1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Resolved AD, problem setting up users with admin permission

Discussion in 'Networks' started by alebleicker, Sep 26, 2009.

  1. alebleicker

    alebleicker Bit Poster

    13
    0
    21
    Hi there,
    I'm using a vmware lab here to test active directory network for mcsa certification, so I'm having a problem that actually I don't know if is a problem or limitation, but I'm trying to setup an account for a windows xp machine as an administrator on the AD, like the normal local admin account but there is no way that it can work exactly as the local admin account. My problem is that I setup the account in the admin group in the AD, so I assume it will have admin permissions on the local machine as well, right ? but it doesn't, so I don't know what I'm doing wrong, somethime it is so confusing this local admin and AD admin, seems the same thing for me, it is like the ntfs and share permissions, take some time to understand it completely.

    can you guys give me some directions please? Thank you !
     
    Last edited: Sep 27, 2009
    Certifications: A+,N+,70-270,70-290
    WIP: MCSA
  2. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    If you create a user account in AD you can configure a GPO for the domain so that user account is added to the local admins group on the computer accounts in the domain.
     
    Last edited: Sep 26, 2009
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. alebleicker

    alebleicker Bit Poster

    13
    0
    21
    but if not using a GPO, it is possible only to give admin permission to that account and this permission reflect locally on that computer? It is being already difficult for me to start playing with AD, so I would like to leave GPO for later as I don't have any knowledge about it yet.

    I'm trying in some way to give that account admin permission to work as a local admin account. Is it possible to do this without a GPO ? thanks
     
    Certifications: A+,N+,70-270,70-290
    WIP: MCSA
  4. pete.grant

    pete.grant Byte Poster

    150
    9
    37
    Add the account you have created in AD to the local Administrators group on the Windows XP machine.
     
    Certifications: A+ IT Technician, CCENT, CEH, CPTS, CIW Security Analyst, ITIL v3 Foundation, Master CIW Administrator, MCITP (Windows Server 2008:SA), MCSA on Windows Server 2008, MCSA:Security on Windows Server 2003, MCTS (70-648, 70-652), Network+, SCNS, Security+, Server+
  5. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    10,831
    357
    341
    Instead of jumping into the MCSA, why not do the MCDST? This will help you at this stage.

    -Ken
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  6. alebleicker

    alebleicker Bit Poster

    13
    0
    21
    But this is what I'm trying to figure out, to use an AD account for the machine as an administrator without needing to create a local account, like, no any local user/admin, only the AD account with admin privileges, but at least for what I've done until now, doesn't matter if I add the account to the admin group, the user in that xp machine still limited :/
    but thanks for the tip anyway
     
    Certifications: A+,N+,70-270,70-290
    WIP: MCSA
  7. alebleicker

    alebleicker Bit Poster

    13
    0
    21
    Because there is a vacancy in my work for IT and it was offered to me if I pass some tests and prove that I gained enough experience to start working in this area, so I'm rushing into it. I'm not exactly rushing into the test itself, but to learn and test lots of support procedures to be ready for the test when it comes.
    It like a very rare chance to pay for my future courses and support my wife's studies.
     
    Certifications: A+,N+,70-270,70-290
    WIP: MCSA
  8. pete.grant

    pete.grant Byte Poster

    150
    9
    37
    You said in your original post that you added the account into an Administrator group within AD - you need to add the account to the LOCAL Administrators group on the Windows XP machine.

    On the Windows XP machine right-click My Computer and click 'Manage' then expand 'Local Users and Groups' and then select 'Groups'. Double click on the Administrators group and add your AD user account to that group.
     
    Last edited: Sep 26, 2009
    Certifications: A+ IT Technician, CCENT, CEH, CPTS, CIW Security Analyst, ITIL v3 Foundation, Master CIW Administrator, MCITP (Windows Server 2008:SA), MCSA on Windows Server 2008, MCSA:Security on Windows Server 2003, MCTS (70-648, 70-652), Network+, SCNS, Security+, Server+
  9. MLP

    MLP Kilobyte Poster

    305
    19
    42
    To make a user a local administrator, add the domain user account to the local administrators group. We do this sometimes where I work, and the 'normal' user can do anything on the local machine that is not locked out with group policy. I.E. if we set a policy that users cannot use the run command, even as local admin, they cannot use the run command.

    To my knowledge, there is no way to add the user to the local admins group from the server, except with scripting. In theory, you can make the user a domain admin, which is automatically made a member of local admins, but this is definitely not advised, and something I would never do.

    Hope this helps

    Maria
     
    Certifications: HND Computing
    WIP: 70-680, 70-270, 70-290
  10. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Restricted Groups.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  11. MLP

    MLP Kilobyte Poster

    305
    19
    42
    Thanks for that, wasn't aware of restricted groups. You learn something new every day. Will have a play about tomorrow.
     
    Certifications: HND Computing
    WIP: 70-680, 70-270, 70-290
  12. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    What he said....
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  13. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    ....what I said :biggrin

    Match of the Day is on soon, time for another beer! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  14. alebleicker

    alebleicker Bit Poster

    13
    0
    21
    Thank you very much, now I got it. Was exactly what I was needing to do, thanks !!!!
     
    Certifications: A+,N+,70-270,70-290
    WIP: MCSA
  15. alebleicker

    alebleicker Bit Poster

    13
    0
    21
    Using the procedure of adding the domain user to local admin group worked fine, I know that is not a pratical way at work but it is for my testing labs where I'm starting to learn AD, so I need to test everything possible. thanks for the advice
     
    Certifications: A+,N+,70-270,70-290
    WIP: MCSA
  16. alebleicker

    alebleicker Bit Poster

    13
    0
    21
    sorry if I didn't understand very well the procedure you told me, it is because it was a bit abstract for me, I'm newbie in AD, sorry
    thanks for your help guys ! i really appreciate it!
     
    Certifications: A+,N+,70-270,70-290
    WIP: MCSA
  17. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Thats ok mate, all part of the learning curve. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010

Share This Page

Loading...