Solved

Windows Server 2008 R2 Create a User Account and make the account a local admin.

Posted on 2013-01-01
Last Modified: 2013-01-11
Hi,

I've created a user account in Active Directory on a Windows 2008 R2 Server. I'm curious how to give that user local admin rights.

I've tried adding the user to the Builtin Admin group and running the command "GPUPDATE /F" to update group policies, but it did not work. When the user installs programs, they get prompted to enter Administrator credentials.

Thank you.
0
Question by:Computers4me
18 Comments
 
LVL 7

Expert Comment

by:armchang
ID: 38734973
You can try to disable User Account Control, as this is a system-wide setting for all users every time a user installs a program.

You can follow this link: Turn off UAC for Windows Server 2008 R2
0
 
LVL 40

Expert Comment

by:footech
ID: 38734977
Local admin rights to what?  Every machine, a specific one?

If you want it to be a local admin of every machine, the user either needs to be a member of a group that is already a member of the local Administrators group (like Domain Admins), or you can define the membership of the local Administrators group using group policy, where you would configure the "Restricted Groups" setting and make the user a member.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 38734978
You're not clear about what you're trying to do.

Are you trying to make a DOMAIN USER a member of the LOCAL ADMINS on a DOMAIN CONTROLLER?  If so, you CANNOT - there are no local accounts or groups on a DC.  For the user to have admin access, they need to be a domain admin.

Are you trying to make a DOMAIN USER a member of the LOCAL ADMINS on a SERVER or a WORKSTATION?  If so, then you need to put the user account in the local admins group of the machine in Computer Management.  

NOTE: once a user is in that group, they MUST log out and log in again before the credentials take effect - when a user logs in, a token is generated indicating what groups they are a member of - it is NOT updated.  So if you add them to the admin group, it won't take effect until they log out and log back in, generating a new token.  (A reboot, obviously, also works.)

The advice to disable UAC is, in my opinion, VERY POOR - Disabling UAC, even for an experienced admin should NOT BE DONE unless it's the only possible option.
0
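Added example, not part of the original thread: a PowerShell 2.0-compatible sketch of the steps described in the comment above (refuse to run on a domain controller, add a domain user to a member machine's local Administrators group, then review the membership). The domain `CONTOSO`, the account `Userxyz` and the helper name `Get-LocalAdminPaths` are placeholders chosen for illustration.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the member machine.
param(
    [string]$Domain = 'CONTOSO',   # placeholder NetBIOS domain name
    [string]$User   = 'Userxyz'    # placeholder account name
)

# DomainRole 4 = backup DC, 5 = primary DC. A DC has no machine-local groups,
# so stop instead of touching the domain's Builtin\Administrators group.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning "$env:COMPUTERNAME is a domain controller; no local Administrators group to edit."
    return
}

$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$target = "WinNT://$Domain/$User"

function Get-LocalAdminPaths {
    # ADsPath of each current member, e.g. WinNT://CONTOSO/Domain Admins
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

if (@(Get-LocalAdminPaths) -contains $target) {
    Write-Output "$Domain\$User is already a local administrator."
} else {
    $group.Add("$target,user")
    Write-Output "Added $Domain\$User. The change applies to tokens issued at the next logon."
}

# Review the resulting membership; every entry here has full control of the machine.
Get-LocalAdminPaths | Sort-Object

# After the user logs off and on again, confirm from their session with:
#   whoami /groups | findstr /i "Administrators"
# With UAC on, an unelevated session lists the group as "Group used for deny only".
```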
 
LVL 7

Expert Comment

by:armchang
ID: 38735010
"The advice to disable UAC is, in my opinion, VERY POOR - Disabling UAC, even for an experienced admin should NOT BE DONE unless it's the only possible option."

This is true, but there is another way of doing it without disabling it entirely. To allow admins to have a disabled UAC, you can use the group policy editor to change the setting to: "Change this setting to Elevate Without Prompting to provide administrative privileges automatically" so that it will not be disabled for users without admin privileges.

This is the node for the policy settings: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
0
 

Author Comment

by:Computers4me
ID: 38735033
What I'm trying to accomplish is to make a Domain User on a Server have Administrator privileges so that when that user is logging in from a remote computer (connected to the domain controller) they can install programs and updates on their local machine.
0
 

Author Comment

by:Computers4me
ID: 38735042
Right now, for instance, when on the remote computer I can log in (Control-Alt-Delete) and enter the credentials of the user. Every time, let's say, a Flash update comes up, it would prompt that the current user does not have sufficient privileges to execute the command.
0
 
LVL 7

Expert Comment

by:armchang
ID: 38735079
Based on your reply, if you have set the security settings on the server, you may have to add domain admins into the administrators on each remote machine. It will have this user in the remote PC in "DOMAIN/DomainUser" format in order for the securities to take effect. Re-login and test.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 38735174
Still not clear to me.

"What I'm trying to accomplish is to Make a Domain User on a Server have Administrator privileges"

Is the Server a Domain Controller or a Member Server?  This is hugely important and you're not telling us so far.

"Every time, let's say, a Flash update comes up, it would prompt that the current user does not have sufficient privileges to execute the command."

What does this have to do with your previously stated goal (quoted first)?  Do you have Flash installed on the server?!?!?!?  RDP shouldn't care who runs it so the fact they are getting prompted for admin rights to do a flash update should be irrelevant.  UNLESS Flash is on the server.  In which case, AGAIN, IS THE SERVER A DC?

Pictures help A LOT!  Take some screen shots and post them.
0
 

Author Comment

by:Computers4me
ID: 38735186
Server is a Domain Controller.
I don't want to RDP.
When joining a Terminal PC (located in another office) to a Domain Controller, the user account in Active Directory sets the permissions on that Terminal. I just don't understand why I can't give certain users more permissions and other users standard permissions.
0
 

Author Comment

by:Computers4me
ID: 38735225
Sorry,
I just thought that mentioning Active Directory would mean that the server was a Domain Controller.
0
 
LVL 7

Expert Comment

by:hirenvmajithiya
ID: 38735524
As per your requirement, you have to add a user to local administrators group on that specific server.

Open server manager in server, then add that AD user in "Administrators" group and then....
that's all.
0
 

Author Comment

by:Computers4me
ID: 38735630
Where in Server Manager do you do that??
0
 
LVL 40

Expert Comment

by:footech
ID: 38735641
I'm having trouble understanding you.  First you said
"...when that user is logging in from a remote computer..."
which to me means that you are using an RDP connection from a remote computer to the server you're asking about.  But then you say
"...I don't want to RDP..."
Next, you say
"When joining a Terminal PC ( located in another office) to a Domain Controller the user account in the active directory sets the permissions on that Terminal."
I just don't know how to interpret this.  I assume by Terminal PC you're not referring to a Terminal Server, but just something like a standard workstation.  But what do you mean by "joining" - joining to the domain, or just logging on to it?

However, maybe the fact that I don't understand what you're describing isn't important.  If this is a domain controller, any user that is a member of BuiltIn\Administrators should not encounter a prompt for any other credentials, though I would strongly advise that only Domain Admins should be allowed administrative permissions on any DC.  For any other workstations or servers that are members of the domain, it has already been mentioned how to make a domain user an administrator of that computer.
0
 

Author Comment

by:Computers4me
ID: 38735643
Thank you Guys for all your help. Figured out how to solve my problem.
0
 

Author Comment

by:Computers4me
ID: 38735646
I added the user in Active Directory to the Built-in Administrators group; it didn't do anything. I tried adding the user to the Domain Admins group; still nothing. Then I tried the group "Enterprise Admins" and now the account is doing exactly what I needed.
0
 

Author Comment

by:Computers4me
ID: 38735669
**An update**

That's really strange. I was able to log in on the computer using a user's Active Directory credentials but none of the policies to any groups followed. So in the login window I entered:

User: (Domain) \ Userxyz
Password: ********

This login worked but no group policies followed:
user: Userxyz
Password: ******

And all the Group Policies worked, so I deleted Enterprise Admins and it's still working. I can't believe it was something as crazy as that.
0
 

Author Comment

by:Computers4me
ID: 38735670
But Userxyz isn't a user on that local computer.
0
 
LVL 7

Accepted Solution

by:
armchang earned 250 total points
ID: 38736413
"But Userxyz isn't a user on that local computer."

This means that the user Userxyz was indeed created from the remote server, and after that it was taken into the local PC as either Domain or Enterprise Admin.

One thing you need to check, though, is that you need to restart the computer so that the changes are fully in effect, rather than just re-logging in as I said in my post ID: 38735079.
0
