Solved

Make user local admin on server 2003 DC

Posted on 2010-09-22
Last Modified: 2012-05-10
Hi,

I have a user that I need to give admin rights on a few of our servers in order for them to run some SQL-based software directly from the server.

Is it possible to do this or do I need to make them an admin of the domain?

There are no local accounts on the servers that are DCs and AD has no local administrators group as far as I can find.

Thanks
Question by:jerryhatt
13 Comments
 
LVL 10

Expert Comment

by:PlusIT
You can add him to the group Administrators (not Domain Admins).
 
LVL 39

Expert Comment

by:Krzysztof Pytko
On DCs you cannot create local users. Is it really required to have administrative rights to manage that application? There are some special groups in the Builtin container which can allow him to do some tasks.
 
LVL 95

Expert Comment

by:Lee W, MVP
Not possible if the server in question is a DC. Then, as you've found, there are no local accounts.
 
LVL 27

Expert Comment

by:davorin
I would try putting him/her in the Server Operators group. I hope he/she will have enough permissions to run the desired SW.

This one could help you:
http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx
 
LVL 10

Expert Comment

by:PlusIT
There is an Administrators group on 2003 which is not part of the Domain Admins. Remember when you had to give the BlackBerry user access to the server as admin but you could not add it to Domain Admins because of the deny permission? Right, you had to add him to Administrators. Then he has local admin on that box but not domain admin.

I thought that the OP was asking for this. It will of course be a domain user, as local users are disabled on a DC.
 

Author Comment

by:jerryhatt
Adding to the Administrators group does not allow access.
Adding to Server Operators does not allow access.

I have tried accessing non-DC servers and it doesn't work on those either.

Only adding to the Domain Admins group lets the user log on.

Group policy is set to allow log on locally as well as allow logon via terminal server for administrators as well as the specified user, and I have forced a GP update.


 
LVL 6

Expert Comment

by:B12BLIB
You can add a user to the Administrators (domain local) group, but this makes the user an administrator for all DCs, and therefore the domain (with regards to the AD itself, not all domain members).

You can't make a user an administrator of one single DC.

However, my question would be: why are you running SQL from a DC? Dedicate another server or VM to that. Unless it is an SBS server, and it's the only server you've got. Though it sounds like you guys are running multiple systems.

In my personal opinion you keep a DC to do DC/network roles only. FSMOs, DNS, DHCP perhaps. But no apps which could cause high CPU usage etc. Keep it light, keep it simple. That way you also never need 3rd-party users, or non-Domain Admins, to have access to your DC.
 
LVL 6

Expert Comment

by:B12BLIB
P.S. If adding to the Administrators group does not allow access to the SQL engine, then there is a permission issue in SQL. Is the user account set up as an authorized account within SQL? Did you check the security settings within SQL?
 

Author Comment

by:jerryhatt
It is a fairly old network setup with multiple DCs and lots of SQL dependency on old database systems across the network.

Removing or moving these would be a nightmare as they are all old programs and mainly unsupported now.

It isn't that the administrator right doesn't grant access to the SQL program but the user cannot use Terminal Services to log on. This also affects the non-DC machines as well.
 
LVL 10

Accepted Solution

by:
PlusIT earned 500 total points
jerryhatt, when you make him a member of the Administrators group, you have to go to the domain security policy and add the user account there so he can log on locally or via Terminal Services.
 
LVL 6

Expert Comment

by:B12BLIB
Aah, got you. I misunderstood the initial question. Just to confirm: you did add his user account as a remote user account on the server? There is a built-in group called Remote Desktop Users that can RDP into domain controllers. Check to see which accounts are in that group. It does not require Domain Admin rights.
 
LVL 6

Expert Comment

by:B12BLIB
Did any of this work? Just curious :)
 

Author Closing Comment

by:jerryhatt
Thanks to all for the help. It was the log on rights in GP.
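
The thread's resolution was that group membership alone did not grant the logon rights; the user rights assignment in policy did. As an added example (not part of the original thread, and not any poster's code), this Python script parses the `[Privilege Rights]` section of a `secedit /export` file and checks whether an account can log on locally or through Terminal Services. The sample policy, the domain SID and the account name `EXAMPLE\appuser` are constructed, and the caller is assumed to supply the account's fully expanded group list.

```python
# Added example: audit logon rights from a `secedit /export` INF file.
# Maps a logon type to its (allow, deny) user-right names.
LOGON_RIGHTS = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "terminal_services": ("SeRemoteInteractiveLogonRight",
                          "SeDenyRemoteInteractiveLogonRight"),
}

# Constructed sample policy; the domain SID below is a placeholder.
# S-1-5-32-544 = Administrators, S-1-5-32-549 = Server Operators,
# <domain SID>-512 = Domain Admins.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are bare.
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def can_log_on(rights, principals, how):
    """principals: the account name plus every group name/SID it belongs to."""
    allow, deny = LOGON_RIGHTS[how]
    token = {p.lower() for p in principals}
    if token & rights.get(deny, set()):
        return False  # an explicit deny overrides any allow
    return bool(token & rights.get(allow, set()))
```

With the constructed policy, a member of Administrators can log on locally but not through Terminal Services, which matches the symptom described in the thread. `secedit` writes its export as Unicode, so read a real file with `encoding="utf-16"` before passing the text in.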