Solved

Make user local admin on server 2003 DC

Posted on 2010-09-22
Last Modified: 2012-05-10
Hi,

I have a user that I need to give admin rights on a few of our servers in order for them to run some SQL-based software directly from the server.

Is it possible to do this or do I need to make them an admin of the domain?

There are no local accounts on the servers that are DCs and AD has no local administrators group as far as I can find.

Thanks
Question by:jerryhatt
13 Comments
 
LVL 10

Expert Comment

by:PlusIT
ID: 33741458
You can add him to the group Administrators (not Domain Admins).
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33741490
On DCs you cannot create local users. Is it really required to have administrative rights to manage that application? There are some special groups in the built-in container which can allow him to do some tasks.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 33741495
Not possible if the server in question is a DC. Then, as you've found, there are no local accounts.
0
LVL 27

Expert Comment

by:davorin
ID: 33741496
I would try putting him/her in the Server Operators group. I hope he/she will have enough permissions to run the desired SW.

This one could help you:
http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx

0
 
LVL 10

Expert Comment

by:PlusIT
ID: 33741506
There is an Administrators group on 2003 that is not part of the Domain Admins. Remember when you had the Blackberry user give access to the server as admin but you could not add it to Domain Admins because of the deny permission? Right, you had to add him to Administrators. Then he has local admin to that box but no domain admin.

Thought that the OP was asking for this. It will of course be a domain user, as local users are disabled on a DC.
0
 

Author Comment

by:jerryhatt
ID: 33742402
Adding to Administrators group does not allow access.
Adding to Server Operators does not allow access.

I have tried accessing non DC servers and it doesn't work on those either.

Only adding to domain admins group lets the user log on.

Group policy is set to allow log on locally as well as allow logon via terminal server for administrators as well as the specified user and I have forced a GP update.

0
 
LVL 6

Expert Comment

by:B12BLIB
ID: 33742451
You can add a user to the administrators (domain local) group, but this
makes the user an administrator for all DCs, and therefore the domain (with
regards to the AD itself, not all domain members).

You can't make a user an administrator of one single DC.

However, my question would be: why are you running SQL from a DC? Dedicate another server or VM to that. Unless it is an SBS server, and it's the only server you've got. Though it sounds like you guys are running multiple systems.

In my personal opinion you keep a DC to do DC/network roles only. FSMOs, DNS, DHCP perhaps. But no apps which could cause high CPU usage etc. Keep it light, keep it simple. That way you also never need 3rd party users, or non-Domain Admins, to have access to your DC.
0
 
LVL 6

Expert Comment

by:B12BLIB
ID: 33742473
P.S. If adding to the Administrators group does not allow access to the SQL engine, then there is a permission issue in SQL. Is the user account set up as an authorized account within SQL? Did you check the security settings within SQL?
0
 

Author Comment

by:jerryhatt
ID: 33742492
It is a fairly old network setup with multiple DCs and lots of SQL dependency on old database systems across the network.

Removing or moving these would be a nightmare as they are all old programs and mainly unsupported now.

It isn't that the administrator right doesn't grant access to the SQL program, but the user cannot use terminal services to log on. This also affects the non-DC machines as well.

0
 
LVL 10

Accepted Solution

by:
PlusIT earned 500 total points
ID: 33742711
jerryhatt, when you make him a member of the Administrators group, you have to go to the domain security policy and add the user account there so he can log on locally or via terminal services.
0
 
LVL 6

Expert Comment

by:B12BLIB
ID: 33742721
Aah, got you. I misunderstood the initial question. Just to confirm: you did add his user account as a remote user account on the server? There is a built-in group called Remote Desktop Users that can RDP into domain controllers. Check to see which accounts are in that group. Does not require Domain Admin rights.
0
 
LVL 6

Expert Comment

by:B12BLIB
ID: 33765365
Did any of this work? Just curious :)
0
 

Author Closing Comment

by:jerryhatt
ID: 33778469
Thanks to all for the help. It was the log on rights in GP.
0
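
The thread resolved to the logon rights in Group Policy rather than group membership. As an added example (not posted by anyone in the thread), this Python script parses the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file and reports whether an account's SIDs are granted or denied local and Terminal Services logon. The policy contents, domain SID, user SID and function names are constructed for illustration.

```python
import configparser

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
USER_SID = DOMAIN + "-1105"                            # constructed user

# Constructed sample in the format produced by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *{DOMAIN}-512
SeRemoteInteractiveLogonRight = *{DOMAIN}-512
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

# logon path -> (allow right, deny right)
LOGON_PATHS = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "terminal_services": ("SeRemoteInteractiveLogonRight",
                          "SeDenyRemoteInteractiveLogonRight"),
}

def parse_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # SIDs are written with a leading '*'; entries are comma-separated
            rights[name] = {p.strip().lstrip("*").lower()
                            for p in value.split(",") if p.strip()}
    return rights

def can_log_on(rights, token, path):
    """token: the user's SID plus the SIDs of every group the user is in."""
    allow, deny = LOGON_PATHS[path]
    token = {t.lower() for t in token}
    if rights.get(deny, set()) & token:
        return False, f"denied by {deny}"      # a deny right overrides any allow
    if rights.get(allow, set()) & token:
        return True, f"granted by {allow}"
    return False, f"not listed in {allow}"

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    token = {USER_SID, "S-1-5-32-544", DOMAIN + "-513"}  # Administrators, Domain Users
    for path in LOGON_PATHS:
        print(path, can_log_on(rights, token, path))
```

A real export is typically UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_rights`. Permissions on the RDP listener itself (the Remote Desktop Users group mentioned above) are a separate check that this script does not model.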
