How to change primary group of a domain user in AD in Windows 2k3
Hello, I want to make a user a member of only the "Performance Log Users" group. I added the user to the "Performance Log Users" group, then I tried to remove the user from the "Domain Users" group but got the error below: "The primary group cannot be removed. set another group as primary if you want to remove this one" Another issue is that the "Set Primary Group" button is grey and I can't make the "Performance Log Users" group the primary and only group of the user. Please help me to fix this problem.
January 30th, 2011 4:54pm

Primary-Group-ID Attribute: Contains the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users Group. For more information, refer to this Microsoft article. Try to change this attribute.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner; Microsoft Certified Professional; Microsoft Certified Systems Administrator: Security; Microsoft Certified Systems Engineer: Security; Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
January 30th, 2011 8:26pm

Hello, the primary group in the user account properties must never be changed unless you have POSIX-compliant applications or use Macintosh clients. So what is the reason to change the primary group? Please describe what you are trying to achieve with that change.
Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
January 31st, 2011 3:53am

The Performance Log Users group is a builtin group. This means membership of this group is only effective on your domain controllers (DC) and not on your member servers or workstations. If you need to log performance counters on your member servers or workstations you should add the user to the local Performance Log Users of each computer. You can use a local user if you are concerned about security (not on a DC).
January 31st, 2011 4:52am

The Performance Log Users group is a builtin group. This means membership of this group is only effective on your domain controllers (DC) and not on your member servers or workstations. If you need to log performance counters on your member servers or workstations you should add the user to the local Performance Log Users of each computer. You can use a local user if you are concerned about security (not on a DC).
Actually, the situation I am in is a domain environment and I don't want to do anything with local users. If I want to make a user able just to log on to the domain from member servers or workstations to create performance logs and not to do anything else, what is the best thing to do then? The concept of the Primary Group for users is still unclear to me. I could not find an explanation on TechNet. Thanks for your help.
January 31st, 2011 8:57am

Hello, the explanation is already directly at the button where you change it. And if you don't have POSIX-enabled applications or Macintosh machines, this setting does not need to be changed by you. It definitely has nothing to do with logging on to the domain from whichever machine. In a domain, by default domain users are restricted to workstations only. Also, after logging on to the domain for the first time they are able to work with "cached credentials", which allow them to log on (to the domain after ctrl+alt+del) even if the domain is not available. This option can be removed. If you don't provide local user accounts for your users and they DON'T know the local administrator account password, they are NOT able to log on to the computer. What kind of performance log should a user create on a server? This is normally an admin task.
Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
January 31st, 2011 10:38am

't provide local user accounts for your users and they DON'T know the local administrator account password they are NOT able to log on to the computer. What kind of performance log should a user create on a server, this is normally an admin task. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Thanks for the answer. I want to delegate creating performance logs to a domain user and the user should have any other privileges to do any other administrative tasks. What should I do then?
January 31st, 2011 11:12am

1) You can only use Global Groups as the Primary Group. Performance Log Users is a Domain Local group.
2) Being a Domain User does not provide any other admin rights, so it would be acceptable to be a member of both the Domain Users group and the Performance Log Users group.
3) Optional: Create a new Global Group, place that group in Performance Log Users, make the user a member of the new group, set the primary group to the new group. Remove the user from Domain Users.
January 31st, 2011 11:31am
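
The optional step 3 from the answer above, written out with the ActiveDirectory PowerShell module as an added example that is not part of the original thread. The user name `perfuser` and the group name `PerfLog-Delegates` are hypothetical, and the module is assumed to be installed on the admin workstation and able to reach a domain controller.

```powershell
# Added example, not from the thread. $UserName and $GroupName are hypothetical.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # stop at the first failed step

$UserName  = 'perfuser'            # hypothetical sAMAccountName of the delegated user
$GroupName = 'PerfLog-Delegates'   # hypothetical name for the new global group

# 1. Create a global security group (the answer says the primary group
#    has to be a global group), or reuse it if it already exists.
$group = Get-ADGroup -Filter "sAMAccountName -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -PassThru
}

# 2. Nest the new global group inside the builtin Performance Log Users group.
Add-ADGroupMember -Identity 'Performance Log Users' -Members $group

# 3. Make the user a member of the new group. The user must already be a
#    member before the group can become the primary group.
Add-ADGroupMember -Identity $group -Members $UserName

# 4. primaryGroupID holds the RID of the group, i.e. the last
#    sub-authority of the group's SID (513 for Domain Users by default).
$rid = [int]($group.SID.Value.Split('-')[-1])
Set-ADUser -Identity $UserName -Replace @{ primaryGroupID = $rid }

# 5. Domain Users is no longer the primary group, so it can now be removed.
Remove-ADGroupMember -Identity 'Domain Users' -Members $UserName -Confirm:$false

# 6. Verify: show the primary group RID and the resulting group list.
$user = Get-ADUser -Identity $UserName -Properties primaryGroupID
"primaryGroupID for $UserName is now $($user.primaryGroupID)"
Get-ADPrincipalGroupMembership -Identity $UserName |
    Select-Object Name, GroupScope
```

As the earlier reply notes, membership in the builtin Performance Log Users group of the domain only takes effect on domain controllers; member servers and workstations have their own local group of that name.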

This topic is archived. No further replies will be accepted.
