ACTIVE Directory server 2008R2

I am new to Active Directory. I want to know how to add an administrator user in Active Directory 2008 R2 which has full access to the database server( and SharePoint server( only but can't access other servers in the Active Directory domain.
Please tell me in detail, step by step.
kastro Abbasi, IT consultant, Asked:

Mike Kline Commented:
In this case, for two servers, I'd just add the account to the local admin group on the server.

Start >> Run >> compmgmt.msc  and then add the account to the local administrators group

If it was a large group of servers I'd look at using restricted groups (group policy setting)


Yes, like Mike said, just add the account to the local admin group on the server.
kastro Abbasi, IT consultant, Author Commented:
Local administrator group on the Active Directory server, or on the database and SharePoint servers?

I go to the Active Directory server -> Run -> compmgmt.msc -> Local Users and Groups -> Users -> New User.

That's it, or will there be some other actions?

hi yes
Mike Kline Commented:
I was talking about on the database and SharePoint servers... sorry if that was not clear.


kastro Abbasi, IT consultant, Author Commented:

If I create users in the local administrative group on both machines, is there any need to create this account in Active Directory?

For example, I have created a user named "ayaz" on both the database and SharePoint servers. Should I create the same account in Active Directory?

Moreover, both of these machines need each other for some of the installation. I need administrative access.
I think what Mike is driving at is putting a Domain User into the respective server local Administrators groups.  That way, you're using the same account for both (assuming that's what you want) - rather than two different accounts.  Further, the domain account can be used for single sign on to other domain resources (file/print/Exchange/etc) without admin privileges.

But... using the server local Administrators group may be over-provisioning access.  Does this user need OS-level admin to the servers hosting SQL and SharePoint?  Or are you trying to make the user an admin of the SQL and SharePoint instances only?  If the latter, then it would be better to grant the admin privs at the instance level.

And... generally best practices would indicate using an AD (domain) group for each set of privileges (there's no logical relationship between SQL admin and SharePoint admin per se).  The AD group would either be granted the appropriate privs at the instance level, or nested into the two server local Administrators groups - depending on how fine-grained you want your admin access model to be.  Then you would add the domain user account to each group.  Subsequent SQL admins (who might not always overlap SharePoint admins) would be added to the "SQL_Admin" domain group, and so on...

If you want to get a little more specific about which of these approaches suits you, I'd be happy to provide a quick "click here, then here" style walk-through.

Hope that helps!
Syed_M_Usman, System Administrator, Commented:

1) You cannot have a local Administrator on your AD server. Once you have AD installed on a server, the server will become a DC or RODC and all local administrator user accounts are lost.

2) By default, Domain Administrator has full access to all servers/computers in the network...

3) If you want to have Administrator privilege on any server (other than your AD server), you have many options:

Option 1: If you want to be a SQL or any database administrator, I would suggest you create your own user with administrative privilege: Ayaz, member of SQL or administrator group.

Option 2: If you need to have Administrator access on any application, you can have admin rights at the application level...
I know many applications have two levels of administrators: DB & Application.
kastro Abbasi, IT consultant, Author Commented:
I want to create an administrator user in Active Directory who has access to SQL and SharePoint only.
kastro Abbasi, IT consultant, Author Commented:
I mean the admin user with complete OS-level access including SQL and SharePoint on both servers.
Syed_M_Usman, System Administrator, Commented:

1) Once you install SQL Server on any domain member, SQL Server will automatically create security groups (refer to attached). If you want any user to have admin rights, you can simply add the user to the desired security group.

Allow/deny permissions are the responsibility of AD System Administrators; if you are not one, I would suggest checking with your AD SA. BUT if you are the SA for AD and don't know, you can simply ask the SQL SA to let you know which security group has admin rights, then you can add any user to the group via AD.

Apart from all of the above, please make sure you don't install SQL on a domain controller; refer to
section: Installing SQL Server on a Domain Controller

For more info please look @
Syed_M_Usman, System Administrator, Commented:
If you want to add an existing AD user (Ayaz) to the server:

Control Panel > User Accounts > Manage User Accounts > Add > click Browse > type name and search > once the user appears click Next and assign as Administrator

Same procedure if you have two servers (SQL and SharePoint).

If you want to add a local user (Ayaz) to the server:

My Computer > right-click Manage > Users > Add > ayaz > OK
My Computer > right-click Manage > Groups > Administrator > Members > Add > ayaz... OK
i mean the admin user with  complete OS level access including SQL and share point on both servers.

I recommend using your AD user account (not local users).  I still recommend using AD groups rather than direct user membership in server local Administrators - the "one-user-at-a-time" approach doesn't scale well.

On Server 2008R2...
Start-> Run -> compmgmt.msc -> Local Users and Groups -> Groups -> Administrators -> Add -> Add

"From this location" should already show the domain of which the server is a member.  If not, you can specify the user object in DOMAIN\USER or USER@DOMAIN format.

This will grant the AD user OS-level admin access.  Depending on the SQL and SharePoint configurations, this may not be all you have to do...

For SQL 2008, look here...

For SharePoint 2010, look here...

Hope that helps!
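
A scripted form of the group-based approach recommended in the answers above (one domain group per role, nested into the local Administrators group of only the server that role covers), as an added example that is not part of the original thread. The domain name CONTOSO, the server names SQL01 and SP01 and the group name SharePoint_Admin are assumptions; "SQL_Admin" and the user "ayaz" come from the posts. It must be run by an account that can create domain groups and is already an administrator on both servers.

```powershell
# Added example, not from the thread. CONTOSO, SQL01, SP01 and SharePoint_Admin
# are assumed names; "SQL_Admin" and the user "ayaz" are taken from the posts.
Import-Module ActiveDirectory      # AD module, available from Server 2008 R2

$domain = 'CONTOSO'                # assumed NetBIOS domain name
$user   = 'ayaz'                   # existing domain user account
$roles  = @{                       # domain group -> server it administers
    'SQL_Admin'        = 'SQL01'   # assumed database server
    'SharePoint_Admin' = 'SP01'    # assumed SharePoint server
}

foreach ($groupName in $roles.Keys) {
    $server = $roles[$groupName]

    # 1. Create the domain security group if it is not there yet.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
        New-ADGroup -Name $groupName -SamAccountName $groupName `
                    -GroupScope Global -GroupCategory Security
    }

    # 2. Put the user in the domain group (skip if already a member).
    $members = Get-ADGroupMember -Identity $groupName |
               ForEach-Object { $_.SamAccountName }
    if ($members -notcontains $user) {
        Add-ADGroupMember -Identity $groupName -Members $user
    }

    # 3. Nest the domain group in that one server's local Administrators
    #    group. No other server is touched, so access stays scoped.
    $local = [ADSI]"WinNT://$server/Administrators,group"
    $path  = "WinNT://$domain/$groupName"
    if (-not $local.psbase.Invoke('IsMember', $path)) {
        $local.psbase.Invoke('Add', $path)
    }

    # 4. Audit: list who now holds local admin on the server.
    Write-Output "Local Administrators on ${server}:"
    $local.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}
```

The audit output in step 4 is worth keeping: any entry other than the built-in Administrator, Domain Admins and the role group is access that was granted one user at a time and should be reviewed.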

kastro Abbasi, IT consultant, Author Commented:
Excellent, I have implemented ntjgrnaut's solution and it helps me a lot.