Resolved AD, problem setting up users with admin permission

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi there,
I'm using a vmware lab here to test active directory network for mcsa certification, so I'm having a problem that actually I don't know if is a problem or limitation, but I'm trying to setup an account for a windows xp machine as an administrator on the AD, like the normal local admin account but there is no way that it can work exactly as the local admin account. My problem is that I setup the account in the admin group in the AD, so I assume it will have admin permissions on the local machine as well, right ? but it doesn't, so I don't know what I'm doing wrong, somethime it is so confusing this local admin and AD admin, seems the same thing for me, it is like the ntfs and share permissions, take some time to understand it completely.

can you guys give me some directions please? Thank you !

 

but if not using a GPO, it is possible only to give admin permission to that account and this permission reflect locally on that computer? It is being already difficult for me to start playing with AD, so I would like to leave GPO for later as I don't have any knowledge about it yet.

I'm trying in some way to give that account admin permission to work as a local admin account. Is it possible to do this without a GPO ? thanks

 

Add the account you have created in AD to the local Administrators group on the Windows XP machine.

 

But this is what I'm trying to figure out, to use an AD account for the machine as an administrator without needing to create a local account, like, no any local user/admin, only the AD account with admin privileges, but at least for what I've done until now, doesn't matter if I add the account to the admin group, the user in that xp machine still limited :/
but thanks for the tip anyway

 

Because there is a vacancy in my work for IT and it was offered to me if I pass some tests and prove that I gained enough experience to start working in this area, so I'm rushing into it. I'm not exactly rushing into the test itself, but to learn and test lots of support procedures to be ready for the test when it comes.
It like a very rare chance to pay for my future courses and support my wife's studies.

 

You said in your original post that you added the account into an Administrator group within AD - you need to add the account to the LOCAL Administrators group on the Windows XP machine.

On the Windows XP machine right-click My Computer and click 'Manage' then expand 'Local Users and Groups' and then select 'Groups'. Double click on the Administrators group and add your AD user account to that group.

 

To make a user a local administrator, add the domain user account to the local administrators group. We do this sometimes where I work, and the 'normal' user can do anything on the local machine that is not locked out with group policy. I.E. if we set a policy that users cannot use the run command, even as local admin, they cannot use the run command.

To my knowledge, there is no way to add the user to the local admins group from the server, except with scripting. In theory, you can make the user a domain admin, which is automatically made a member of local admins, but this is definitely not advised, and something I would never do.

Hope this helps

Maria

 

Restricted Groups.

 

Thanks for that, wasn't aware of restricted groups. You learn something new every day. Will have a play about tomorrow.

 

Thank you very much, now I got it. Was exactly what I was needing to do, thanks !!!!

 

Using the procedure of adding the domain user to local admin group worked fine, I know that is not a pratical way at work but it is for my testing labs where I'm starting to learn AD, so I need to test everything possible. thanks for the advice

 

sorry if I didn't understand very well the procedure you told me, it is because it was a bit abstract for me, I'm newbie in AD, sorry
thanks for your help guys ! i really appreciate it!