Can't make Domain User a Local Admin

    Question

  • Hi Folks,

    I'll speed through this pretty fast so as not to bore you. I'm not a domain/server admin, so this is likely me making a mistake, although it does sound like a bug.

    Both servers are 2008 R2

    1. Setup DC with DCPROMO, Fixed IP Address
    2. Setup another Server, Fixed IP Address and DNS of the DC
    3. Create a basic User on DC in AD
    4. Test Login on the member for the Domain User works okay - it does
    5. On an Admin account on the member I add the Domain User to local administrators group.

    After clicking Apply the domain user disappears from the window (leaving just Administrator). If I try to re-add it says that the user is already part of the Administrators Group. When I log on as the domain user I find that it has no administration rights.

    This is just for personal development purposes, not for production, so best practices. The setup is running on Hyper-V R2, Windows Server 2008 R2 64-bit VHD (Eval) x2.

    I don't think this sounds right; has anyone else seen this, or can anyone provide any recommendations?

    Cheers,
    Cakes
    Wednesday, December 02, 2009 12:04 PM

Answers

  • Hi Guys,

    Success! It turns out (and I realise how) that both VMs (DC and Member) had the same SID. So I downloaded the evaluation as an ISO rather than a VHD, installed it, changed to a static IP and the DNS of the DC, added the member to the domain, then added a domain user into the Administrators group first time, no problems. So although I had been taking the right steps, the problem was that I was daft enough to duplicate the VHDs and bring them online thinking changing the machine name was enough. As it happens I found a copy of NewSID 4.1 and gave it a test run on the 'bad' member; after a few minutes it crashed, restarted the machine, and then BSOD. No biggy now but good to note. I'll have a look at how SYSPREP works in case I ever need it.

    Many thanks for all your replies, very much appreciated the advice.

    Cheers!
    Cakes
    • Marked as answer by Cakes Friday, December 04, 2009 6:19 PM
    Friday, December 04, 2009 6:19 PM
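The accepted answer traces the problem to two VMs cloned from one VHD and therefore sharing a machine SID. The following PowerShell script is an added example, not code from the thread: it derives each host's machine SID from the built-in Administrator account (whose SID is always the machine SID followed by RID 500) and warns when two hosts share one. It assumes the hypothetical member server names MEMBER01 and MEMBER02 and that remote WMI is permitted from where you run it; it is written for member servers and workstations, since on a domain controller the RID-500 account is the domain Administrator.

```powershell
# Added example (not from the thread): detect cloned machines by comparing machine SIDs.
# Assumes the hypothetical host names MEMBER01 and MEMBER02 and remote WMI access to both.
param(
    [string[]]$ComputerName = @('MEMBER01', 'MEMBER02')
)

function Get-MachineSid {
    param([string]$Computer)
    # Local accounts report the computer name as their Domain in Win32_UserAccount,
    # and the built-in Administrator is always <machine SID>-500. Stripping the RID
    # (AccountDomainSid) leaves the machine SID itself.
    $acct = Get-WmiObject -ComputerName $Computer -Class Win32_UserAccount `
        -Filter "Domain='$Computer' AND SID LIKE '%-500'"
    if (-not $acct) { throw "No RID-500 local account found on $Computer" }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($acct.SID)
    return $sid.AccountDomainSid.Value
}

# Written for PowerShell 2.0 (Server 2008 R2 default), hence New-Object PSObject
# rather than [pscustomobject] and no member enumeration on arrays.
$results = foreach ($c in $ComputerName) {
    New-Object PSObject -Property @{
        Computer   = $c
        MachineSid = (Get-MachineSid -Computer $c)
    }
}
$results | Format-Table Computer, MachineSid -AutoSize

$distinct = @($results | ForEach-Object { $_.MachineSid } | Sort-Object -Unique)
if ($distinct.Count -lt @($results).Count) {
    Write-Warning 'Two or more hosts share a machine SID: the image was cloned without being generalized.'
    # Supported fix: rebuild from media, or run Sysprep on the template before cloning it.
    Write-Warning 'Generalize the template before cloning: sysprep.exe /generalize /oobe /shutdown'
} else {
    Write-Host 'All machine SIDs are unique.'
}
```

Run it once from any domain-joined host with the names of the machines you built from the same image; the single-host form (`-ComputerName $env:COMPUTERNAME`) is handy for recording a template's SID before you clone it.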

All replies

  • Hi Cake,

    On Step 5 that you explain, which computer did you add the account on: the client computer, the server, or another one? Which one?
    Thana
    Thursday, December 03, 2009 3:34 AM
  • I need clarification.

    1. Is the second computer (your # 2) not a DC and joined to the domain?

    2. What user added the domain user to the local Administrators group on the second computer?

    3. Is the domain user logging into the second computer?

    4. How do you know the domain user does not have administrator rights on the second computer?

    Richard Mueller
    MVP ADSI
    Thursday, December 03, 2009 3:39 AM
  • Hi Guys,

    I'll refer to the DC as DC, and the second server as Member to make it a bit less confusing.

    Richard..

    1. Yes the member is just a flat install of Server 2008 R2 (an MS VHD), and joined to the domain successfully 'Welcome to the Domain xx'

    2. The domain user is added to the Administrators group on the member by the Administrator Login (the default 'Administrator' login you get with the VHD)

    3. The domain user can log on to the member successfully

    4. The domain user has no permissions to perform administrative tasks, i.e. it cannot add new users, it cannot enter Computer Management etc., nor can it install applications (SQL Server). I'll dig out the exact message when I return tonight.


    ThanaPha..

    1. The Domain user is created successfully on the DC as a basic user, and I can log on to the Member with that Domain user.

    The problem's recreatable by simply having 1 DC and 1 Member Server: create the domain user in AD on the DC, then attempt to add that Domain user to the Administrators group on the Member with the member's Administrator login. When you add it to the group it'll show in the window; click Apply and it'll disappear; try to add it again and it'll say that the user has already been added. Log on with that Domain user and it does not have administrator privileges.

    Thanks for your replies, will update shortly after attempt number 10.

    Cakes
    Thursday, December 03, 2009 11:11 AM
  • An important point. On new OSs (like Vista, Win7, Windows Server 2008) when you log on with administrator privileges (an account that is a member of the local Administrators group, for example), this does not mean you can perform any tasks. You must use the "Run as administrator" feature. For example, when you run a setup program you must right-click the executable and select "Run as administrator". When I run command line utilities that require admin privileges I right-click a shortcut to cmd.exe and select "Run as administrator" to start a command prompt with sufficient privileges. Otherwise the process will run with limited privileges and many things will fail.

    Finally, at a command prompt on the computer you can check local group membership. For example:

    net user <username>

    will show everything about the user, including domain group membership and local group membership.

    There still may be something going on, if when you view membership it seems to disappear. But the only process I know that will do that is Group Policy Restricted Groups. This is used to manage sensitive group memberships by policy, but I am unaware of any such policy being enforced by default. If you had done it you would know about it.

    Richard Mueller
    MVP ADSI
    Thursday, December 03, 2009 4:51 PM
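The reply above makes two separate checks: whether the process you are in is actually elevated under UAC, and whether the account really is in the local Administrators group. The PowerShell script below is an added example, not code from the reply or the thread, that performs both on a Server 2008 R2 member: it tests the current token for elevation, enumerates local Administrators through the WinNT ADSI provider (Get-LocalGroupMember does not exist on that OS), and checks the domain account by SID rather than by name, since that is how group membership is actually stored. It assumes the hypothetical domain CONTOSO and user jdoe.

```powershell
# Added example (not from the thread): verify UAC elevation and inspect local Administrators.
# Assumes the hypothetical domain CONTOSO and user "jdoe"; substitute your own names.
param(
    [string]$Domain = 'CONTOSO',
    [string]$User   = 'jdoe'
)

# 1. Is this process elevated? On Vista/2008 and later an administrator's interactive
#    logon gets a filtered token unless the program was started with "Run as administrator",
#    so membership alone does not grant admin rights to the running process.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Running as {0}; elevated: {1}" -f $identity.Name, $elevated)

# 2. Enumerate local Administrators via the WinNT provider (works on 2008 R2 / PowerShell 2.0).
#    Each member is a COM object, so its properties are read through InvokeMember.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $path     = $_.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $_, $null)
    $sidBytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    New-Object PSObject -Property @{ Path = $path; Sid = $sid.Value }
})
$members | Format-Table Path, Sid -AutoSize

# 3. Resolve the domain account to its SID and look for that SID in the group.
#    A member SID that no longer resolves to a name appears as a bare "S-1-5-21-..." entry,
#    which is the symptom to look for when account SIDs on the two machines are unreliable.
$acct    = New-Object System.Security.Principal.NTAccount($Domain, $User)
$acctSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
$memberSids = $members | ForEach-Object { $_.Sid }
if ($memberSids -contains $acctSid) {
    Write-Host "$Domain\$User is a member of local Administrators (SID $acctSid)"
} else {
    Write-Host "$Domain\$User is NOT a member of local Administrators"
}

# 4. The net.exe view the reply recommends, for comparison with the ADSI listing.
net localgroup Administrators
```

Run it from an elevated prompt on the member server; if step 1 reports `elevated: False` while step 3 finds the account in the group, the missing rights are a UAC token issue rather than a membership issue, which is exactly the distinction the reply draws.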
  • Hi cakes,

    Please capture pictures of this problem so that we could better understand this situation. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload screenshots and then give us the download address.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, December 04, 2009 10:37 AM
    Moderator