Administrator vs. Domain Administrator

    Question

  • Hi,

    I notice that when I use the actual administrator account vs domain administrator I have more rights (less UAC popups and under the domain admin account I can't save a login script).

    What are the differences between the two and can I give a domain admin account the same rights as the main admin account?

    Thanks!
    Allen
    Monday, May 11, 2009 11:47 PM

All replies

  • Hello,

    The Administrator account administers the computer/domain and has complete and unrestricted access to the computer/domain, whereas the Domain administrator has unrestricted access for just the domain. Yes, you can give the Domain Admin account the same rights as the main admin account by adding the Domain Admins to the Administrators group.
    Isaac Oben MCITP:EA, MCSE
    Tuesday, May 12, 2009 1:49 AM
  • Hmmmm... I am still missing something here... I only have one domain... and I added that user (that was in the domain admins group) to be a member of Administrators as well.  Still can't edit and then save login scripts...

    Getting popup box that says:

    Cannot create the
    \\ccwtech.com\SysVol\ccwtech.com\Policies\{2D1D11-BDBC-40-51-ABAA-888AD8419E7D\User\Scripts\Logon\Logon.vbs file.

    Make sure the path and file name are correct.

    I am going into Computer settings, logon script under GP Editor so I would think it should be the correct path...  Seems like maybe I don't have permissions to write to that directory but as domain admin and admin shouldn't I be able to?  NTFS shows that domain admins would have full control....

    But also one thing I noticed is that under this profile, when I open that area up, the script isn't even in that directory, it's in \\ccwtech.com\sysvol\scripts

    Not sure what's going on.... is this normal?
    Tuesday, May 12, 2009 2:17 AM
  • Are you talking about the built-in Administrator account as opposed to a domain account with admin privilege?

    Under Vista/Server 2008 these are not equal, because of UAC. A domain account with admin privilege will require elevation to perform some tasks. It does not run with elevated privilege by default.
    Bill
    Tuesday, May 12, 2009 2:50 AM
  • Yes, I think... basically I can live with the UAC difference... I just can't edit the script under this user... That's my real issue I suppose.

    Allen

    Tuesday, May 12, 2009 3:17 AM
  • Allen,

    Go to your C:\Windows\Sysvol and right click Properties, Security tab, and make sure Administrators or the user in question have full control.

    Also, for a GPO logon\logoff script you have to go to User Configuration\Windows Settings\Scripts (Logon\Logoff), and if you click on either, it should ask for a location to add from.

    Or you can have an individual user logon script and enter the path under the user's Profile tab (which you might place under Sysvol\scripts).
    Isaac Oben MCITP:EA, MCSE
    Tuesday, May 12, 2009 4:00 AM
  • Gave permissions and still no change, still same error that it can't save the file.

    Oh, and I misspoke earlier, it is within USER configuration that I am (and have been) doing the login scripts... So I had that part right I guess.
    Tuesday, May 12, 2009 4:49 AM
  • Hi,

    Thanks for the post.

    Let’s perform the following steps to assign a logon script.

    1.    Put the script files into the %SystemRoot%\sysvol\sysvol\<domain DNS name>\scripts folder.

    2.    Open GPMC (Group Policy Management Console), open the appropriate Group Policy (domain or OU).

    3.    To find the logon script settings start by clicking Edit, then navigate to the User Configuration, expand the Windows Settings folder, Scripts and Logon.

    4.    From the Logon Scripts window, click Add, in the Script Name dialog box, click Browse.

    5.    Navigate to the %SystemRoot%\sysvol\sysvol\<domain DNS name>\scripts folder and find the script file.

    6.    Refresh the Group Policy.

    7.    Now check if the script file can be run properly on each client machine.

    If this issue still cannot be fixed with the above suggestion, please configure a logon script to open NotePad.exe as a test. Does it work?

    Meanwhile, please also collect the GPMC report for checking:

    How to collect the GPMC report:

    =======================

    1.  Open Group Policy Management.  

    2.  Right click the problematic group policy object and select Save Report.

    Use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the requested files and then give me the download address.

     

    Hope this helps.

    Tuesday, May 12, 2009 5:38 AM
  • That's the ticket!  Thanks... Why does it default to the other directory when you click show files vs the directory that you had me put the script in?  Seems counter intuitive to me... but thanks for the help!
    Thursday, May 14, 2009 9:14 AM
  • Hi,

    Thanks for the update.

    Actually, this issue is caused by UAC. Please understand that only the built-in Administrator account can edit and save the script file in Windows Server 2008/Windows Vista if UAC is enabled.

    In this case, if you would like to edit and save the script file with a non-built-in Administrator account, please refer to the following steps.

    1.    Run the Notepad program under administrator user credentials (right click Notepad.exe and select Run as administrator).

    2.    Click File->Open, navigate to the location that stores the script file and then edit it.

    Hope this helps.

    • Marked as answer by Chakotay2 Thursday, May 14, 2009 12:37 PM
    Thursday, May 14, 2009 10:48 AM
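
Added example, not part of the original thread: a read-only PowerShell check that shows whether the current session is running with the UAC-filtered token described in the answer above, next to what the NTFS ACL on the scripts folder grants. The default `$ScriptsPath`, PowerShell 2.0 or later, and English-language `whoami` output are assumptions.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
param(
    # Assumption: the domain-wide scripts folder of the current logon domain.
    [string]$ScriptsPath = "\\$env:USERDNSDOMAIN\SysVol\$env:USERDNSDOMAIN\scripts"
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only when BUILTIN\Administrators is enabled in this process token.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The built-in Administrator account always has a SID ending in RID 500.
$isBuiltIn = $identity.User.Value -match '-500$'

# whoami also lists groups that UAC left in the token as deny-only.
# Assumption: English column names and attribute text.
$adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }
$denyOnly = [bool]($adminGroup -and ($adminGroup.Attributes -match 'deny only'))

# Accounts and groups the NTFS ACL allows to write to the folder.
$writers = @()
if (Test-Path -Path $ScriptsPath) {
    $writers = (Get-Acl -Path $ScriptsPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::Write)
    } | ForEach-Object { $_.IdentityReference.Value }
}

New-Object PSObject -Property @{
    User                   = $identity.Name
    BuiltInAdministrator   = $isBuiltIn
    TokenElevated          = $elevated
    AdministratorsDenyOnly = $denyOnly
    ScriptsPath            = $ScriptsPath
    AclWriters             = ($writers | Sort-Object -Unique) -join '; '
}

if ($denyOnly -and -not $elevated) {
    # The ACL may grant the group write access, but a deny-only group
    # cannot be used to satisfy an Allow entry.
    Write-Warning 'Administrators is deny-only in this token; start the editor with "Run as administrator".'
}
```

When `AdministratorsDenyOnly` is true and `TokenElevated` is false, the ACL can list the admin groups under `AclWriters` and the save will still fail, which matches the behaviour reported in the thread.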
  • Awesome, thanks for that explanation... that makes sense as far as why I was getting the behavior I did... Thank you.
    Thursday, May 14, 2009 12:37 PM
  • Hi,

    I am so glad to hear the issue has been resolved.

    If you have any questions in the future, you’re welcome to this forum.

    Friday, May 15, 2009 1:04 AM
  • Hello Miles, I have a similar problem. I want to add another administrator account in Active Directory with the same privileges as the built-in admin. I have tried many combinations, like adding users I created to the Domain Admins group, adding the same user to the local Administrators group, etc., but nothing worked.

    Here are some typical problems I have on an XP client machine (this machine is a member of the domain):

    1. Not able to change network properties

    2. Not able to access desktop properties, etc.

    Is it possible to give another user (other than the built-in administrator) full control over the domain, client machines, etc.?

    Regards

    Friday, August 13, 2010 7:50 AM