
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 522
  • Last Modified:

Configure a user account in domain so that he can work any application.

I have installed Active Directory on a Win2003 Server SP2. Created one OU "test" with one user "amit".
I don't want to give this user any type of admin rights for the local machine nor in the domain. My problem is that this user work on application like autocad map5 or arcgis, or he can't work visual studio dot net.

Can you please help me with how I configure a user account and the privileges he needs so that he can work on all applications? Giving 150 users local machine admin rights is not a good idea.
AutoCAD needs admin rights; Power User rights do not work.
1 Solution
Stephen Manderson Commented:
Does the user use one machine in particular or specific machines?

Then grant the user local admin on specific machines he/she may use.

1. Right-click the "My Computer" icon and choose "Manage"
2. Go to "Local Users and Groups" and mark "Groups"
3. Mark and right-click the Administrators group and choose "Add to Group..."
4. Press the "Add" button and type the user name you want to add (make sure that the location field indicates your domain name, not the local machine)

Here's a link to a doc on running AutoCAD as a restricted user....


You just need to figure out what directories the user needs admin rights on and set them. Also what registry keys they need access to.

Hope this helps...
Stephen Manderson Commented:
Or you may want to add the user to a group and assign the group local admin rights on all machines; that way you can add users along the line.
The problem with giving the domain user admin rights is then the user has the rights to install/change anything they want on the local pc which, like in my environment and many others, is not allowed. Also he does not want the users to have admin rights locally or on the domain.
Stephen Manderson Commented:
That is indeed an issue. Another way you could do this would be to install the required software on the PCs the user would be using and give the user local permissions to access the folder in Program Files.

This is how I have got round issues such as this in the past. Albeit in an SBS environment, I have also disabled any user from the local admins.

With AutoCAD, you need to give the users the permission to edit certain registry keys. The last company I worked at used AutoCAD and we had to adjust permissions on the directories and add the registry keys to a GPO so AutoCAD could edit them. The link I posted above explains what needs to be done to allow this.
If you still want to go ahead and make those users local admins on their machines, there is a simple way forward, via Restricted Groups in GPO.

You will need to create a security group in AD called, e.g., "AutoCad Users", then make all these users members of that group, and then finally take advantage of the Restricted Groups feature.
This option can be found under
Computer Configuration/Windows Settings/Security Settings/Restricted Groups
Choose "Add Group" after you right-click on it.
The group name you enter will be the group that is restricted (Administrators).
Select the group and choose the allowed members (you want Administrator to be one of them, I assume here that you have not renamed the local admin account?) and also "AutoCad Users".
NOTE: Any group/user not specified above will be wiped out from Administrators.

If you want this domain group added to local Administrators only on those 150 workstations, then you will have no choice but to create an additional OU and move those machine accounts. There is also the option to use GPO filtering, but I guess the above would be better (no additional overhead because of filtering).
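
As an added example (not part of the original post or of any tool named in this thread), the Python check below reads a Restricted Groups security template and reports whether an entry replaces the local Administrators membership, as the NOTE above warns, or only adds a group to it. It assumes the GPO stores these settings in the template's `[Group Membership]` section as `<group>__Members` and `<group>__Memberof` lines; the SIDs and the `required_admins` list are constructed placeholders.

```python
# Added example: audit the [Group Membership] section of a Restricted Groups
# security template before the GPO is linked to an OU.
ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed template text; the S-1-5-21-1111-2222-3333 SIDs are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-500,*S-1-5-21-1111-2222-3333-1105
*S-1-5-21-1111-2222-3333-1106__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1106__Members =
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} from INF text."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        kind = kind.lower()
        if kind not in ("members", "memberof"):
            continue
        items = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(group, {"members": [], "memberof": []})[kind] = items
    return groups

def audit(text, required_admins):
    """Report entries that change who is in local Administrators."""
    findings = []
    for group, entry in parse_group_membership(text).items():
        if group == ADMINISTRATORS and entry["members"]:
            # "Members of this group": the list replaces existing membership,
            # so any required principal not listed is removed on the machine.
            missing = sorted(set(required_admins) - set(entry["members"]))
            findings.append(("replaces", group, missing))
        elif ADMINISTRATORS in entry["memberof"]:
            # "This group is a member of": adds the group, removes nothing.
            findings.append(("adds", group, []))
    return findings
```

Calling `audit(SAMPLE_INF, required_admins)` with the principals that must stay local administrators returns one tuple per entry; a non-empty third element on a "replaces" finding lists what the policy would remove.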

Go to the Program Files folder, or if the program is installed in another folder go to it, and open the security of this folder and give this user full control of the folder and subfolders. It will give him the right to open any application in the Program Files folder or the other folder you do this on.
tomar_10 Author Commented:
Well, I have tested by adding one machine to the restricted group. Now I am unable to log in to the domain from that machine; through any user I am not able to access the network. Please help me with how to get out. The error is access denied or unable to find user account.

All the comments I have received have something to do with the local machine. We have 150 machines, each has different applications, around 10 AutoCAD and Visual Studio. How will I manage admin rights for each machine?

Running AutoCAD does not need Administrator rights on the local PC.
