Solved

Active Directory Server 2008 R2

Posted on 2012-03-13
Last Modified: 2012-08-14
I am new to Active Directory. I want to know how to add an administrator user in Active Directory 2008 R2 who has full access to the database server (192.168.1.10) and the SharePoint server (192.168.1.11) only, but can't access other servers in the Active Directory domain.
Please tell me in detail, step by step.
0
Question by:kastro Abbasi
14 Comments
 
LVL 57

Expert Comment

by:Mike Kline
In this case, for two servers, I'd just add the account to the local admin group on the server.

Start >> Run >> compmgmt.msc and then add the account to the local Administrators group.

If it was a large group of servers, I'd look at using Restricted Groups (a Group Policy setting).

Thanks

Mike
0
 
LVL 7

Expert Comment

by:joensw
Hi,
Yes, like Mike said, just add the account to the local admin group on the server.
0
 

Author Comment

by:kastro Abbasi
OK.
Local administrator group on the Active Directory server, or on the database and SharePoint servers?

I go to Active Directory server -> Run -> compmgmt.msc -> Local Users and Groups -> Users -> New User.

Is that it, or will there be some other actions?
0
 
LVL 7

Expert Comment

by:joensw
Hi, yes.
0
 
LVL 57

Expert Comment

by:Mike Kline
I was talking about on the database and SharePoint server... sorry if that was not clear.

Thanks

Mike
0
 

Author Comment

by:kastro Abbasi
OK.

If I create users in the local administrators group on both machines, is there any need to create this account in Active Directory?

For example, I have created a user named "ayaz" on both the database and SharePoint servers. Should I create the same account in Active Directory?

Moreover, both of these machines need each other for some installations. I need administrative access.
0
 
LVL 6

Expert Comment

by:netjgrnaut
I think what Mike is driving at is putting a Domain User into the respective server local Administrators groups.  That way, you're using the same account for both (assuming that's what you want) - rather than two different accounts.  Further, the domain account can be used for single sign on to other domain resources (file/print/Exchange/etc) without admin privileges.

But... using the server local Administrators group may be over-provisioning access.  Does this user need OS-level admin to the servers hosting SQL and SharePoint?  Or are you trying to make the user an admin of the SQL and SharePoint instances only?  If the latter, then it would be better to grant the admin privs at the instance level.

And... generally best practices would indicate using an AD (domain) group for each set of privileges (there's no logical relationship between SQL admin and SharePoint admin per se).  The AD group would either be granted the appropriate privs at the instance level, or nested into the two server local Administrators groups - depending on how fine-grained you want your admin access model to be.  Then you would add the domain user account to each group.  Subsequent SQL admins (who might not always overlap SharePoint admins) would be added to the "SQL_Admin" domain group, and so on...

If you want to get a little more specific about which of these approaches suits you, I'd be happy to provide a quick "click here, then here" style walk-through.

Hope that helps!
0

 
LVL 16

Expert Comment

by:Syed_M_Usman
Dear,

1) You cannot have a local administrator on your AD server. Once you have AD installed on a server, the server becomes a DC or RODC and all local administrator user accounts are lost.

2) By default, Domain Administrator has full access to all servers/computers in the network.

3) If you want to have administrator privilege on any server (other than your AD server), you have many options:

Option 1: If you want to be a SQL or any database administrator, I would suggest you create your own user with administrative privilege, for example Ayaz as a member of the SQL or administrator group.

Option 2: If you need to have administrator access on any application, you can have admin rights at the application level.
I know many applications have two levels of administrators: DB and application.
0
 

Author Comment

by:kastro Abbasi
I want to create an administrator user in Active Directory who has access to SQL and SharePoint only.
0
 

Author Comment

by:kastro Abbasi
I mean the admin user with complete OS-level access, including SQL and SharePoint, on both servers.
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
Dear,

1) Once you install SQL Server on any domain member, SQL Server will automatically create security groups (refer to attached). If you want any user to have admin rights, you can simply add the user to the desired security group.

Allow/deny permissions are the responsibility of AD system administrators. If you are not one, I would suggest checking with your AD SA, but if you are the SA for AD and don't know, you can simply ask the SQL SA to let you know which security group has admin rights; then you can add any user to the group via AD.

Apart from all the above, please make sure you don't install SQL on a domain controller. Refer to
http://msdn.microsoft.com/en-us/library/ms143506(v=sql.110).aspx
section: Installing SQL Server on a Domain Controller

For more info, please look at
http://msdn.microsoft.com/en-us/library/bb500442(v=sql.110).aspx
0
 
LVL 16

Expert Comment

by:Syed_M_Usman
If you want to add an existing AD user (Ayaz) to a server:

Control Panel > User Accounts > Manage User Accounts > Add > click Browse > type the name and search > once the user appears, click Next and assign as Administrator

Same procedure if you have two servers (SQL and SharePoint).

If you want to add a local user (Ayaz) to a server:

My Computer > right-click Manage > Users > Add > ayaz > OK
My Computer > right-click Manage > Groups > Administrators > Members > Add > ayaz > OK
0
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
"I mean the admin user with complete OS-level access, including SQL and SharePoint, on both servers."

I recommend using your AD user account (not local users).  I still recommend using AD groups rather than direct user membership in server local Administrators - the "one-user-at-a-time" approach doesn't scale well.

On Server 2008R2...
Start-> Run -> compmgmt.msc -> Local Users and Groups -> Groups -> Administrators -> Add -> Add

"From this location" should already show the domain of which the server is a member.  If not, you can specify the user object in DOMAIN\USER or USER@DOMAIN format.

This will grant the AD user OS-level admin access.  Depending on the SQL and SharePoint configurations, this may not be all you have to do...

For SQL 2008, look here...
http://blogs.msdn.com/b/jjameson/archive/2009/05/29/add-sysadmin-in-sql-server-2008-using-local-administrator.aspx

For SharePoint 2010, look here...
http://blog.octavie.nl/index.php/2011/11/07/creating-additional-sharepoint-2010-farm-administrators/

Hope that helps!
0
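
The group-nesting approach recommended in the accepted answer, scripted for both servers and followed by a membership review, as an added example that is not part of the original thread. The domain name CONTOSO, the host names DBSRV01 and SPSRV01, and the group SharePoint_Admin are hypothetical placeholders; SQL_Admin is the group name suggested earlier in the thread, and both domain groups are assumed to exist already.

```powershell
# Added example. PowerShell 2.0 compatible (the version shipped with Server 2008 R2).
# Run as an account that is already a local administrator on both servers.
# CONTOSO, DBSRV01, SPSRV01 and SharePoint_Admin are hypothetical placeholders.
$Domain = 'CONTOSO'
$Plan = @{
    'DBSRV01' = 'SQL_Admin'          # database server (192.168.1.10 in the question)
    'SPSRV01' = 'SharePoint_Admin'   # SharePoint server (192.168.1.11 in the question)
}
# Members normally present in local Administrators on a domain-joined server.
$Baseline = @('Administrator', 'Domain Admins')

function Get-LocalAdminMember([string]$Server) {
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its ADsPath, e.g. WinNT://CONTOSO/SQL_Admin
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

function Add-DomainGroupToLocalAdmins([string]$Server, [string]$GroupName) {
    $wanted = "WinNT://$Domain/$GroupName"
    # Skip the add when the domain group is already nested in local Administrators.
    if (@(Get-LocalAdminMember $Server) -contains $wanted) { return }
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    $group.psbase.Invoke('Add', "$wanted,group") | Out-Null
}

foreach ($server in $Plan.Keys) {
    Add-DomainGroupToLocalAdmins $server $Plan[$server]
    # Review step: list every member and flag anything outside the baseline and the plan.
    foreach ($path in Get-LocalAdminMember $server) {
        $name = ($path -split '/')[-1]
        $expected = ($Baseline + $Plan[$server]) -contains $name
        New-Object PSObject -Property @{
            Server = $server; Member = $path; Expected = $expected
        }
    }
}
```

Admin accounts are then added to or removed from the domain groups rather than touched on each server, and any row with `Expected = False` is a direct membership worth reviewing.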
 

Author Closing Comment

by:kastro Abbasi
Excellent, I have implemented netjgrnaut's solution and it helps me a lot.
0
