Add permissions for local workstation client
in [Windows Servers]
|
Prev: new forest domain setup not allowing domain logins
Next: Doesn't file sharing really need "NetBios over TCP" in Win2000/XP?
From: Terry on 4 Mar 2010 07:45 Administrator I want to give a domain user administrative rights to the local machine. I go to users and groups select the administrators group, click add, and select from the "Entire Directory" sub: "domain.local" select the user I need to add. However on a Small Business Server Domain; a local workstation logged in as the Domain Administrator if I want to give a domain user administrative rights to the local machine. I go to users and groups select the administrators group, click add, there is NO “Entire Directory sub: domain.local” only the local machine name. Thus I cannot add a domain user to the administrator group on the local machine. Is this unique to Small Business Server or is there a problem with the network. If this is a network error, can I assume it is a DNS or NetBios error?
From: Chris M on 4 Mar 2010 09:04 On 04/03/2010 12:45, Terry wrote: > Administrator I want to give a domain user administrative rights to the local > machine. I go to users and groups select the administrators group, click add, > and select from the "Entire Directory" sub: "domain.local" select the user I > need to add. > > However on a Small Business Server Domain; a local workstation logged in as > the Domain Administrator if I want to give a domain user administrative > rights to the local machine. I go to users and groups select the > administrators group, click add, there is NO “Entire Directory sub: > domain.local” only the local machine name. > Thus I cannot add a domain user to the administrator group on the local > machine. > > Is this unique to Small Business Server or is there a problem with the > network. If this is a network error, can I assume it is a DNS or NetBios > error? It's because it's a domain controller. Domain Controllers have no concept of 'local groups', at least in 2003 and below anyway. 2008 does have something called Role Separation which allows you to make people local administrators of DCs but I believe that they need to be RODCs in order for this to work. There is a domain-level BUILTIN\Administrators group but adding someone to this group this is not the same thing as making them a local admin of the domain controller itself. -- Chris M.
From: Ace Fekay [MVP-DS, MCT] on 4 Mar 2010 11:05 "Terry" <Terry(a)discussions.microsoft.com> wrote in message news:59DB2990-521A-496A-9B8D-A34F41435426(a)microsoft.com... > Administrator I want to give a domain user administrative rights to the local > machine. I go to users and groups select the administrators group, click add, > and select from the "Entire Directory" sub: "domain.local" select the user I > need to add. > > However on a Small Business Server Domain; a local workstation logged in as > the Domain Administrator if I want to give a domain user administrative > rights to the local machine. I go to users and groups select the > administrators group, click add, there is NO âEntire Directory sub: > domain.localâ only the local machine name. > Thus I cannot add a domain user to the administrator group on the local > machine. > > Is this unique to Small Business Server or is there a problem with the > network. If this is a network error, can I assume it is a DNS or NetBios > error? Did you select "Change Location" to choose the domain instead of the local machine? -- Ace This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution. Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 Microsoft Certified Trainer Microsoft MVP - Directory Services If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
From: Chris M on 4 Mar 2010 11:10 On 04/03/2010 14:04, Chris M wrote: > On 04/03/2010 12:45, Terry wrote: >> Administrator I want to give a domain user administrative rights to >> the local >> machine. I go to users and groups select the administrators group, >> click add, >> and select from the "Entire Directory" sub: "domain.local" select the >> user I >> need to add. >> >> However on a Small Business Server Domain; a local workstation logged >> in as >> the Domain Administrator if I want to give a domain user administrative >> rights to the local machine. I go to users and groups select the >> administrators group, click add, there is NO “Entire Directory sub: >> domain.local” only the local machine name. >> Thus I cannot add a domain user to the administrator group on the local >> machine. >> >> Is this unique to Small Business Server or is there a problem with the >> network. If this is a network error, can I assume it is a DNS or NetBios >> error? > > It's because it's a domain controller. Domain Controllers have no > concept of 'local groups', at least in 2003 and below anyway. 2008 does > have something called Role Separation which allows you to make people > local administrators of DCs but I believe that they need to be RODCs in > order for this to work. > > There is a domain-level BUILTIN\Administrators group but adding someone > to this group this is not the same thing as making them a local admin of > the domain controller itself. > Ignore my post - I misread your original post and assumed you were logging into the SBS server itself. Never mind! -- Chris M.
From: Terry on 4 Mar 2010 17:42
Yes, I selected change location. I could only see the "local" machine not the entire directory. I have a screen shot of the "select" location if needed. "Ace Fekay [MVP-DS, MCT]" wrote: > "Terry" <Terry(a)discussions.microsoft.com> wrote in message news:59DB2990-521A-496A-9B8D-A34F41435426(a)microsoft.com... > > Administrator I want to give a domain user administrative rights to the local > > machine. I go to users and groups select the administrators group, click add, > > and select from the "Entire Directory" sub: "domain.local" select the user I > > need to add. > > > > However on a Small Business Server Domain; a local workstation logged in as > > the Domain Administrator if I want to give a domain user administrative > > rights to the local machine. I go to users and groups select the > > administrators group, click add, there is NO “Entire Directory sub: > > domain.local†only the local machine name. > > Thus I cannot add a domain user to the administrator group on the local > > machine. > > > > Is this unique to Small Business Server or is there a problem with the > > network. If this is a network error, can I assume it is a DNS or NetBios > > error? > > > Did you select "Change Location" to choose the domain instead of the local machine? > > -- > Ace > > This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. > > Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution. > > Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 > Microsoft Certified Trainer > Microsoft MVP - Directory Services > > If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers. > . > |