  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 417
  • Last Modified:

Active Directory Server 2008 R2

I am new to Active Directory. I want to know how to add an administrator user in Active Directory 2008 R2 which has full access to the database server (192.168.1.10) and SharePoint server (192.168.1.11) only but can't access other servers in the Active Directory domain.
Please tell me in detail, step by step.
0
kastro Abbasi
1 Solution
 
Mike Kline Commented:
In this case, for two servers, I'd just add the account to the local admin group on the server.

Start >> Run >> compmgmt.msc  and then add the account to the local administrators group

If it was a large group of servers I'd look at using restricted groups (group policy setting)

Thanks

Mike
0
 
joensw Commented:
Hi,
Yes, like Mike said, just add the account to the local admin group on the server.
0
 
kastro Abbasi (Author) Commented:
OK.
Local administrator group in the Active Directory server, or the database and SharePoint server?

I go to the Active Directory server -> Run -> compmgmt.msc -> Local Users and Groups -> Users -> New User.

Is that it, or will there be some other actions?
0
 
joensw Commented:
Hi, yes.
0
 
Mike Kline Commented:
I was talking about on the database and SharePoint server... sorry if that was not clear.

Thanks

Mike
0
 
kastro Abbasi (Author) Commented:
OK.

If I create users in the local administrative group on both machines, is there any need to create this account in Active Directory?

For example, I have created a user named "ayaz" on both the database and SharePoint servers. Should I create the same account in Active Directory?

Moreover, both of these machines need each other for some of the installation. I need administrative access.
0
 
netjgrnaut Commented:
I think what Mike is driving at is putting a Domain User into the respective server local Administrators groups.  That way, you're using the same account for both (assuming that's what you want) - rather than two different accounts.  Further, the domain account can be used for single sign on to other domain resources (file/print/Exchange/etc) without admin privileges.

But... using the server local Administrators group may be over-provisioning access.  Does this user need OS-level admin to the servers hosting SQL and SharePoint?  Or are you trying to make the user an admin of the SQL and SharePoint instances only?  If the latter, then it would be better to grant the admin privs at the instance level.

And... generally best practices would indicate using an AD (domain) group for each set of privileges (there's no logical relationship between SQL admin and SharePoint admin per se).  The AD group would either be granted the appropriate privs at the instance level, or nested into the two server local Administrators groups - depending on how fine-grained you want your admin access model to be.  Then you would add the domain user account to each group.  Subsequent SQL admins (who might not always overlap SharePoint admins) would be added to the "SQL_Admin" domain group, and so on...

If you want to get a little more specific about which of these approaches suits you, I'd be happy to provide a quick "click here, then here" style walk-through.

Hope that helps!
0
 
Syed_M_Usman Commented:
Dear,

1) You cannot have a local administrator on your AD server. Once you have AD installed on a server, the server will become a DC or RODC and all local administrator user accounts are lost.

2) By default, Domain Administrator has full access to all servers/computers in the network.

3) If you want to have administrator privilege on any server (other than your AD server), you have many options.

Option 1: If you want to be a SQL or any database administrator, I would suggest you create your own user with administrative privilege: Ayaz, member of the SQL or administrator group.

Option 2: If you need to have administrator access on any application, you can have admin rights at the application level.
I know many applications have two levels of administrators: DB and application.
0
 
kastro Abbasi (Author) Commented:
I want to create an administrator user in Active Directory who has access to SQL and SharePoint only.
0
 
kastro Abbasi (Author) Commented:
I mean the admin user with complete OS-level access, including SQL and SharePoint, on both servers.
0
 
Syed_M_Usman Commented:
Dear,

1) Once you install SQL Server on any domain member, SQL Server will automatically create security groups (refer to attached, "SQL Sec GP"). If you want any user to have admin rights, you can simply add the user to the desired security group.

Allow/deny permissions are the responsibility of the AD system administrators. If you are not one, I would suggest checking with your AD SA. But if you are the SA for AD and don't know, you can simply ask the SQL SA to let you know which security group has admin rights; then you can add any user to the group via AD.

Apart from all the above, please make sure you don't install SQL on a domain controller; refer to
http://msdn.microsoft.com/en-us/library/ms143506(v=sql.110).aspx
Section: Installing SQL Server on a Domain Controller

For more info, please look at
http://msdn.microsoft.com/en-us/library/bb500442(v=sql.110).aspx
0
 
Syed_M_Usman Commented:
If you want to add an existing AD user (Ayaz) to a server:

Control Panel > User Accounts > Manage User Accounts > Add > click Browse > type the name and search > once the user appears, click Next and assign as Administrator

Same procedure if you have two servers (SQL and SharePoint).

If you want to add a local user (Ayaz) to a server:

My Computer > right-click Manage > Users > Add > ayaz > OK
My Computer > right-click Manage > Groups > Administrators > Members > Add > ayaz > OK
0
 
netjgrnaut Commented:
i mean the admin user with  complete OS level access including SQL and share point on both servers.

I recommend using your AD user account (not local users).  I still recommend using AD groups rather than direct user membership in server local Administrators - the "one-user-at-a-time" approach doesn't scale well.

On Server 2008R2...
Start-> Run -> compmgmt.msc -> Local Users and Groups -> Groups -> Administrators -> Add -> Add

"From this location" should already show the domain of which the server is a member.  If not, you can specify the user object in DOMAIN\USER or USER@DOMAIN format.

This will grant the AD user OS-level admin access.  Depending on the SQL and SharePoint configurations, this may not be all you have to do...

For SQL 2008, look here...
http://blogs.msdn.com/b/jjameson/archive/2009/05/29/add-sysadmin-in-sql-server-2008-using-local-administrator.aspx

For SharePoint 2010, look here...
http://blog.octavie.nl/index.php/2011/11/07/creating-additional-sharepoint-2010-farm-administrators/

Hope that helps!
0
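
The group-based approach from the answer above, scripted for PowerShell 2.0 on Server 2008 R2. This is an added example, not code from the thread: the domain `CONTOSO`, the host names `SQL01` and `SP01` (standing in for 192.168.1.10 and 192.168.1.11) and the `SharePoint_Admin` group name are assumptions; `SQL_Admin` and `ayaz` are the names used in the discussion.

```powershell
# Added example. Assumed names: domain CONTOSO, hosts SQL01 / SP01 and the
# SharePoint_Admin group are placeholders; SQL_Admin and ayaz come from the thread.
# Run as an account that can create AD groups and administer both servers.
Import-Module ActiveDirectory        # available with the Server 2008 R2 AD tools

$domain = 'CONTOSO'
$user   = 'ayaz'
$map    = @{ 'SQL_Admin' = 'SQL01'; 'SharePoint_Admin' = 'SP01' }  # group -> server

function Get-LocalAdminPaths([string]$Server) {
    # Enumerate local Administrators through the WinNT ADSI provider (works on PS 2.0).
    $grp = [ADSI]"WinNT://$Server/Administrators,group"
    @($grp.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

foreach ($groupName in $map.Keys) {
    $server = $map[$groupName]

    # 1. One domain security group per privilege set; create it only if missing.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
    }

    # 2. Put the domain user in the group (skip if already a member).
    $members = Get-ADGroupMember -Identity $groupName |
               Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $user) {
        Add-ADGroupMember -Identity $groupName -Members $user
    }

    # 3. Nest the domain group into that server's local Administrators group.
    $target = "WinNT://$domain/$groupName"
    if (-not (Get-LocalAdminPaths $server | Where-Object { $_ -eq $target })) {
        ([ADSI]"WinNT://$server/Administrators,group").Add("$target,group")
    }

    # 4. Print the resulting membership so unexpected admins stand out.
    "{0}: {1}" -f $server, ((Get-LocalAdminPaths $server) -join '; ')
}

# 5. The account must stay out of domain-wide admin groups, or it reaches every server.
$broad = Get-ADPrincipalGroupMembership -Identity $user |
         Where-Object { 'Domain Admins','Enterprise Admins' -contains $_.Name }
if ($broad) { Write-Warning "$user is in: $(($broad | ForEach-Object { $_.Name }) -join ', ')" }
```

Step 5 checks direct memberships only; a group nested inside Domain Admins would need a recursive lookup.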
 
kastro Abbasi (Author) Commented:
Excellent, I have implemented netjgrnaut's solution and it helps me a lot.
0
