Solved

Active Directory Server 2008 R2

Posted on 2012-03-13
Last Modified: 2012-08-14
I am new to Active Directory. I want to know how to add an administrator user in Active Directory 2008 R2 which has full access to the database server (192.168.1.10) and SharePoint server (192.168.1.11) only, but can't access other servers in the Active Directory domain.
Please tell me in detail, step by step.
Question by:kastro Abbasi
14 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37717119
In this case, for two servers, I'd just add the account to the local admin group on the server.

Start >> Run >> compmgmt.msc, and then add the account to the local Administrators group.

If it was a large group of servers I'd look at using restricted groups (group policy setting).

Thanks

Mike
0
 
LVL 7

Expert Comment

by:joensw
ID: 37717162
Hi,
Yes, like Mike said, just add the account to the local admin group on the server.
0
 

Author Comment

by:kastro Abbasi
ID: 37717414
OK.
The local administrator group on the Active Directory server, or on the database and SharePoint servers?

I go to Active Directory server -> Run -> compmgmt.msc -> Local Users and Groups -> Users -> New User.

Is that it, or will there be some other actions?
0
 
LVL 7

Expert Comment

by:joensw
ID: 37717466
hi yes
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37717481
I was talking about on the database and sharepoint server...sorry if that was not clear

Thanks

Mike
0
 

Author Comment

by:kastro Abbasi
ID: 37717577
OK.

If I create users in the local administrative group on both machines, is there any need to create this account in Active Directory?

For example:
I have created a user named "ayaz" on both the database and SharePoint servers. Should I create the same account in Active Directory?

Moreover, both of these machines need each other for some of the installation. I need administrative access.
0
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 37717995
I think what Mike is driving at is putting a Domain User into the respective server local Administrators groups.  That way, you're using the same account for both (assuming that's what you want) - rather than two different accounts.  Further, the domain account can be used for single sign on to other domain resources (file/print/Exchange/etc) without admin privileges.

But... using the server local Administrators group may be over-provisioning access.  Does this user need OS-level admin to the servers hosting SQL and SharePoint?  Or are you trying to make the user an admin of the SQL and SharePoint instances only?  If the latter, then it would be better to grant the admin privs at the instance level.

And... generally best practices would indicate using an AD (domain) group for each set of privileges (there's no logical relationship between SQL admin and SharePoint admin per se).  The AD group would either be granted the appropriate privs at the instance level, or nested into the two server local Administrators groups - depending on how fine-grained you want your admin access model to be.  Then you would add the domain user account to each group.  Subsequent SQL admins (who might not always overlap SharePoint admins) would be added to the "SQL_Admin" domain group, and so on...

If you want to get a little more specific about which of these approaches suits you, I'd be happy to provide a quick "click here, then here" style walk-through.

Hope that helps!
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 37718545
Dear,

1) You cannot have a local administrator on your AD server. Once you have AD installed on a server, the server will become a DC or RODC and all local administrator user accounts are lost.

2) By default, the Domain Administrator has full access to all servers/computers in the network.

3) If you want to have administrator privilege on any server (other than your AD server), you have many options.

Option 1: If you want to be a SQL or any database administrator, I would suggest you create your own user with administrative privilege: Ayaz, member of the SQL or administrator group.

Option 2: If you need administrator access on any application, you can have admin rights at the application level.
I know many applications have two levels of administrators: DB and application.
0
 

Author Comment

by:kastro Abbasi
ID: 37718654
I want to create an administrator user in Active Directory who has access to SQL and SharePoint only.
0
 

Author Comment

by:kastro Abbasi
ID: 37718663
I mean the admin user with complete OS-level access, including SQL and SharePoint, on both servers.
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 37718674
Dear,

1) Once you install SQL Server on any domain member, SQL Server will automatically create security groups (refer to attached: SQL Sec GP). If you want any user to have admin rights, you can simply add the user to the desired security group.

Allow/deny permissions are the responsibility of the AD system administrators. If you are not one, I would suggest checking with your AD SA, BUT if you are the SA for AD and don't know, you can simply ask the SQL SA to let you know which security group has admin rights; then you can add any user to the group via AD.

Apart from all the above, please make sure you don't install SQL on a domain controller. Refer to
http://msdn.microsoft.com/en-us/library/ms143506(v=sql.110).aspx
section: Installing SQL Server on a Domain Controller

For more info please look at
http://msdn.microsoft.com/en-us/library/bb500442(v=sql.110).aspx
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 37718721
If you want to add an existing AD user (Ayaz) to a server:

Control Panel > User Accounts > Manage User Accounts > Add > click Browse > type the name and search > once the user appears, click Next and assign as Administrator

Same procedure if you have two servers (SQL and SharePoint).

If you want to add a local user (Ayaz) to a server:

My Computer > right-click Manage > Users > Add > ayaz > OK
My Computer > right-click Manage > Groups > Administrators > Members > Add > ayaz > OK
0
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 37719319
"I mean the admin user with complete OS-level access, including SQL and SharePoint, on both servers."

I recommend using your AD user account (not local users).  I still recommend using AD groups rather than direct user membership in server local Administrators - the "one-user-at-a-time" approach doesn't scale well.

On Server 2008R2...
Start-> Run -> compmgmt.msc -> Local Users and Groups -> Groups -> Administrators -> Add -> Add

"From this location" should already show the domain of which the server is a member.  If not, you can specify the user object in DOMAIN\USER or USER@DOMAIN format.

This will grant the AD user OS-level admin access.  Depending on the SQL and SharePoint configurations, this may not be all you have to do...

For SQL 2008, look here...
http://blogs.msdn.com/b/jjameson/archive/2009/05/29/add-sysadmin-in-sql-server-2008-using-local-administrator.aspx

For SharePoint 2010, look here...
http://blog.octavie.nl/index.php/2011/11/07/creating-additional-sharepoint-2010-farm-administrators/

Hope that helps!
0
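A scripted form of the group-based approach recommended in this thread, as an added example that is not code from any of the posters: one domain group per privilege set, the domain user placed in each group, and each group nested into the local Administrators group of only the server it administers. The domain name CONTOSO, the host names DBSRV01 and SPSRV01, and the group name SharePoint_Admin are hypothetical placeholders; it assumes the ActiveDirectory module is available and the script runs under an account that can create domain groups and administer both servers.

```powershell
# Added example. All names except the user "ayaz" and the group "SQL_Admin"
# (both mentioned in the thread) are hypothetical placeholders.
Import-Module ActiveDirectory

$Domain  = 'CONTOSO'                   # NetBIOS domain name (placeholder)
$User    = 'ayaz'
# One domain group per privilege set, mapped to the single server it administers.
$Targets = @{
    'SQL_Admin'        = 'DBSRV01'     # database server (192.168.1.10 in the question)
    'SharePoint_Admin' = 'SPSRV01'     # SharePoint server (192.168.1.11 in the question)
}

foreach ($Group in $Targets.Keys) {
    $Server = $Targets[$Group]

    # 1. Create the domain group if it does not exist yet.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$Group'")) {
        New-ADGroup -Name $Group -SamAccountName $Group -GroupScope Global -GroupCategory Security
    }

    # 2. Put the domain user into the group (skip if already a member).
    $members = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $User) {
        Add-ADGroupMember -Identity $Group -Members $User
    }

    # 3. Nest the domain group into this server's local Administrators group.
    $localAdmins = [ADSI]"WinNT://$Server/Administrators,group"
    $current = @($localAdmins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($current -notcontains $Group) {
        $localAdmins.Add("WinNT://$Domain/$Group,group")
    }

    # 4. Review step: list every principal that now holds OS-level admin here.
    Write-Output "Local Administrators on ${Server}:"
    @($localAdmins.psbase.Invoke('Members')) | ForEach-Object {
        '  ' + $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}
```

Because the user is added only to these two groups and not to Domain Admins, the OS-level admin rights stay scoped to the two servers; the listing in step 4 is worth re-running periodically to catch unexpected members.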
 

Author Closing Comment

by:kastro Abbasi
ID: 37721398
Excellent, I have implemented netjgrnaut's solution and it helps me a lot.
0
