mr-kenny
asked on
Windows 2008 R2: AD, no local Admin rights
Hi,
I have two Windows Server 2008 R2 servers in my Hyper-V test environment. One has the role of a domain controller and the other is a normal server. In the AD I've created a user and added him to the Domain Admins. I've joined the other server to the domain and added my AD user to the local Admin group, but when I log in with my AD user I have no admin rights.
I have no idea why. Maybe the problem has something to do with the User Access Control policy on the DC? I have no idea what else I can try to give my AD user admin rights on the server (by the way, when I log in with my AD user on the DC everything works fine: I have admin rights on the DC, but not on the other server).
I would be happy for some suggestions on what I can try to make this work.
ASKER
I can log on to the second server, but if I try to open Computer Management, for example, Windows tells me "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item." I can't disable UAC for the domain user under "User Accounts", "Change User Account Control Settings" because I can't access it.
Can you log on as the domain administrator account on the second server?
ASKER
Yes, I can log on.
ASKER CERTIFIED SOLUTION
ASKER
When I do a "whoami /groups" I see "BUILTIN\Administrators Group used for deny only".
If I disable or enable the Group Policy on the DC it works sometimes and sometimes not. Also, if I change something in the UAC policy, it works sometimes, but I can't tell why.
ASKER
This worked, thanks. I guess the reason why this did not work the first time I joined the domain was the duplicate SID I had because of the VHD copies.
What are you attempting to do on the second server? Can you log on? Do you have UAC enabled on the second server?