Giving Windows NT Workstation Domain Users the Local Power User Privileges

  • Article
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Published: June 1, 1997

Exploring Windows NT

A Publication of The Cobb Group

Windows NT Workstation contains a special group called the Power Users group that includes far more privileges than an NT domain's Users group. A Windows NT Workstation allows you to do the following if you're a member of the workstation's Power Users group:

  • Log on locally

  • Shut down the system

  • Access this computer from the network

  • Change the system time

  • Force shutdown from a remote system

  • Create and manage user accounts

  • Create and manage local groups

  • Lock the computer

  • Create common groups

  • Keep a local profile

  • Share and stop sharing directories

  • Share and stop sharing printers

Members of the Users group don't have the last two privileges: They can't share and stop sharing directories or printers.

Many workstation users depend on these rights. However, the Power Users group isn't available on a Windows NT domain. Therefore, it's understandable that existing Power Users may not want to join an NT domain if it means losing the majority of their local workstation rights when they log in to the domain instead of their local workstation as a member of the default Domain Users group.

It may seem as though it's an either/or situation where either Power Users will be unhappy if they log in to a domain, or domain administrators will be unhappy if workstations aren't registering with the domain. However, we've figured out a way to make both parties happy—by allowing Power Users to make a few changes on their local security accounts database on their NT machines so they can keep their rights and log in to the domain as well. We'll show you this technique in this article.

On This Page

The gist of it
A task for the power user or administrator
Conclusion

The gist of it

Each local Windows NT Workstation maintains its own user accounts. Although you may log in to an NT Workstation through the domain (using a centrally maintained user account), local accounts still apply. For example, suppose you're using Windows NT Workstation and you log in to an NT domain with the user name John_Doe, who belongs to the Domain Users group. Also, suppose that the local NT Workstation maintains an identical user called John_Doe with Power User privileges.

Although there are two different—albeit identical—accounts, John_Doe can log in to the domain through the workstation and extend his local Power User privileges to the workstation. Here you have the best of both worlds. Rather than needlessly duplicating accounts on both the domain and the workstation, we'll show you how to associate a single domain account to the workstation so a user can log in to a domain and still keep his local Power User privileges.

A task for the power user or administrator

First, log in to the Windows NT Workstation as a local or domain administrator or as a Power User. Then, run User Manager, as shown in Figure A.

Cc750298.ewn9763a(en-us,TechNet.10).gif

Figure A: Start the User Manager Application

Next, double-click the Power Users group. In the resulting Local Group Properties window shown in Figure B, click the Add… button.

Cc750298.ewn9763b(en-us,TechNet.10).gif

Figure B: These are the existing Power Users for this workstation.

Now, select the name of your domain from the List Names From dropdown list. Then, choose the Domain Users group from the Names list box, as shown in Figure C.

Cc750298.ewn9763c(en-us,TechNet.10).gif

Figure C: Add the domain's Domain Users group to the local workstation's Power Users group.

Finally, click the Add button and click OK. This gives any domain user Power User access to the workstation, as shown in Figure D.

Cc750298.ewn9763d(en-us,TechNet.10).gif

Figure D: Now domain users have Power-User access to the workstation.

Members of the Domain Users group in the NT domain can now log in to the Windows NT Workstation and receive Power User rights. We've added the domain users to the workstation merely as an example—you may not want to give your domain users Power User access to a Windows NT Workstation.

Conclusion

In this article, we've explained how NT keeps a user's domain and workstation privileges separate. We've shown you how you can get around this by combining these privileges using a single user account.

The article entitled "Giving Windows NT Workstation domain users the local power user privileges" was originally published in Exploring Windows NT, June 1997. Copyright © 1997, The Cobb Group, 9420 Bunson Parkway, Louisville, KY 40220. All rights reserved. For subscription information, call the Cobb Group at 1-800-223-8720.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement , and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.