4

I am running Windows Server 2003. There are a couple of user accounts that I would like to promote to Administrator accounts. I've tried several ways to do so, but I am still relatively new to setting up a server. If anyone has any ideas on how to go about promoting these users, I thank you in advance.

EDIT: I should probably mention that this a domain controller. I didn't realize that this changed the answer I was looking for. I apologize, like I said before I am new to the world of servers.

EDIT #2: I've added the users to the Administrator group like most of the answer recommended, but the users don't seem to have admin rights yet. I think this might be because they are also in the Domain Users group, which I can't seem to be able to remove them from.

EEAA
  • 109,363
  • 18
  • 175
  • 245
Adam P
  • 141
  • 1
  • 1
  • 4
  • What is your goal in giving these users additional access? Do they need to be able to do something in particular? For whatever they need, do they need to have this access across your entire domain (all servers and workstations), or just on this single domain controller? – Paul Kroon Nov 26 '10 at 22:40

5 Answers5

4

When in computer management instead of going to "users" go to the "groups" section. Open up the administrator group and add the users to that group.

Edit:

You should be able to open up Administrative Tools -> Computer Manager -> Expand Local Users and Groups and find the group section - UNLESS there is some sort of domain policy not allowing you to see this group. It's entirely possible YOU are not a local administrator of that machine and therefore unable to see or make these changes?

If you want to do it at the domain level:

You need to log into the domain controller and open up users and groups and add the people to the domain admins group (IF you want them to be domain administrators)

Dave Holland
  • 1,898
  • 1
  • 13
  • 18
  • 1
    There is no groups section. I think this has something to do with the fact that my server is a domain controller. I've updated my original post. – Adam P Nov 24 '10 at 20:22
  • 1
    I've added the users to the Administrator group but they do not appear to have admin privileges. I think this is because they are also in the Domain Users group, which I don't seem to be able to remove them from. – Adam P Nov 25 '10 at 04:00
  • Domain users shouldn't be denying any access. You can be members of both local administrators and domain users and still be a local administrator. How are you determining that they don't have the privileges? – Dave Holland Nov 25 '10 at 19:19
1

I'll start by saying you should make sure you need these users to be Administrators, especially if this is a server. This gives them the ability to break things much more easily, so it's best to just delegate the specific access needed rather than give them full Administrator access.

If it's definitely necessary, you can click Start->Run and then type "lusrmgr.msc" (assuming this is not a domain controller). You'll see Users and Groups on the left, and if you go into Groups you'll see the Administrators group. If you are working in a Windows domain, I'd suggest creating a group in Active Directory to add into this Administrators group, and then add all of your users to that new group. This will make it easier to manage as it is not difficult to forget which users have direct membership to the local admin group. If that's not your situation, just go ahead and add the users to the Administrators group.

Paul Kroon
  • 2,250
  • 1
  • 16
  • 20
  • I've added the users to the Administrator group but they do not appear to have admin privileges. I think this is because they are also in the Domain Users group, which I don't seem to be able to remove them from. – Adam P Nov 25 '10 at 03:59
0

When promoting a server to a DC, the computer local groups are converted to Domain Builtin groups. Adding the users to the Domain\Builtin administrators group will make them domain admins by virtue of nested group membership.

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • I've added the users to the Administrator group but they do not appear to have admin privileges. I think this is because they are also in the Domain Users group, which I don't seem to be able to remove them from. – Adam P Nov 25 '10 at 03:58
0

I think there's two Builtin Active Directory groups you might want to consider adding these users to based on what tasks you'd like them to perform. The groups are the Server Operators group and the Administrators group. Look below for more detailed information about what rights each group would afford users. I pulled from the information from this site.

Server Operators:
On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution.

Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system.

Administrators:
Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution.

Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Additional Information:
You can add a user to a group from the Windows 2003 Server by opening Active Directory Users and Computers (ADUC). The quickest way to open ADUC is by going to Start, Run, and running the command "dsa.msc". With ADUC open, browse to a users to modify, right click, select properties, go to the "Member Of" tab and choose "Add". In the window that opens, type in the name of the group you'd like to add them to and press Ok.

I hope you find the information helpful.

CurtM
  • 2,960
  • 1
  • 17
  • 11
  • I've added the users to the Administrator group but they do not appear to have admin privileges. I think this is because they are also in the Domain Users group, which I don't seem to be able to remove them from. – Adam P Nov 25 '10 at 03:59
  • The permissions are additive, so their membership in domain users is not a problem. How are you testing whether or not they have proper permissions? A couple of tips. One, the users will need to login after you change their permissions to have their rights updated within their current session. Also, running gpresult /r will show which groups the user has in permission to in the active session. The group membership result in gpresult should match what you see in the properties screen within ADUC. – CurtM Nov 25 '10 at 04:32
0

Had the same problem an hour ago. Add the user to Domain Admins group on DC, and Doamin Admins should have the right to be admins on domain computers. It worked for me 5 minutes ago.

csikiati
  • 21
  • 1
  • 5
  • 2
    It's really not a good idea to make users domain admins if they only need to be admin on certain computers. I recommend you undo that urgently. – John Gardeniers Oct 12 '12 at 09:35
  • I know that. In my case I needed a Domain Admin, because setting up local users on dozens of servers of the fleet to be local Admins for one specific persons just wouldn't worth the time. – csikiati Oct 12 '12 at 10:11
  • @csikiati: It's not really that hard to grant a list of users, or groups, local admin, but not Domain, privileges. That's the kind of things that GPOs were designed to do. – Scott Pack Oct 13 '12 at 21:13