Solved

ACTIVE Directory server 2008R2

Posted on 2012-03-13
14
410 Views
Last Modified: 2012-08-14
I am new to Active Directory. I want to know how to add an administrator user in Active Directory 2008 R2 that has full access to the database server (192.168.1.10) and the SharePoint server (192.168.1.11) only, but can't access other servers in the Active Directory domain.
Please tell me in detail, step by step.
Question by:kastro Abbasi
14 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37717119
In this case, for two servers, I'd just add the account to the local admin group on the server.

Start >> Run >> compmgmt.msc  and then add the account to the local administrators group

If it was a large group of servers I'd look at using restricted groups (group policy setting)

Thanks

Mike
0
 
LVL 7

Expert Comment

by:joensw
ID: 37717162
Hi,
yes, like Mike said, just add the account to the local admin group on the server.
0
 

Author Comment

by:kastro Abbasi
ID: 37717414
OK.
The local administrators group on the Active Directory server, or on the database and SharePoint servers?

I go to Active Directory server -> Run -> compmgmt.msc -> Local Users and Groups -> Users -> New User.

Is that it, or will there be some other actions?
0

 
LVL 7

Expert Comment

by:joensw
ID: 37717466
Hi, yes.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37717481
I was talking about the database and SharePoint servers... sorry if that was not clear.

Thanks

Mike
0
 

Author Comment

by:kastro Abbasi
ID: 37717577
OK.

If I create users in the local administrators group on both machines, is there any need to create this account in Active Directory?

For example:
I have created a user named "ayaz" on both the database and SharePoint servers. Should I create the same account in Active Directory?

Moreover, both of these machines need each other for some installations. I need administrative access.
0
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 37717995
I think what Mike is driving at is putting a Domain User into the respective server local Administrators groups.  That way, you're using the same account for both (assuming that's what you want) - rather than two different accounts.  Further, the domain account can be used for single sign on to other domain resources (file/print/Exchange/etc) without admin privileges.

But... using the server local Administrators group may be over-provisioning access.  Does this user need OS-level admin to the servers hosting SQL and SharePoint?  Or are you trying to make the user an admin of the SQL and SharePoint instances only?  If the latter, then it would be better to grant the admin privs at the instance level.

And... generally best practices would indicate using an AD (domain) group for each set of privileges (there's no logical relationship between SQL admin and SharePoint admin per se).  The AD group would either be granted the appropriate privs at the instance level, or nested into the two server local Administrators groups - depending on how fine-grained you want your admin access model to be.  Then you would add the domain user account to each group.  Subsequent SQL admins (who might not always overlap SharePoint admins) would be added to the "SQL_Admin" domain group, and so on...

If you want to get a little more specific about which of these approaches suits you, I'd be happy to provide a quick "click here, then here" style walk-through.

Hope that helps!
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 37718545
Dear,

1) You cannot have a local administrator on your AD server. Once you have AD installed on a server, the server will become a DC or RODC and all local administrator user accounts are lost.

2) By default, Domain Administrator has full access to all servers/computers in the network...

3) If you want to have administrator privilege on any server (other than your AD server), you have many options.

Option 1: If you want to be a SQL or any database administrator, I would suggest you create your own user with administrative privilege: Ayaz, member of the SQL or administrator group.

Option 2: If you need to have administrator access on any application, you can have admin rights at the application level...
I know many applications have two levels of administrators: DB and application.
0
 

Author Comment

by:kastro Abbasi
ID: 37718654
I want to create an administrator user in Active Directory who has access to SQL and SharePoint only.
0
 

Author Comment

by:kastro Abbasi
ID: 37718663
I mean the admin user with complete OS-level access, including SQL and SharePoint, on both servers.
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 37718674
Dear,

1) Once you install SQL Server on any domain member, SQL Server will automatically create security groups (refer to attached: SQL Sec GP). If you want any user to have admin rights, you can simply add the user to the desired security group.

Allow/deny permissions are the responsibility of the AD system administrators. If you are not one, I would suggest checking with your AD SA. But if you are the SA for AD and don't know, you can simply ask the SQL SA to let you know which security group has admin rights; then you can add any user to the group via AD.

Apart from all of the above, please make sure you don't install SQL on a domain controller; refer to
http://msdn.microsoft.com/en-us/library/ms143506(v=sql.110).aspx
section: Installing SQL Server on a Domain Controller

For more info, please look at
http://msdn.microsoft.com/en-us/library/bb500442(v=sql.110).aspx
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 37718721
If you want to add an existing AD user (Ayaz) to the server:

Control Panel > User Accounts > Manage User Accounts > Add > click Browse > type the name and search > once the user appears, click Next and assign as Administrator

Same procedure if you have two servers (SQL and SharePoint).

If you want to add a local user (Ayaz) to the server:

My Computer > right-click Manage > Users > Add > ayaz > OK
My Computer > right-click Manage > Groups > Administrators > Members > Add > ayaz > OK
0
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 37719319
I mean the admin user with complete OS-level access, including SQL and SharePoint, on both servers.

I recommend using your AD user account (not local users).  I still recommend using AD groups rather than direct user membership in server local Administrators - the "one-user-at-a-time" approach doesn't scale well.

On Server 2008R2...
Start-> Run -> compmgmt.msc -> Local Users and Groups -> Groups -> Administrators -> Add -> Add

"From this location" should already show the domain of which the server is a member.  If not, you can specify the user object in DOMAIN\USER or USER@DOMAIN format.

This will grant the AD user OS-level admin access.  Depending on the SQL and SharePoint configurations, this may not be all you have to do...

For SQL 2008, look here...
http://blogs.msdn.com/b/jjameson/archive/2009/05/29/add-sysadmin-in-sql-server-2008-using-local-administrator.aspx

For SharePoint 2010, look here...
http://blog.octavie.nl/index.php/2011/11/07/creating-additional-sharepoint-2010-farm-administrators/

Hope that helps!
0
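The approach from the accepted answer (one AD group per privilege set, nested into the local Administrators group of only the server it should administer), as an added PowerShell example that is not part of the original thread. CONTOSO, DBSRV01, SPSRV01 and SharePoint_Admin are placeholder names; the script assumes the ActiveDirectory module is installed and that it runs under an account allowed to manage the domain groups and both servers.

```powershell
# Added example, not from the thread. CONTOSO, DBSRV01, SPSRV01 and
# SharePoint_Admin are placeholders; substitute your own names.
Import-Module ActiveDirectory            # AD cmdlets (Server 2008 R2 / RSAT)

$Domain = 'CONTOSO'                      # hypothetical NetBIOS domain name
$User   = 'ayaz'                         # existing AD user from the thread
# One AD group per privilege set, mapped to the only server it administers
$Map = @{
    'SQL_Admin'        = 'DBSRV01'       # database server (192.168.1.10)
    'SharePoint_Admin' = 'SPSRV01'       # SharePoint server (192.168.1.11)
}

function Get-LocalAdminMember {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Members come back as COM objects; read ADsPath through reflection
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-DomainGroupToLocalAdmins {
    param([string]$Computer, [string]$Domain, [string]$GroupName)
    $path = "WinNT://$Domain/$GroupName"
    if ((Get-LocalAdminMember $Computer) -contains $path) { return }  # already nested
    ([ADSI]"WinNT://$Computer/Administrators,group").Add("$path,group")
}

foreach ($groupName in $Map.Keys) {
    # Create the domain group only if it is missing
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope Global -GroupCategory Security
    }
    # Add the user to the group only if not already a member
    $current = @(Get-ADGroupMember -Identity $groupName |
        Select-Object -ExpandProperty SamAccountName)
    if ($current -notcontains $User) {
        Add-ADGroupMember -Identity $groupName -Members $User
    }
    Add-DomainGroupToLocalAdmins $Map[$groupName] $Domain $groupName
}

# Review: list who holds OS-level admin on each server after the change
foreach ($server in $Map.Values) {
    "--- Administrators on $server"
    Get-LocalAdminMember $server
}
```

The user has to log off and back on before the new group membership takes effect. The final listing also shows any other accounts already holding local admin on the two servers, which is worth reviewing at the same time.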
 

Author Closing Comment

by:kastro Abbasi
ID: 37721398
Excellent, I have implemented netjgrnaut's solution and it helps me a lot.
0
