Active Directory - Power User Issue

  • Question

  • Hi Guys, 

    I have some problems with power users group. I have added the power user group to the restricted group but I still don't see the necessary privileges available to power users. 

    Here is how I have setup the power users. 

    My set up 

    1 Server that's on the domain (testdom.com)

    2 Computers (testpc1, testpc2)

    I have created a child OU(powerusercomputer) inside the (testdom.com) OU and inside that I have created 2 users (user1, user2), 1 group (power_users) and moved the computers to that OU(powerusercomputer). I added the 2 users to the power_users group. 

    After this, I right click on the (powerusercomputer) OU and get to group policy. I create a new group policy named "power users group test". I go to this option "Restricted Groups" which is available in computer configuration --> windows settings --> security settings --> Restricted groups --> add group. I add the power user group and in the option available at members of this group, I add user1 and user2. 

    Then I start editing the "user configuration" on what all permissions they would get. Some of them are "Ability to rename LAN connections or remote access connection", Ability to enable/disable a lan connection, ability to rename lan connections, etc. 

    After applying the policy, I do a gpupdate /force at workstation to see if it has applied the GP settings but I don't see the above changes for power users. 

    What am I doing wrong??

    What I don't understand in doing all this is that, how would a GPO know what all computers this settings would apply. I understand the settings being applied to a user. 

    If the information I have provided does not make sense, please let me know. I will explain it in a different way. But above is the way I have set up the power user group. 

    I am new to active directory and trying to learn all of this by testing it in a test domain. 

    If anyone of you guys have a walk through document on how to set up a power user group. It would be great. That would clear most of my doubts. 

    Looking forward to experts' response. 

    Thx

    Mhndr

    Thursday, April 8, 2010 2:07 PM

All replies

  • If you just want to add user1 and user2 to your power_users group within Active Directory you can just add them directly to the group.  You wouldn't need to use restricted groups for that.  Florian has a great blog entry on restricted groups here:

    http://www.frickelsoft.net/blog/?p=13

    Is your goal to add those users to the power users group on the local workstation?

    Within your AD are user1 and user2 in the powerusercomputer OU?

    How the GPO knows what computers to apply to depends on the GPO and where you have it linked, what settings you have defined and if there are any security filters.

    So in your case if you have two computers in the powerusercomputer OU and have the GPO with computer settings defined then those settings would apply to only those computers within that GPO.

     

    Thanks

    Mike


    http://adisfun.blogspot.com
    Thursday, April 8, 2010 2:41 PM
  • Hello,

    The Power Users group is a built-in group that has specific roles assigned to the members of that group on a local machine. "Power Users possess most administrative powers with some restrictions.  Thus, Power Users can run legacy applications in addition to certified applications"

    So once you add users to this group, you do not need any additional user configuration.

    Now, on the Restricted group,

    computer configuration --> windows settings --> security settings --> Restricted groups --> Right click and add the Group "Power Users" and then add "power_users" group in the add members of this group, and you are set to go.

    I have a blog post on restricted groups, so you can look at it, you can follow all the steps and only replace Administrators with Power Users and WksAdmins with "power_users" and you are set.

     

    On your last question, once you link the GPO to the powerusercomputer OU that contains testpc1 and 2, those will be the only PCs that the GPO will apply to.

     

    Hope this helps,


    Isaac Oben MCITP:EA, MCSE
    • Marked as answer by Mhndr Thursday, April 8, 2010 6:28 PM
    Thursday, April 8, 2010 2:45 PM
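
An added example, not part of any poster's reply and not Microsoft code: a Python audit of the `[Group Membership]` section that a Restricted Groups setting writes to a GPO's `GptTmpl.inf` (under `Machine\Microsoft\Windows NT\SecEdit`), contrasting the layout described in the answer above (built-in Power Users with power_users as a member) with the one in the original question. The domain SID, the sample file contents and the function names are constructed for illustration.

```python
import re

# Well-known SIDs of built-in local groups (identical on every Windows machine).
BUILTIN = {"S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
           "S-1-5-32-547": "Power Users"}

# Made-up placeholder SID standing in for the thread's domain group power_users.
POWER_USERS_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed sample of a GptTmpl.inf [Group Membership] section.
# First pair: built-in Power Users with power_users as member (the answer).
# Second pair: the domain group itself listed with user1/user2 (the question).
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *{POWER_USERS_DOMAIN_SID}
*{POWER_USERS_DOMAIN_SID}__Memberof =
*{POWER_USERS_DOMAIN_SID}__Members = user1,user2
"""

ENTRY = re.compile(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.IGNORECASE)

def parse_restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        match = ENTRY.match(line)
        if not (in_section and match):
            continue
        group = match.group(1).lstrip("*")
        values = [v.strip().lstrip("*") for v in match.group(3).split(",") if v.strip()]
        groups.setdefault(group, {"members": [], "memberof": []})[match.group(2).lower()] = values
    return groups

def audit(groups):
    """Flag what each entry does to local groups on the computers in GPO scope."""
    findings = []
    for group, cfg in groups.items():
        if group in BUILTIN and cfg["members"]:
            # "Members of this group" is authoritative: unlisted members are removed.
            findings.append((BUILTIN[group], "local membership replaced", cfg["members"]))
        elif group not in BUILTIN and not cfg["memberof"]:
            # A non-built-in group with no "member of" entry feeds no local group.
            findings.append((group, "adds nobody to a built-in local group", cfg["members"]))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_restricted_groups(SAMPLE_INF)):
        print(finding)
```

Because a "Members of this group" entry replaces the local group's membership on every computer in scope, review the first kind of finding before linking the GPO more widely.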
  • Hey Mike,

    Yes, the idea is to add the power users group on the local workstation. 

    Do I have to define the policy settings for the local workstation when I set the GPO or does it have a default setting?

    The server that I am using is windows server 2003 and I don't see a default power users group available.

     

    I didn't get the first sentence you mentioned. 

    Can you please go through it in a detailed way??

    "If you just want to add user1 and user2 to your power_users group within Active Directory you can just add them directly to the group.  You wouldn't need to use restricted groups for that.  Florian has a great blog entry on restricted groups here:"

    From what you said above, does it mean that there is no need to create a power_users group and adding users? Instead I could just create 2 users and in restricted group I add the users?? Is that the way I should go about this? But then, the option I get when I right click restricted group is "Add Group" option. How does that work??

    Thanks for your reply. I have been breaking my head with this thing for some time. If I can make a basic power user setting group workable then I can build on to it. 

    I will look forward to your reply. 

    Thx

    Mhndr

    Thursday, April 8, 2010 3:04 PM
  • Hey Isaac, 

    Thanks for your reply. 

    Where do I find a power users group in windows server 2003? I can see that option available in Win XP, Vista and so on. But I don't see it in the server 2003. That is the main reason I am creating a power_user group and adding the members there. 

    Can you please give me your blog information so that I can see how to setup a basic power user group??

    I will look forward to your reply. 

    Thx

    Mhndr

    Thursday, April 8, 2010 3:07 PM
  • Do you want that group you created called Power_users to be a member of the local power user group on workstations?  If that is the goal, use the steps Isaac outlined.

    You won't see power users on your domain controller because that group doesn't exist on the domain level.  The way you did it by creating the group in the domain is fine.   I think my explanation was a little confusing.  This is one of those times I wish we had a virtual white board.

    Thanks

    Mike


    http://adisfun.blogspot.com
    Thursday, April 8, 2010 3:18 PM
  • Isaac, 

    I tried what you have mentioned above. When I try to add the power users group I get a message saying that "An object named power users cannot be found". This is a little confusing to me. I am using server 2003 and as Mike said, there is no built in power user group available in server 2003 as Win XP, Vista, etc. 

    How do I go about this??

    I am sorry, but I have been trying this one for some time but I just have so many questions that it's hard for me to find information about it in any book. 

    Most of the books that I have referred don't have any detailed information on how this one works. 

    Please reply at your earliest. 

    Thx

    Mhndr

    Thursday, April 8, 2010 3:28 PM
  • Hey Mike, 

    I'm trying to learn all of this on my own. I know when you say white board, some of these would easily make sense. If someone can give me information on how the flow of Power User group is from an OU from the domain to how it applies in a local workstation and what goes in between all of this, it would be great. 

    Thanks again for your reply. This thing has been my priority for some time to learn. 

    Mhndr

    Thursday, April 8, 2010 3:32 PM
  • Install GPMC (http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en)  on one of your XP workstations or one of domain member servers. Make sure you are logged on with your Domain Admin user account. Then edit the GPO through which you want to apply Restricted Group policy by following instructions provided by Isaac (or the article from Florian referenced by Mike)

    hth
    Marcin

    Thursday, April 8, 2010 4:03 PM
  • Hello,

    If your windows server 2003 is a domain controller, then as Mike said, there is no "Power Users" group, but if it is a member server, there is a Power Users group. For domain servers, you can use the equivalent which is "Server Operators" group.

    So, what exactly or what functions/role do you want these users to have?


    Isaac Oben MCITP:EA, MCSE
    Thursday, April 8, 2010 4:17 PM
  • Hi Isaac, 

    I don't see the Server Operators Group in the domain controller. 

    I have only one server where I am trying it on. 

    The other question I have is... Where would I find the default Power User Group if I have a member server? Is it builtin or do I have to create it?

    Some of the roles I want this group users to be assigned is the ability to be able to change network settings, disable and enable network connection, change the properties of the LAN connection and so on. These are some of it. If I get one of them working, I would add on to it.

    Can you also please send me your blog information. 

    Thx

    Mhndr

    Thursday, April 8, 2010 4:34 PM
  • Power Users is the built-in group on any non-domain Windows computers. Launch Local Users and Groups console and you should be able to locate it fairly quickly...

    Once again, you should be able to use the Restricted Groups functionality (as described earlier by both Isaac and Mike) - and apply it to Power Users - as long as you run it from a workstation or a domain member server...

    hth
    Marcin

    • Proposed as answer by Isaac Oben Thursday, April 8, 2010 5:35 PM
    • Marked as answer by Mhndr Thursday, April 8, 2010 6:27 PM
    Thursday, April 8, 2010 4:48 PM
  • Does that mean that I have to manually add the specified users in all the local workstation power user groups??

     

    Thursday, April 8, 2010 4:59 PM
  • You have two options:

    - add the specified users manually to all the workstations Power Users group (not practical if you have a lot of computers)

    - use Restricted Group Policy setting (recommended approach)

    hth
    Marcin

    • Marked as answer by Mhndr Thursday, April 8, 2010 6:27 PM
    Thursday, April 8, 2010 5:02 PM
  • Hello,

    As Marcin repeated, you can use restricted groups to add users to the "Power Users" group. Here is the information on how:

    http://www.isaacoben.com/2009/10/03/how-to-control-memberships-for-local-computers-builtin-groups/

     

    Also, to find the default power users group on a member server, select My computer, right click, choose manage and expand systems tools, Local Users and Groups, Groups and you should see the Power Users Group

     

    What version of windows are you working on?


    Isaac Oben MCITP:EA, MCSE
    • Proposed as answer by Isaac Oben Thursday, April 8, 2010 5:34 PM
    • Marked as answer by Mhndr Thursday, April 8, 2010 6:27 PM
    Thursday, April 8, 2010 5:07 PM
  • It all makes sense now.. 

    The latter is the best option for automation. 

    Thx for ur help

    Mhndr

    Thursday, April 8, 2010 5:23 PM
  • I am using Server 2003 and the workstations that I'm testing are all Windows XP. 

    One last question guys...

    Say, I have added the group to the restricted groups in computer configuration of domain controller group policy. 

    I don't need to play with any of the computer configuration settings? Is that correct??

    All I would need to do is to specify the necessary privileges in "User Configuration" and that user would have the ability to manage all the computers across the domain. Is that correct??

    Provided the computers are available in that OU? Right??

     

    Thursday, April 8, 2010 5:52 PM
  • You wouldn't link this GPO at the domain controller OU level or make the changes in the default domain controller policy.

    Link the restricted group GPO where it will affect the computers you wish the changes to be on (domain or OU level)

    If you make changes to user configuration portions of the GPO that policy has to be linked at a location where it flows to the users.

     

    Thanks

     

    Mike


    http://adisfun.blogspot.com
    • Marked as answer by Mhndr Thursday, April 8, 2010 6:27 PM
    Thursday, April 8, 2010 6:11 PM
  • That completely makes sense. 

    You guys are great... 

    I got answers for all of my questions. 

    Great job you all.. Keep up the good work. 

    Thanks all of you..

    Mhndr

    Thursday, April 8, 2010 6:27 PM