Can not add Domain User to Local Admin Group Win8.1

Hello, 
I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to type in any of my domain admin accounts it says "The Username or Password is incorrect", even though I used that same account to log in with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on but 90% of them it won't allow me to add the local user to the local admin group.
DCs are running Win Server 2008 R2 Enterprise. 
Any help would be greatly appreciated. 
Thank You

I would suggest you use Restricted Groups (via GPO) to add domain users/groups to the local admins group.
1. Create a new group in Active Directory
Create a new group in Active Directory that you wish to add to every workstation's local administrators group. DO NOT add any users to this group at this time.
2. Create a new GPO
Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU containing the WORKSTATIONS over which you want to give users local administrative rights.
3. Edit the newly created GPO
Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
4. Add your new Active Directory group to the Restricted Group
Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
5. Add the Restricted Group to the local administrator group
In the Restricted Group Properties window click "Add" under the section titled "This group is a member of:". Type "Administrators" (without the quotes, and yes, it is plural) in the Group Membership window and click "OK"
6. Wait for GPO updates to apply to the workstations
Once your users receive their updated group policy settings, every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.
7. Add a user or group of users to the Active Directory Restricted Group
When you are ready, or in a position where you need to provide local workstation admin rights, you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management Console.
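
A check for step 6, added here as an example and not part of the original answer: it reads the local Administrators group through the WinNT ADSI provider, confirms that the Restricted Groups AD group has arrived, and flags every member that is not on an allow-list. The group name `CONTOSO\Workstation-Admins` and the allow-list contents are assumptions.

```powershell
# Added example, not from the original thread.
# Assumptions: 'CONTOSO\Workstation-Admins' stands in for the AD group created in step 1,
# and $AllowList is a hypothetical list of principals expected to hold local admin rights.
# Names use the NetBIOS domain form because that is what the WinNT provider returns.
param(
    [string]   $ComputerName  = $env:COMPUTERNAME,
    [string]   $ExpectedGroup = 'CONTOSO\Workstation-Admins',
    [string[]] $AllowList     = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins')
)

function ConvertFrom-WinNTPath {
    # Turns an ADsPath from the WinNT provider into a readable principal.
    #   WinNT://DOMAIN/name            -> domain account or group
    #   WinNT://DOMAIN/COMPUTER/name   -> account local to COMPUTER
    #   WinNT://S-1-5-21-...           -> SID that no longer resolves (deleted account)
    param([string]$AdsPath)
    $parts = ($AdsPath -replace '^WinNT://', '') -split '/'
    switch ($parts.Count) {
        1       { [pscustomobject]@{ Name = $parts[0]; Scope = 'UnresolvedSid' } }
        2       { [pscustomobject]@{ Name = "$($parts[0])\$($parts[1])"; Scope = 'Domain' } }
        default { [pscustomobject]@{ Name = "$($parts[-2])\$($parts[-1])"; Scope = 'Local' } }
    }
}

function Get-LocalAdministrator {
    # Enumerates the members of the local Administrators group on one computer.
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ConvertFrom-WinNTPath -AdsPath $path
    }
}

$members = @(Get-LocalAdministrator -Computer $ComputerName)

# One row per member, with a status a reviewer can sort on.
$report = foreach ($m in $members) {
    $status = switch ($m.Scope) {
        'UnresolvedSid' { 'Review: orphaned SID' }
        'Local'         { 'Local account (not managed by the GPO)' }
        default {
            if ($AllowList -contains $m.Name) { 'Expected' } else { 'Review: not on allow-list' }
        }
    }
    [pscustomobject]@{
        Computer = $ComputerName
        Member   = $m.Name
        Scope    = $m.Scope
        Status   = $status
    }
}
$report | Format-Table -AutoSize

# The "This group is a member of" setting only adds the group; it does not remove
# existing members, so the rows marked for review need a manual decision.
$names = @($members | ForEach-Object { $_.Name })
if ($names -notcontains $ExpectedGroup) {
    Write-Warning "$ExpectedGroup is not in Administrators on $ComputerName. Run 'gpupdate /force', then check 'gpresult /r'."
}
```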

Similar Messages

  • Adding a domain user to Local Admin Groups using MDT 2012

    I don't know if this will help anyone, but it did me after weeks of searching.  If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No". 
    But the administrators accounts page will only appear if you choose to join a domain. 

    Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
    <Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
    <Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
    </Pane>
    Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default,
    instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
    Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
    Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
    If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different
    Story :^).
    Keith Garner - keithga.wordpress.com

  • Master Data Services - Can not add new User and MDS can not Identify LOCAL Users

    Team,
    We are using  SQL Server 2008 R2 and system working since long and suddenly we observed mentioned two issues. The server MyServer is already restarted but did not help.  The MDS installed and configured on SAME Machine (MyServer).
      I  have two issues here.
    1. MDM website can not Identify the local Users (MyServer\MyUser).
    The User created on local Machine (MyServer\MyUser). I logged into MDM website using Admin login and click on User and Permission. Then I click on add and Text box appears to type UserName. Here I type "MyServer\MyUser" (MyServer\MyUser is already
    exists and working since long). Then click checkName; I received a message "No exact Match was found for MyServer\MyUser". Where as User from OTHER domain identified in MDM but could not identify ONLY the local users like "MyServer\MyUser".
    2. Can not add new user in Existing working MDM.
    I created windows user on machine (MyServer\MyUser1) and add it in UserGroup having an access to MDM. and then I tried to login to MDM using newly created user (MyServer\MyUser1) ; I see error Access Is Denied. The Permission assigned to UserGroup (not
    to individual user). The new User (MyUser1) should automatically get added in MDM once logged in. This is working for existing users in UserGroup; BUT NOT ONLY for new user (MyUser1).

    Now I Solved this problem in my case.
    I just grant again all permissions according http://msdn.microsoft.com/en-us/library/ff486994.aspx. Now all work fine.
    Hope, it will help 

  • Can not add domain name Error Protected word / inappropriate language

    Provide your Domain name :
    pragatiassociates.com
    Nature of Services provided: It located in India, Punjab. Its a new firm which will be focus on supplying products to Educational Institutes in and around Punjab 
    Problem: While trying to register domain on domains.live.com it gives error that  it contains a protected word or inappropriate language.
    The website is first phase version page has been hosted. Domain was purchased on 1-Mar-2014. Please help on priority as I need the mail solutions at the earliest.
    Posted query on  Microsoft answers no reply even after 4 days.
    http://answers.microsoft.com/en-us/outlook_com/forum/oadmincenter-ocustomdom/can-not-add-domain-name-error-protected-word/1322a218-3ad2-451c-a774-ae700465f9c4?tm=1394076201617

    Saurav S --
    Does your post have anything to do with Project Online, an enterprise project management application?  If so, please elaborate.  If not, please repost your question in a more relevant user forum.  Hope this helps.
    Dale A. Howard [MVP]

  • SCCM 2012 - How to add domain id to local administrator group of all clients

    Hi,
    i have a domain id sccmadmin which is a part of domain admins group too.
    Need to add this ID to the local administrators group of all clients. How do I do this? Please help!

    Hi ,
    you need to choose the second option .
    First option will remove all the domains users from the local administrator group available in all the PC'S .Then local administrator group will only have the users updated on the members list present in group policy.
    Note : Local admins accounts on the local administrators groups will not be removed.
    Second option will add the newly created group to the local administrator group in all the PC'S and it will not remove the existing members in the local administrators group.
    Step 1 : Just try to create one new group for SCCM management .
    Step 2 : Then add the SCCM account to that group.
    Step 3 : Then please create a new group policy on that just choose the second option.On that option just add the newly created group to be an member of administrator group in all the PC'S
    Why i have asked you to create a new group ?
    Because in second option , we don't have a option to add a individual user .
    Once you have created a group policy it will like below snap.
    In addition, I will tell you how to find out whether the newly created group policy is applying to computer objects or not, and also how to force update the group policy:
    1. gpresult /r ----> To find which group policy is applying on the user and computer object.
    2. rsop.msc ----> There you are able to find whether the change has been applied or not.
    3. gpupdate /force ----> Forcefully updating the group policy on a client machine.
    4. In gpmc.msc there is one option called group policy results. That option is used for centralized management to find the policies that are applied to a user and computer account.
    5. Just check the event viewer on all the PCs for group policy related events.
    Most importantly you need to make sure all the computer accounts are placed in an ou ,where the newly created group policy is applying and also make sure that OU doesn't contain any inheritance block.
    Please feel free to reply me if you have any queries.
    Thanks & Regards S.Nithyanandham

  • Remotely add Domain User to local group

    I've been playing with this for some time, and I seem to be missing something.  I am trying to develop a script that reads an XML file containing a list of computers, local groups, and names of domain users (and computers) to be added to the local groups.  I would like to be able to run this from a management workstation.
    I've been working from these two posts.
    http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group.aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx
    It appears that the command $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators") only works locally.  I have not been able to figure out any format that allows me to get the information remotely.  So I figured I would use Invoke-Command
    to execute the two lines of code remotely. 
    Invoke-Command -ComputerName RemoteServer {
        $de = [ADSI]"WinNT://RemoteServer/Administrators,Group"
        $de.psbase.invoke("Add",([ADSI]"WinNT://Domain/User").path)
    }
    (I am trying it first with fixed, valid values - change to variables when I get things figured out.)  That gave me the error:
    Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number."
    +CategoryInfo :NotSpecified: (:) [], MethodInvocationException
    +FullyQualifiedErrorID :DotNetMethodTargetInvocation
    +PSComputerName :RemoteServer
    I need help on what to try next.
    Thanks.
    . : | : . : | : . tim

    The ADSI commands work remotely as long as you are an administrator on the domain.
    Invoke-Command only works on systems set up for WinRM remoting and if you are an Administrator on the domain.
    Normally we would use AD and GP to add users to local groups.
    Your script is also incorrect.  This is the correct template.
    $remotepc='somepc'
    $de=[ADSI]"WinNT://$remotepc/Administrators,Group"
    $de.Add("WinNT://Domain/User")
    You should never add the user to the admin group.  It is a formula for disaster.
    ¯\_(ツ)_/¯
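
    The XML-driven version the question asks for, built on the template in the reply and added here as an example (not code from either poster): it checks membership first so reruns are harmless, supports `-WhatIf`, and records a result per row. The XML layout, computer names and account names are constructed for illustration.

```powershell
# Added example, not from the original thread. The XML layout, computer names and
# account names below are constructed; adjust them to your own environment.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Path   # optional: XML file in the same layout as $sampleXml
)

$sampleXml = @'
<LocalGroupChanges>
  <Computer name="WS-001">
    <Group name="Remote Desktop Users">
      <Member>CONTOSO/helpdesk-tier1</Member>
    </Group>
  </Computer>
  <Computer name="WS-002">
    <Group name="Administrators">
      <Member>CONTOSO/Workstation-Admins</Member>
    </Group>
  </Computer>
</LocalGroupChanges>
'@

[xml]$plan = if ($Path) { Get-Content -LiteralPath $Path -Raw } else { $sampleXml }

$results = foreach ($computer in $plan.SelectNodes('/LocalGroupChanges/Computer')) {
    foreach ($grp in $computer.SelectNodes('Group')) {
        foreach ($member in $grp.SelectNodes('Member')) {
            $target     = $computer.GetAttribute('name')
            $groupName  = $grp.GetAttribute('name')
            $memberPath = 'WinNT://' + $member.InnerText.Trim()   # WinNT://DOMAIN/account

            $row = [pscustomobject]@{
                Computer = $target
                Group    = $groupName
                Member   = $memberPath
                Result   = ''
            }
            try {
                # Binds to the remote machine's local group; needs admin rights on $target.
                $group = [ADSI]"WinNT://$target/$groupName,group"

                if ($group.psbase.Invoke('IsMember', $memberPath)) {
                    $row.Result = 'AlreadyMember'
                }
                elseif ($PSCmdlet.ShouldProcess("$target\$groupName", "Add $memberPath")) {
                    $group.psbase.Invoke('Add', $memberPath)
                    $row.Result = 'Added'
                }
                else {
                    $row.Result = 'Skipped'
                }
            }
            catch {
                # Unreachable host, unknown account or access denied all land here.
                $row.Result = "Failed: $($_.Exception.GetBaseException().Message)"
            }
            $row
        }
    }
}

$results | Format-Table -AutoSize
```

    Run it with `-WhatIf` first to see which rows would change, and keep the result table as the change record.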

  • Add domain account in local admin in unattended

    I can use the following in unattended.xml to join user1 into domain1. Is there a way to be able to add user1 into local admin group in unattended.xml?
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <Identification>
                    <Credentials>
                        <Domain>domain1.com</Domain>
                        <Password>user1password</Password>
                        <Username>user1</Username>
                    </Credentials>
                    <JoinDomain>domain1.com</JoinDomain>
                    <MachineObjectOU>OU=Users,DC=domain1,DC=com</MachineObjectOU>
                    <UnsecureJoin>false</UnsecureJoin>
                </Identification>
        </component>

    Yes you can, check this:
    http://technet.microsoft.com/en-us/library/cc749246(v=ws.10).aspx

  • DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end users account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening
    the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the
    backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
    The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable
    practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable for version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
    set users=
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg
    Regards, Mike J. [MSFT]
    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
    ========================================================================
    $RC=setoption("WOW64AlternateRegView","on") 
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    $uservariable = "%userdomain%\%username%"
    If KeyExist ($DPMkey)
    $Userstring=ReadValue($DPMkey, "ClientOwners")
    If $Userstring == ""
    WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
    ? "Key created"
    else
    If not instr($Userstring,$uservariable)
    $Userstring = "$Userstring,$uservariable"
    WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
    EndIf
    Endif
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
    In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that is that the key gets created/updated only if the user logs on physically on that PC, but it will not work for anyone connecting through RDP.

  • List users in local admin group on all workstations

    Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issues when the computer responded but dns was incorrect for
    that pc so i would get a false list of local admin members on that workstation. I changed to a wmi query instead and queried the system name using that so If the system name matched the workstation name being queried then write it is supposed to write to a
    csv. For some reason, when i use $wmi.name as the variable, it does not work. What am i missing?
        $CurrentDate = Get-Date
        $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
        import-module activedirectory
         $servers= get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
         $output = "c:\temp\local admin audit $CurrentDate.csv"
         $results = @()
         $servers | ForEach-Object{
            $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
            $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
            $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
            $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
            $group =[ADSI]"WinNT://$_/Administrators,group"
            $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_,   $null) }
            if($wmi){
               New-Object PSObject -Property @{
                   DistinguishedName = (Get-ADComputer $_).DistinguishedName
                   Server = $_
                   Members = $members -join ";"
               }
            }
         } | Export-Csv $Output -NoTypeInformation

    I agree use GP it is more reliable and easier to manage.
    For the sake of demonstration of how this can be done, here is how most of us would be likely to do this, or a very close variation.
    There is no issue with using Test-Connection and DNS.  AD/DNS cannot have the wrong names or your domain would crash.  Using Get-ADComputer instead of a file eliminates stale information.
    $csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
    import-module activedirectory
    #adjust Filter as needed
    $adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
    Get-AdComputer -Filter $adfilter |
        ForEach-Object{
            # one row per computer; Members stays $null when the host is offline
            $props=@{
                Server=$_.Name
                IsAlive=$false
                DistinguishedName=$_.DistinguishedName
                Members=$null
            }
            if(Test-Connection $_.Name -Count 1 -Quiet){
                $props.IsAlive=$true
                $group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
                # read the Name property of each member of the local group
                $members=$group.Members() |
                    ForEach-Object{
                        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                    }
                $props.Members=$members -join ";"
            }
            New-Object PSObject -Property $props
        } |
        Export-Csv $csvfile -NoTypeInformation
    Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
    ¯\_(ツ)_/¯

  • Fail to add domain user into local group - RPC server unavailable

    Hi all,
    I have a server-1 which is join to domain A. I need to add a domain user from domain B to my server-1 local group. I keep getting "The RPC server is unavailable" error message.
    But i try to use another server-2 which also belong to domain A and same network segment as server-1, i do not encounter this error while adding domain B user onto it.
    The problematic server-1 is a Windows 2008 R2 SP1 server. It is install with IIS and MS SQL database 2008.
    Just one thing i am guessing whether is it the cause of the problem. Before server-1 join to domain A, i did not disable windows firewall. I disable it only recently. Could this has cause the problem on my server-1?

    Let's recap to make sure I understand exactly what  you have going on:
    - Server 1 and Server 2 are both on Domain A and in the same site, behind the same firewalls
    - Adding a user from Domain B works on Server 1 but not Server 2.
    - You get an RPC error while adding Domain B's user on Server 2.
    Is Domain B on the other end of some firewall?
    - Can you do a portqry to a DC in Domain B from Server 2 (http://www.microsoft.com/en-us/download/details.aspx?id=17148)
    - Run this command: portqry -n <DomainBFQDN> -p both -o 53,135,389,3268
       - We are testing DNS, RPC, LDAP and GC.  Do you see anything come back as filtered or not listening?
    - Do the same thing from Server 1 and compare the results.
    This sounds like a connectivity problem.
    Chris Ream

  • Can't add new users in Server Admin console in Server 10.1.4.

    I've run into an issue with an older OS X Server 10.1.4 running on a G4 platform. It functions as a shared file repository and I need to add new users. However, it would appear that I've developed a problem.
    When trying to add new users I get the following error:
    An error occurred in the Users & Groups module in entry point "RACMMenuItemSelected".
    A program error has occurred.
    1004
    Now, my best guess is it's a corruption somewhere. But, I don't want to go poking around the production server taking it down and up until I've got some idea where I'm going. Any suggestions on where my troubles might be? Or has anyone had this issue before, and how was it corrected? (Hopefully not by a full software reload.)
    I'd like to replace/upgrade this server, but until there's money in the budget, that's just a dream, I need to try to figure out how to fix what's here.
    Help, please?
    PowerBook G4 17   Mac OS X (10.3.9)   1.5G RAM

    No answer was found for this issue. I've finally removed the server from production and will likely reformat and reinstall for use in other production areas. Hopefully we'll be upgrading the OS at the same time.

  • How to add/invite users to your admin console

    I have read the FAQ regarding this but there is no option to invite users under the 'Admin Users' section as it states in the FAQ. I have WebBasics plan but it states I am allowed to have up to 3 users yet there is no way for me to invite these users. Also if I can not add any users is it possible to change my email for this account as I actually made the website for a client.

    Hi,
    The option should be located within the admin panel via Site settings -> admin users -> invite. 
    If you are not seeing this please provide the site so we can investigate. 
    Kind regards,
    -Sidney

  • How can I add new user in sharepoint list column (people or group) or in sharepoint group using loginName only

    Hi
    If I have only login name of any user like - "Donamin\login_name".
    If this user is not present in sharepoint portal.
    How can I add this user to people or group column of any list or in any  sharepoint group with permission?

    hi
    got the issue
    it should be  like this -
    // 'site' (an SPSite), ExceptionManager and bIsLogEnabled come from the surrounding code.
    string userloginname = @"DOMAIN001\vyankatesh_mujumdar";
    using (SPSite oSpSite = new SPSite(site.ID))
    using (SPWeb web = oSpSite.OpenWeb())
    {
        try
        {
            SPList lst = web.Lists["TestList"];
            // EnsureUser adds the account to the site collection if it is not there yet
            web.EnsureUser(userloginname);
            SPUser oSPUser = web.SiteUsers[userloginname];
            SPFieldUserValue FieldValueName = new SPFieldUserValue(web, oSPUser.ID, oSPUser.LoginName);
            SPListItem oSPListItem = lst.Items.Add();
            oSPListItem["Title"] = userloginname;
            oSPListItem["People"] = FieldValueName;
            oSPListItem.Update();
        }
        catch (Exception ex)
        {
            ExceptionManager.LogErrorInFile("--------Exception -------", bIsLogEnabled);
            ExceptionManager.LogErrorInFile(ex.Message, bIsLogEnabled);
            ExceptionManager.LogErrorInFile(ex.Source, bIsLogEnabled);
            ExceptionManager.LogErrorInFile(ex.StackTrace, bIsLogEnabled);
            ExceptionManager.LogErrorInFile("-------------------------------------------------------", bIsLogEnabled);
        }
    }
    Thanks for all for the reply

  • Add Local Users to the Local Admin Group

    I am looking either via GPO or Third Party Tool.  I would like to add 6 Users to the Local Admin Groups on all the computers running Windows 7/8.  I want to Create a Group called "OUR Local Admins" and add these 6 local users (Not domain
    Users) to this Group and then nest this Group into the Local Admin Group Built-in into Windows 8
    Thank u

    > local users (Not domain Users) to this Group and then nest this Group
    > into the Local Admin Group Built-in into Windows 8
    You cannot nest local groups.
    Greetings/Grüße,
    Martin

  • Can't add any users while logged in as the ADMIN

    Back in my post, http://discussions.apple.com/message.jspa?messageID=5314598#5314598 , I was stuck in a broken auto login, unable to get past the solid blue screen. I was able to fix that but now I can not add any new users to the accounts pane. Logged in as the ADMIN, I click on the + and nothing happens. I can not add anymore accounts. What can I do to solve this?

    It is probably some residual effect from your single user mode actions detailed in your previous post.
    Run *Repair Permissions* from Disk Utility to see if that is the cause.
    If that doesn't fix it, try deleting the com.apple.loginwindow.plist from your admin account's Library/Preferences folder.
    There is also the same file in
    HD/Library/Preferences/com.apple.loginwindow.plist
    but I am not sure about the consequences of deleting that, as I've never done it.
    Whichever you delete, log out and log back in again to re-create them.
