grant local admin on Windows 2003 server

Status
Not open for further replies.

rockjockb

MIS
Sep 19, 2003
53
US
I want to do the equivalent in Windows 2000 where one would right click on My Computer>Manage>Local Users and Groups, then add a domain user to the local Administrators group.

I have a program that accesses Exchange, so I cannot add the user account to Domain Admins, etc. because it will restrict access to the Exchange mailboxes. So I need to effectively make the domain user a local admin on the domain controller. Note that I have already gone to the Group Policy Object Editor>Default Domain Controllers Policy>Computer Configuration>Windows Settings>Security Settings>Local Policy>User Rights Assignment and granted Logon Locally, Logon as a Service, etc, etc to the user account. I did a gpupdate and rebooted three times after to make sure the policy updates took, but it did not work. Now I am getting a Can't logon interactively error, but I am sure I can fix that...it's the former that I am concerned about.

TIA for your help.
 
I have granted them specific admin privileges for Exchange, but I need local admin priv's to install and run the program.

I did fix the "...can't logon interactively...." issue. I need this account to have local admin priv's, though. I have granted all admin priv's, incl. logon locally, logon as a service, add/remove drivers, etc. in the default group policy for domain controllers, but when I run the setup program, it is denied from accessing the registry.

I'll take any suggestions, even if you think it sounds stupid...please.

tia
 
Update:

I got past part of this by adding the user account to the Server Operators group. I now need to give the user Logon as a Service privileges, which I did in the Default Domain GPO, but it is not taking effect. I also edited the GptTmpl.inf file, but that didn't fix it either.

I am so close I can taste it. Any contribution appreciated.
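
Added example, not part of the original posts: a small Python audit helper that parses the [Privilege Rights] section of a GptTmpl.inf security template and reports whether an account is directly granted, missing, or explicitly denied the logon rights discussed in this thread. The template text, the EXAMPLE domain and the svc_app account are constructed for illustration.

```python
# Added example. SAMPLE_INF is constructed; domain, account and assignments are made up.
# A real GptTmpl.inf under SYSVOL is normally UTF-16: open(path, encoding="utf-16").
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,EXAMPLE\svc_app
SeServiceLogonRight = *S-1-5-20
SeBatchLogonRight = EXAMPLE\svc_app
SeDenyBatchLogonRight = example\SVC_APP
"""

# Well-known SIDs, translated to names in the output.
WELL_KNOWN = {
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-549": r"BUILTIN\Server Operators",
    "S-1-5-20": r"NT AUTHORITY\NETWORK SERVICE",
}

def parse_privilege_rights(text):
    """Return {right: [principals]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            items = [i.strip() for i in value.split(",") if i.strip()]
            # Entries prefixed with '*' are SIDs; the rest are account names.
            rights[name.strip()] = [
                WELL_KNOWN.get(i[1:], i[1:]) if i.startswith("*") else i for i in items
            ]
    return rights

def check_account(rights, account, wanted):
    """Direct entries only; rights held through group membership are not resolved."""
    acct, result = account.lower(), {}
    for right in wanted:
        deny = "SeDeny" + right[2:]  # e.g. SeDenyServiceLogonRight
        if acct in (p.lower() for p in rights.get(deny, [])):
            result[right] = "denied"  # a deny entry overrides the matching grant
        elif acct in (p.lower() for p in rights.get(right, [])):
            result[right] = "granted"
        else:
            result[right] = "missing"
    return result
```

The template shows only what one GPO assigns; the rights in force on the server are whatever the winning policy applies there.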
 
For all those who care or didn't know, in Windows Server 2003, adding a user to the builtin/administrators group gives the same effect as local admin without the consequences of being locked out of certain Exchange features. I do not believe that this was the case in Win2k Server, and certainly was not the case in WinNT Server.
 
rockjockb said:
I have a program that accesses Exchange, so I cannot add the user account to Domain Admins, etc. because it will restrict access to the Exchange mailboxes. So I need to effectively make the domain user a local admin on the domain controller.

There are no "local admins" on a domain controller... You may have discovered another "undocumented feature" of the new OS... congratulations!!

JTB
Have Certs, Will Travel
"A knight without armour in a [cyber] land."

 