Remote User Management

[Eric]

Is there a way to manage user accounts on a remote computer?
It's on a 2003 Server network with all clients running XP Pro.
I tried Computer Management > Connect to another computer but that only
shows local users.
I want to delete users that are set up locally with a domain.

The only thing I could find is to right click the computer in Active
Directory and select Manage but that does absolutely nothing.
What a stupid feature...normally clicking on something shows something if
even an error message.
It doesn't do anything at all and doesn't tell me it tried to do anything
and had a problem.

 

[Seahawk60B]

Is there a way to manage user accounts on a remote computer?
It's on a 2003 Server network with all clients running XP Pro.
I tried Computer Management > Connect to another computer but that only
shows local users.
I want to delete users that are set up locally with a domain.

The only thing I could find is to right click the computer in Active
Directory and select Manage but that does absolutely nothing.
What a stupid feature...normally clicking on something shows something if
even an error message.
It doesn't do anything at all and doesn't tell me it tried to do anything
and had a problem.

User accounts would only exist in one of two places
1. Locally on the workstation/server, which you would indeed get to by
Computer Management > Connect to another computer
2. In the domain, which you would get to through Active Directory
Users and Computers, from either a DC or by installing the AD tools to
an XP workstation. But you would need to have the appropriate
administrative rights to manage domain user accounts.

 

[Eric]

User accounts would only exist in one of two places
1. Locally on the workstation/server, which you would indeed get to by
Computer Management > Connect to another computer
2. In the domain, which you would get to through Active Directory
Users and Computers, from either a DC or by installing the AD tools to
an XP workstation. But you would need to have the appropriate
administrative rights to manage domain user accounts.

The accounts are set up on the server in Active Directory.
Then I added those accounts as local users on the local machines.
Connect to another computer user management is only showing local accounts
on the local machines, not their domain accounts.
I have full admin rights to the domain.
Where would I find a tool to remove the user from their PC from my PC or the
server?

 

[Seahawk60B]

The accounts are set up on the server in Active Directory.
Then I added those accounts as local users on the local machines.
Connect to another computer user management is only showing local accounts
on the local machines, not their domain accounts.
I have full admin rights to the domain.
Where would I find a tool to remove the user from their PC from my PC or the
server?

What do you mean by "I added those accounts as local users on the
local machines"

You can add domain accounts to the local groups on the workstations,
but they won't show up as local user accounts, you would have to look
in the membership of each group and remove the users domain accounts.
Computer User management will only show local accounts and groups.

 

[Eric]

What do you mean by "I added those accounts as local users on the
local machines"

You can add domain accounts to the local groups on the workstations,
but they won't show up as local user accounts, you would have to look
in the membership of each group and remove the users domain accounts.
Computer User management will only show local accounts and groups.

I mean I physically went to each machine.
I selected Start > Settings > Control Panel > User Accounts.
It prompted, I entered: User name Administrator Password **** Domain
localmachinename
Then I got the screen with 2 tabs, Users and Advanced. I clicked Add.
It prompted User Name and Domain and I put in the network domain name.
Then it prompted for access level.
Now I want to know if I can remove those users without physically going back
to each machine.

Also, did I do that wrong to begin with? Is there a simpler way to give a
user more access to their local machine from Active Directory?

 

[Seahawk60B]

I mean I physically went to each machine.
I selected Start > Settings > Control Panel > User Accounts.
It prompted, I entered: User name Administrator Password **** Domain
localmachinename
Then I got the screen with 2 tabs, Users and Advanced. I clicked Add.
It prompted User Name and Domain and I put in the network domain name.
Then it prompted for access level.
Now I want to know if I can remove those users without physically going back
to each machine.

Also, did I do that wrong to begin with? Is there a simpler way to give a
user more access to their local machine from Active Directory?

If you look at the screen that prompts for access level, it is
basically just adding the domain account to either the Power Users or
Users group on the local PC. So if you added them as Standard users,
look in the Power Users group through Remote Management. If you added
them as Restricted users, look in the Users group on the remote
computer. You should see their domain account listed as a member of
one of those two groups. Delete it from the group membership. As an
added measure, you could also go to the documents and settings folder
on the workstation and delete their profile folder - \\computername\c$
\documents and settings\username

 

[Eric]

If you look at the screen that prompts for access level, it is
basically just adding the domain account to either the Power Users or
Users group on the local PC. So if you added them as Standard users,
look in the Power Users group through Remote Management. If you added
them as Restricted users, look in the Users group on the remote
computer. You should see their domain account listed as a member of
one of those two groups. Delete it from the group membership. As an
added measure, you could also go to the documents and settings folder
on the workstation and delete their profile folder - \\computername\c$
\documents and settings\username

Aha! Thanks. I went back into my control panel, Administrative Tools,
Computer Management.
I did Run As <network admin>, then Connect to Another Computer.
Under System Tools, Local Users and Groups, it didn't show the network user
I added under Users.
I checked Groups, Power Users, Properties, and it showed under there to
remove.
That should fix it.

 

[Seahawk60B]

Aha! Thanks. I went back into my control panel, Administrative Tools,
Computer Management.
I did Run As <network admin>, then Connect to Another Computer.
Under System Tools, Local Users and Groups, it didn't show the network user
I added under Users.
I checked Groups, Power Users, Properties, and it showed under there to
remove.
That should fix it.

Keep in mind that even though you removed their domain account from
Power Users, it doesn't necessarily remove access to the workstation.
When joined to a domain, the Domain Users group is part of the local
Users group on the workstation - meaning anyone with an AD account
that is in the Domain Users group can access the PC as a normal user.

 

[Eric]

Keep in mind that even though you removed their domain account from
Power Users, it doesn't necessarily remove access to the workstation.
When joined to a domain, the Domain Users group is part of the local
Users group on the workstation - meaning anyone with an AD account
that is in the Domain Users group can access the PC as a normal user.

Normal user access is normal. We want any user in the domain to be able to
access any machine. We just don't want them to have rights to mess anything
up (install programs, change system files). We recently installed a program
for some users that didn't work. The help for that program suggested
everyone who runs it should have Power User access to their machine so we
initially set them up that way. Then we narrowed down what access it was
looking for and gave them all write access to their C:\Program Files\Common
Files\System\Mapi folder so we could remove the Power User access and it
still worked.