What authorization should I give to the user, by error, or workstation?

If I can set up a new domain details within Active Directory (AD) and then access to a workstation with this account, what authorization should give to the user, by error, or the workstation?
