Make user local admin on server 2003 DC

Hi,

I have a user that I need to give admin rights on a few of our servers in order for them to run some SQL-based software directly from the server.

Is it possible to do this or do I need to make them an admin of the domain?

There are no local accounts on the servers that are DCs and AD has no local administrators group as far as I can find.

Thanks
jerryhatt
Asked:
 
PlusIT commented:
You can add him to the group Administrators (not Domain Admins).
 
Krzysztof Pytko (Active Directory Engineer) commented:
On DCs you cannot create local users. Is it really required to have administrative rights to manage that application? There are some special groups in the built-in container which can allow him to do some tasks.
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Not possible if the server in question is a DC. Then, as you've found, there are no local accounts.
 
davorin commented:
I would try putting him/her in the Server Operators group. I hope he/she will have enough permissions to run the desired SW.

This one could help you:
http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx
 
PlusIT commented:
There is an Administrators group on 2003 which is not part of the Domain Admins. Remember when you had the Blackberry user give access to the server as admin but you could not add it to Domain Admins because of the deny permission? Right, you had to add him to Administrators. Then he has local admin to that box but no domain admin.

Thought that the OP was asking for this. It will of course be a domain user as local users are disabled on a DC.
 
jerryhatt (Author) commented:
Adding to Administrators group does not allow access.
Adding to Server Operators does not allow access.

I have tried accessing non DC servers and it doesn't work on those either.

Only adding to domain admins group lets the user log on.

Group policy is set to allow log on locally as well as allow logon via terminal server for administrators as well as the specified user and I have forced a GP update.

 
B12BLIB commented:
You can add a user to the Administrators (domain local) group, but this makes the user an administrator for all DCs, and therefore the domain (with regards to the AD itself, not all domain members).

You can't make a user an administrator of one single DC.

However, my question would be why are you running SQL from a DC? Dedicate another server or VM to that. Unless it is an SBS server, and it's the only server you've got. Though it sounds like you guys are running multiple systems.

In my personal opinion you keep a DC to do DC/network roles only. FSMOs, DNS, DHCP perhaps. But no apps which could cause high CPU usage etc. Keep it light, keep it simple. That way you also never need 3rd party users, or non Domain Admins, to have access to your DC.
 
B12BLIB commented:
P.S. If adding to the Administrators group does not allow access to the SQL engine, then there is a permission issue in SQL. Is the user account set up as an authorized account within SQL? Did you check the security settings within SQL?
 
jerryhatt (Author) commented:
It is a fairly old network setup with multiple DCs and lots of SQL dependency on old database systems across the network.

Removing or moving these would be a nightmare as they are all old programs and mainly unsupported now.

It isn't that the administrator right doesn't grant access to the SQL program but the user cannot use terminal services to log on. This also affects the non DC machines as well.
 
PlusIT commented:
jerryhatt, when you make him a member of the Administrators group you have to go to the domain security policy and add the user account there so he can log on locally or via terminal services.
 
B12BLIB commented:
Aah, got you. I misunderstood the initial question. Just to confirm: you did add his user account as a remote user account on the server? There is a built-in group called Remote Desktop Users that can RDP into domain controllers. Check to see which accounts are in that group. Does not require Domain Admin rights.
 
B12BLIB commented:
Did any of this work? Just curious :)
 
jerryhatt (Author) commented:
Thanks to all for the help. It was the log on rights in GP.
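
Added example, not part of the thread and not written by any of the posters: since the fix reported above was the logon rights in Group Policy, this Python sketch checks those rights for an account and its groups in the text produced by `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The sample export and the names `EXAMPLE\contractors` and `EXAMPLE\jdoe` are constructed, and the check covers user rights assignment only, not other Terminal Services settings.

```python
# Added example: evaluate logon rights from a secedit USER_RIGHTS export.
# Maps each logon method to its (allow, deny) user-right constant.
LOGON_RIGHTS = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "terminal_services": ("SeRemoteInteractiveLogonRight",
                          "SeDenyRemoteInteractiveLogonRight"),
}

# Constructed sample export; EXAMPLE\contractors is a made-up group.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = EXAMPLE\contractors
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known SIDs of the built-in Administrators and Server Operators groups.
ADMINISTRATORS, SERVER_OPERATORS = "S-1-5-32-544", "S-1-5-32-549"


def parse_user_rights(inf_text):
    """Return {right_name: set of lowercased SIDs/account names}."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            rights[name.strip()] = {m.strip().lstrip("*").lower()
                                    for m in members.split(",") if m.strip()}
    return rights


def can_log_on(rights, principals, method):
    """principals: the account plus every group it belongs to (SID or name)."""
    allow, deny = LOGON_RIGHTS[method]
    ids = {p.lower() for p in principals}
    if rights.get(deny, set()) & ids:      # a deny right overrides any allow
        return False, "denied by " + deny
    if rights.get(allow, set()) & ids:
        return True, "granted by " + allow
    return False, "not listed in " + allow
```

Pass the account name together with the SIDs or names of all its groups, because a right granted to a group applies to its members and a deny entry on any of them blocks the logon.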