Solved

Make user local admin on server 2003 DC

Posted on 2010-09-22
Last Modified: 2012-05-10
Hi,

I have a user that I need to give admin rights on a few of our servers in order for them to run some SQL-based software directly from the server.

Is it possible to do this or do I need to make them an admin of the domain?

There are no local accounts on the servers that are DCs and AD has no local administrators group as far as I can find.

Thanks
0
Question by:jerryhatt
13 Comments
 
LVL 10

Expert Comment

by:PlusIT
ID: 33741458
You can add him to the group Administrators (not Domain Admins).
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33741490
On DCs you cannot create local users. Is it really required to have administrative rights to manage that application? There are some special groups in the built-in container which can allow him to do some tasks.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 33741495
Not possible if the server in question is a DC. Then, as you've found, there are no local accounts.
0
 
LVL 27

Expert Comment

by:davorin
ID: 33741496
I would try putting him/her in the Server Operators group. I hope he/she will have enough permissions to run the desired SW.

This one could help you:
http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx

0
 
LVL 10

Expert Comment

by:PlusIT
ID: 33741506
There is an Administrators group on 2003 which is not part of the Domain Admins. Remember when you had the Blackberry user give access to the server as admin but you could not add it to Domain Admins because of the deny permission? Right, you had to add him to Administrators. Then he has local admin to that box but no domain admin.

Thought that the OP was asking for this. It will of course be a domain user as local users are disabled on a DC.
0
 

Author Comment

by:jerryhatt
ID: 33742402
Adding to Administrators group does not allow access.
Adding to Server Operators does not allow access.

I have tried accessing non DC servers and it doesn't work on those either.

Only adding to domain admins group lets the user log on.

Group policy is set to allow log on locally as well as allow logon via terminal server for administrators as well as the specified user and I have forced a GP update.

0
 
LVL 6

Expert Comment

by:B12BLIB
ID: 33742451
You can add a user to the administrators (domain local) group, but this
makes the user an administrator for all DCs, and therefore the domain (with
regards to the AD itself, not all domain members).

You can't make a user an administrator of one single DC.

However, my question would be why are you running SQL from a DC? Dedicate another server or VM to that. Unless it is an SBS server, and it's the only server you've got. Though it sounds like you guys are running multiple systems.

In my personal opinion you keep a DC to do DC/network roles only. FSMOs, DNS, DHCP perhaps. But no apps which could cause high CPU usage etc. Keep it light, keep it simple. That way you also never need 3rd party users, or non-Domain Admins, to have access to your DC.
0
 
LVL 6

Expert Comment

by:B12BLIB
ID: 33742473
P.S. If adding to the Administrators group does not allow access to the SQL engine, then there is a permission issue in SQL. Is the user account set up as an authorized account within SQL? Did you check the security settings within SQL?
0
 

Author Comment

by:jerryhatt
ID: 33742492
It is a fairly old network setup with multiple DCs and lots of SQL dependency on old database systems across the network.

Removing or moving these would be a nightmare as they are all old programs and mainly unsupported now.

It isn't that the administrator right doesn't grant access to the SQL program but the user cannot use terminal services to log on. This also affects the non-DC machines as well.

0
 
LVL 10

Accepted Solution

by:
PlusIT earned 500 total points
ID: 33742711
jerryhatt, when you make him a member of the Administrators group, you have to go to the domain security policy and add the user account there so he can log on locally or via terminal services.
0
 
LVL 6

Expert Comment

by:B12BLIB
ID: 33742721
Aah, got you. I misunderstood the initial question. Just to confirm: you did add his user account as a remote user account on the server? There is a built-in group called Remote Desktop Users that can RDP into domain controllers. Check to see which accounts are in that group. Does not require Domain Admin rights.
0
 
LVL 6

Expert Comment

by:B12BLIB
ID: 33765365
Did any of this work? Just curious :)
0
 

Author Closing Comment

by:jerryhatt
ID: 33778469
Thanks to all for the help. It was the log on rights in GP.
0
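
The thread ends with the cause being the logon rights assigned in Group Policy rather than group membership. As an added example (not part of the original thread), the Python below reads the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` dump and reports whether a given token holds the local and Terminal Services logon rights, with deny rights taking precedence. The sample INF text and every domain SID in it are constructed; a real export is normally UTF-16 and must be decoded before parsing.

```python
# Added example: audit logon rights in a "secedit /export /areas USER_RIGHTS" dump.
# SAMPLE_INF and every SID containing -1111-2222-3333- are constructed for illustration.

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
SeRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-512
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1201
[Version]
signature="$CHICAGO$"
"""

LOGON_RIGHTS = {  # allow right -> deny right that overrides it
    "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",
    "SeRemoteInteractiveLogonRight": "SeDenyRemoteInteractiveLogonRight",
}

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights

def effective_logon_rights(rights, token_sids):
    """Map each logon right to True/False for a token (user SID plus group SIDs)."""
    token = {s.lower() for s in token_sids}
    result = {}
    for allow, deny in LOGON_RIGHTS.items():
        granted = bool(token & rights.get(allow, set()))
        denied = bool(token & rights.get(deny, set()))
        result[allow] = granted and not denied  # deny always wins
    return result

# Constructed token: user (RID 1105) who is a member of BUILTIN\Administrators only.
USER_TOKEN = ["S-1-5-21-1111-2222-3333-1105", "S-1-5-32-544"]

if __name__ == "__main__":
    report = effective_logon_rights(parse_privilege_rights(SAMPLE_INF), USER_TOKEN)
    for right, ok in report.items():
        print(f"{right}: {'granted' if ok else 'NOT granted'}")
```

With the constructed policy, the Administrators member can log on at the console but not over Terminal Services, which matches the symptom the author describes. This checks user rights assignment only, not permissions on the RDP listener itself.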
