Which domain should I select when I am adding a user, the server domain or the local machine domain? It is not allowing me to include this user in the local machine domain. I am kind of lost.
If you are adding a local account (not set up in AD), your domain would be the name of the computer...
I take that back... I don't add local accounts through the Control Panel. Right-click My Computer and go to "Manage".

Navigate to "Local user accounts" and the folder "Users" and add it there.... Much easier.
Hypercat (Deb) commented:
If I'm understanding correctly, what you're trying to do is set up the users correctly so that they (1) do NOT have Domain Admin membership; and (2) have access and appropriate rights on their workstations.  You need to do two things:

1.  In AD Users and Computers, in the user's properties/Member Of tab, remove the "Domain Admins" group.
2.  On the workstation, log on with an account that DOES have domain administrator rights.  Then go to Computer Management Console/System Tools/Local Users and Groups.  
3. Open the Administrators Group and make sure that both the domain Administrator account and the Domain Admins group are part of the local Administrators group. Make sure that the user's account, whether local or domain-level, is NOT in this group.
4.  Now you have a choice.  If you want the user to be able to run most programs without any potential permissions issue, add them to the Power Users group.  If you want their local permissions to be more restricted, add them to the Users group.  In either case, you want to select the domain, not the local machine, as the source and select the user's domain account.  Do NOT add a local user account; it's just additional work and not necessary.

That should cover the basic issue you've described.  If, after adding them to the Power Users group on the workstation you still have issues running certain programs, you can add them (again using their domain user account) to the local Administrators group on the workstation if absolutely necessary.  
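The four steps above, as an added example that is not part of the original thread: the same membership changes done from PowerShell rather than the AD Users and Computers and Computer Management consoles, followed by a report of the resulting local group membership. The domain name CONTOSO and the user abc are placeholders; the script assumes a Windows 10 / Server 2016 or later workstation with the Microsoft.PowerShell.LocalAccounts module and the RSAT ActiveDirectory module (the W2k3-era clients in the thread would need net group / net localgroup instead), run elevated under an account that is still a local administrator.

```powershell
# Added example, not from the original thread: Hypercat's steps 1-4 for one
# user on one workstation, done from PowerShell instead of the MMC consoles.
# Assumptions (placeholders, not from the thread): domain NetBIOS name CONTOSO,
# user abc; ActiveDirectory (RSAT) and Microsoft.PowerShell.LocalAccounts
# modules available; run elevated under an account that is still a local admin.
param(
    [string]$Domain = 'CONTOSO',
    [string]$User   = 'abc',
    [switch]$PowerUser   # also add the domain account to local Power Users
)
Import-Module ActiveDirectory
$account = "$Domain\$User"

function Test-LocalGroupMember([string]$Group, [string]$Member) {
    # -ErrorAction SilentlyContinue: an orphaned SID left in the group makes
    # Get-LocalGroupMember throw and would otherwise abort the whole script.
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -eq $Member })
}

# Step 1: remove the account from Domain Admins in AD. Domain Users is the
# account's primary group, so that membership is implicit and stays.
if (Get-ADGroupMember -Identity 'Domain Admins' | Where-Object { $_.SamAccountName -eq $User }) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $User -Confirm:$false
}

# Steps 2-3: local Administrators must hold the domain Administrator account
# and Domain Admins, and must not hold the user directly.
foreach ($required in "$Domain\Administrator", "$Domain\Domain Admins") {
    if (-not (Test-LocalGroupMember 'Administrators' $required)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $required
    }
}
foreach ($g in 'Administrators', 'Power Users') {
    if (Test-LocalGroupMember $g $account) {
        Remove-LocalGroupMember -Group $g -Member $account
    }
}

# Step 4: add the existing *domain* account, never a new local one. The user
# can already log on as a standard user, because the local Users group has
# held Domain Users since the machine joined the domain; only Power Users
# needs an explicit add.
if ($PowerUser -and -not (Test-LocalGroupMember 'Power Users' $account)) {
    Add-LocalGroupMember -Group 'Power Users' -Member $account
}

# Report the end state for review. A direct membership check does not resolve
# nesting: if abc sits in some other domain group that is itself a member of
# local Administrators, the user is still an administrator on this machine.
foreach ($g in 'Administrators', 'Power Users', 'Users') {
    [pscustomobject]@{
        Group   = $g
        Members = (Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue).Name -join ', '
    }
}
```

To confirm from the user's side, log on as abc and run `whoami /groups`: the Administrators SID S-1-5-32-544 must no longer appear in the token. One caveat on the Power Users choice: on Windows XP-era clients Power Users had write access under Program Files and HKLM\SOFTWARE and is well documented as escalatable to full administrator, so it is a convenience for legacy applications rather than a security boundary; on Windows Vista and later the group carries no extra privileges by default, so adding a user to it changes nothing.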


When you select the domain, it lists domain accounts only; these accounts can be seen by both the domain and the computers that are in the domain.
Similarly, when you select the computer name, it lists local machine accounts only; these accounts can be seen only by this computer.

Step 2 asks you to remove abc from local admin, and you tried to add him in?

"Users" or "Domain Users" is a built-in group whose membership is determined on the fly; you can't really change that, and it isn't necessary either.
Ideally, all normal users should be created as plain user accounts, no more, no less. You don't add them to Power Users, let alone Domain Admins. Then you grant them permissions as appropriate.

Normally a user should always use his/her domain account to log into the domain. His/her domain account may or may not be a member of the local admin ("Administrators") group of his/her own workstation, depending on your preference, but none of the normal users should be members of Domain Admins except those you select to be.
rrajani (Author) commented:
Hypercat: so in step 4, you are telling me to add the same domain user 'abc' on the local workstation as well, and make him a member of the Power Users, restricted or Users group?
rrajani (Author) commented:
OK, so...

1. Removed domain user abc from the Domain Admins group.
2. On the local workstation, made sure that the domain Administrator account and the Domain Admins group are members of the local Administrators group and no user account was in this group.
3. Logged on to the local workstation with admin rights, added domain user 'abc' on the local machine and made him a member of the Power Users group.

It is working fine. I am going to monitor for a few days and make sure he is able to use all the programs on that workstation.
Hypercat (Deb) commented:
Rrajani, sounds like you've got it correct.  Just to clarify, I'm telling you to add the domain user account itself to the local Power User group.  I think that's what you're doing, but I wanted to be sure that you understand I'm not telling you to create a local user account that is the same as the domain user account.  You just click the Add button for the Power User group, and select the already-existing AD user account to add it to the group. You can also just add the AD Domain Users security group on the workstations if you want all of the domain users to be able to log on to any workstation on the domain.
rrajani (Author) commented:
What is the difference if you add a domain user via Control Panel | User Accounts or via clicking on the Add button for the Power Users group? I tried both and it does the same thing.

By making the user a member of the Power Users group on the local machine, the UPS Online WorldShip software is giving errors and I had to make them members of the Admin group on the local machine.

Any suggestions?
A quicker and more efficient way of adding all your domain users to the Power Users group is to use the
Restricted Groups group policy under Computer Settings / Windows Settings / Security Settings.
Add a new group called Power Users and add the Domain Users group as a member of this group. Then restart your client machines to refresh Group Policy. That way all domain users are automatically added to the Power Users group when the machine boots up instead of you manually adding users on each machine.
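Two things a practitioner would want alongside the Restricted Groups suggestion above. First, a caveat on semantics: defining "Power Users" in Restricted Groups and listing Domain Users under "Members of this group" makes Group Policy enforce that list exactly, removing any other member at every refresh; defining "Domain Users" instead and setting "This group is a member of: Power Users" is additive and leaves existing members alone. Second, once the policy has applied, something has to verify what the workstations actually contain, including the UPS-style "just make them a local admin" exceptions. The audit below is an added example, not part of the original thread; CONTOSO is a placeholder domain name, and it assumes WinRM is enabled on the clients (Enable-PSRemoting), the clients are current Windows versions with the LocalAccounts module, and the admin host has the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original thread: after the Restricted Groups
# policy has applied, list who is actually in local Administrators and Power
# Users on every workstation and report anything outside the intended set.
# Assumptions (placeholders): domain NetBIOS name CONTOSO; workstations run a
# current Windows client with the LocalAccounts module and WinRM enabled;
# the admin host has the RSAT ActiveDirectory module.
$domain = 'CONTOSO'

# Intended membership. The local built-in Administrator is matched by RID 500
# further down, because its Name carries each machine's own computer name.
$expected = @{
    'Administrators' = @("$domain\Administrator", "$domain\Domain Admins")
    'Power Users'    = @("$domain\Domain Users")
}

# Filter is a placeholder for "the workstations"; adjust to your naming or OU.
$computers = Get-ADComputer -Filter 'OperatingSystem -like "Windows 1*"' |
             Select-Object -ExpandProperty Name

$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    foreach ($g in 'Administrators', 'Power Users') {
        try {
            # -ErrorAction Stop turns an orphaned SID (deleted account still
            # listed) into a catchable error instead of a silently partial list.
            Get-LocalGroupMember -Group $g -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{ Group = $g; Member = $_.Name; Class = $_.ObjectClass; Sid = $_.SID.Value }
            }
        } catch {
            [pscustomobject]@{ Group = $g; Member = "<unreadable: $($_.Exception.Message)>"; Class = 'Error'; Sid = '' }
        }
    }
}

# Flag every member that is neither on the expected list nor the machine's own
# built-in Administrator (S-1-5-21-<machine>-500).
$unexpected = $members | Where-Object {
    -not ($_.Member -in $expected[$_.Group] -or
          ($_.Group -eq 'Administrators' -and $_.Sid -like 'S-1-5-21-*-500'))
}

$unexpected |
    Select-Object PSComputerName, Group, Member, Class |
    Sort-Object Group, PSComputerName |
    Format-Table -AutoSize

# Machines that returned nothing were unreachable, not clean: report them too.
$reached     = $members.PSComputerName | Select-Object -Unique
$unreachable = $computers | Where-Object { $_ -notin $reached }
$unreachable | ForEach-Object { "Unreachable: $_" }
```

Run it on a schedule and keep the output: every direct local-admin entry that survives the cleanup (like the WorldShip machine in this thread) should be a known, documented exception, and a domain group that reappears in Administrators on many machines usually means a GPO or imaging template is putting it there.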
Hypercat (Deb) commented:
No difference, I just find the Computer Mgmt. console more flexible and direct than the Control Panel Wizard.  As far as the UPS application, I'm afraid that's typical.  I've run across a number of third party applications, usually not really designed for a network environment, that have the same problem.  Sometimes you can get around it if you can identify the registry keys that are required and give the Power Users group permissions to just those registry keys.  However, that takes some work and in some cases it's just impossible to identify all of them.  Another workaround is to make them local admins, install the application under their logon, and then remove them from the local admins group.  Sometimes that works.  At least making them local administrators is a lot better than having them as members of the Domain Admins group!
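Both response 2's step 8 in the opening post and Hypercat's suggestion just above come down to the same least-privilege move: take the ACCESS DENIED rows from Process Monitor and grant access on exactly those paths and keys to a group, rather than making the user an administrator. The script below is an added example, not code from the thread or from any of its participants. The folder C:\Program Files\LegacyApp and the key HKLM:\SOFTWARE\LegacyApp are placeholders standing in for whatever Process Monitor actually named, CONTOSO is a placeholder domain, and it assumes a current Windows client with PowerShell 5 or later, run elevated on the workstation (on the W2k3-era clients in the thread the same grants would be made with cacls and regedit's Permissions dialog).

```powershell
# Added example, not from the original thread: grant Domain Users only the
# specific folder and registry key that Process Monitor showed as ACCESS
# DENIED, instead of adding the user to Administrators or Power Users.
# Assumptions (placeholders): domain NetBIOS name CONTOSO; the folder and key
# below stand in for the paths Process Monitor reported; run elevated.
param(
    [string]$Domain = 'CONTOSO',
    [string]$Folder = 'C:\Program Files\LegacyApp',
    [string]$RegKey = 'HKLM:\SOFTWARE\LegacyApp'
)
$principal = "$Domain\Domain Users"

# 1. File system: Modify (read, write, delete below the folder), inherited by
#    subfolders and files. Deliberately not FullControl, so the user cannot
#    change permissions or take ownership.
$acl  = Get-Acl -Path $Folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $principal,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2. Registry: let the application read and write its own values and create
#    subkeys, but not rewrite the key's DACL (no ChangePermissions/TakeOwnership).
$regRights = [System.Security.AccessControl.RegistryRights]::ReadKey -bor
             [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey
$regAcl  = Get-Acl -Path $RegKey
$regRule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $principal,
    $regRights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegKey -AclObject $regAcl

# 3. Show the resulting ACEs for review. Any entry for Domain Users wider than
#    the two above means the grant went beyond what Process Monitor justified.
foreach ($p in $Folder, $RegKey) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $principal } |
        Select-Object @{ n = 'Path'; e = { $p } }, FileSystemRights, RegistryRights, InheritanceFlags, IsInherited
}
```

In Process Monitor, filter on Result is ACCESS DENIED and Process Name is the application's executable before sifting; that usually reduces the capture to a handful of paths. Check what those paths are before granting: giving every domain user Modify on a directory that holds the application's executables or DLLs lets any of them replace code that may later run as another user (a service, a scheduled task, an administrator opening the same program), which turns a permissions fix into a local privilege escalation. Prefer to grant write only on the data or configuration subfolder and the application's own key, and if the application insists on writing into its program directory, relocating that data is cleaner than loosening the ACL.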