Domain user or local administrator permission

We have a Windows 2008 R2 domain environment with Windows 7 clients. Users have domain user permission.
Security-wise, domain user rights is the way to go. But we have a lot of users with notebooks, with multifunctional printers at home. We configured a GPO to install printers, but they can't run setup to install the printer/scan software.
Also, some notebook users need to install/upgrade work-related software.
I thought of making the users power users.
Or local admin users, with UAC turned on. But we had issues with UAC turned on a year ago (can't remember what it was). I could also work with GPOs, Software Restriction Policies, AppLocker. But that's too much admin overhead. I'm looking for a solution that I and the users would benefit from. I'd like to know how other admins deal with this.
Thanx

Let me try to be more clear.
At the office we don't have any issues with installing printer drivers. We have about 100 users with laptops that need to install the multifunctional printer software (not drivers) at home. For most of them, installing the printer driver is no problem, because of the printer GPOs we configured:
"Allow non-administrators to install drivers for these device setup classes" and "Point and Print Restrictions".
So we don't have issues with domain users installing printer drivers, but most of them have multifunctional devices at home, all different brands (Canon, HP, Epson etc.). As a domain user they don't have the permission to run the setup to install the scanner and printer software. They can only install the printer drivers, because of the GPO.
This is one of the issues we have with domain user permissions. From a security perspective, domain user permission is the way to go, but it does have its challenges. I don't want to install all the different software for those users, and on the other hand they don't want to rely on the IT department for things they can do themselves.
For installing printer/scanner software (not only drivers), the printer needs to be connected to the laptop. Users are not going to bring their multifunctional device to the office for me to install the software.
So it's more the experience of other administrators I'm looking for: how to deal with giving users more permission to install or upgrade some software, but still have the feeling that the IT department is in control of those laptops.
Thanx

Similar Messages

  • Domain users and local users can't login to reporting service web environment

    Hello,
    We installed reporting services at one of our customers but aren't able to use domain users to login. We've tried to login with a domain user, a local user but both aren't working. We set the proper permissions for the users on the reports folders.
    We can only log in with the builtin/administrator account on the local URL: http://servername/reports
    How can we allow login with domain users on other report manager url's?

    Below link may be helpful,
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/623da309-21fa-42a8-905f-1424144a347d/setting-up-a-user-in-ssrs?forum=sqlreportingservices
    Regards, RSingh

  • SCCM 2012 - How to add domain id to local administrator group of all clients

    Hi,
    i have a domain id sccmadmin which is a part of domain admins group too.
    Need to add this ID to the local administrators group of all clients. How do I do this? Please help!

    Hi,
    you need to choose the second option.
    The first option will remove all the domain users from the local administrators group on all the PCs. The local administrators group will then only have the users on the members list present in the group policy.
    Note: Local admin accounts in the local administrators group will not be removed.
    The second option will add the newly created group to the local administrators group on all the PCs, and it will not remove the existing members of the local administrators group.
    Step 1: Create a new group for SCCM management.
    Step 2: Add the SCCM account to that group.
    Step 3: Create a new group policy and choose the second option. In that option, add the newly created group as a member of the Administrators group on all the PCs.
    Why have I asked you to create a new group?
    Because in the second option we don't have an option to add an individual user.
    Once you have created the group policy, it will look like the snap below.
    In addition, here is how to find out whether the newly created group policy is applying to computer objects, and how to force an update of the group policy:
    1. gpresult /r : shows which group policies are applying to the user and computer objects.
    2. rsop.msc : there you can see whether the change has been applied or not.
    3. gpupdate /force : forcefully updates the group policy on a client machine.
    4. In gpmc.msc there is an option called Group Policy Results. That option is used for centralized management, to find the policies that are applied to a user and computer account.
    5. Check the event viewer on all the PCs for group-policy-related events.
    Most importantly, you need to make sure all the computer accounts are placed in an OU where the newly created group policy is applying, and also make sure that OU doesn't have inheritance blocked.
    Please feel free to reply to me if you have any queries.
    Thanks & Regards S.Nithyanandham

  • How to add first log on user to local administrator group

    Hi All,
    When first time user log in to system, i need to add that particular user to local administrator group?
    How to achieve it using vbscript?
    Thanks
    Divakar

    It is also now against federal law in the US, Canada and, I believe, the UK.
    In the US, HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins. This may not specifically affect your installation but it does show how important this is.
    There is NEVER a good reason to make a user an administrator. It is only lack of technical know-how that leads to this scenario. Any vendor product that requires this is not a safe product to use in a corporate network. Malware specifically looks for this as an attack vector.
    I spent three years arguing with Intuit to get their software to work. Every time they said you have to run as an admin I told them it would never be. We were always able to find a way. Now QuickBooks installs as a standard user with no issues.
    It can be done.
    ¯\_(ツ)_/¯

  • Difference between AD domain user and local user

    Hello, I think the title is self explanatory. I am trying to figure out difference between AD domain user and local user. SAP Help wasnt very helpful.
    Thanks.

    Hi,
    It's about where the user accounts are kept. Domain users are users that are entered into the domain users group on a domain controller. These domain users can be centrally managed at the server. Whereas the local users are the users created in the local system.
    In BPC, you can select users from either of them or in combination as well. However, If you want to make change in the local user credentials, you need to login to the system in which the user has been created and make the changes there. On the other hand, changes to domain users can be made from any domain connected machine with the right software and the necessary rights. The changes only need to be made once.
    Hope this helps.

  • Active Sync does not start as domain user with no Administrator rights.

    Hi all,
    Searched the forums and the net but can't find anything about this.
    Situation:
    In a domain where users only have standard users rights I installed on a PC as a domain admin Active Sync 4.5
    When I logon as a user the Active Sync software can not be started.
    I disabled the firewall and even set full rights permission on the Active Sync directory both didn't help out.
    When I m logged on as this user I can choose to Start the program as a different user.
    This only works when I Start it with the domain administrator account.
    I hope that I do not have to give that information to this user to make this software work.....
    Anyone had the same problems? Anyone a idea?
    Thx in advance.
    Kind regards,
    Aartjan

    try this:
    1. make sure you install "activesync" from local harddisk (not from network), and do not delete the setup file after
    installation
    2. local in as "local administrator" and connect your PDA and make sure it can sync, I did not create a profile and just leave PDA connect as "guest" for now
    3. log off and re-login as "domain user", connect with USB should work
    4. if they still cannot communicate, run "ActiveSync" from start menu
    it works for me

  • Remotely add Domain User to local group

    I've been playing with this for some time, and I seem to be missing something. I am trying to develop a script that reads an XML file containing a list of computers, local groups, and names of domain users (and computers) to be added to the local groups. I would like to be able to run this from a management workstation.
    I've been working from these two posts.
    http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group.aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx
    It appears that the command $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators") only works locally. I have not been able to figure out any format that allows me to get the information remotely. So I figured I would use Invoke-Command to execute the two lines of code remotely.
    Invoke-Command -ComputerName RemoteServer {
    $de = [ADSI]"WinNT://RemoteServer/Administrators,Group"
    $de.psbase.invoke("Add",([ADSI]"WinNT://Domain/User").path)
    }
    (I am trying it first with fixed, valid values - change to variables when I get things figured out.)  That gave me the error:
    Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number."
    +CategoryInfo :NotSpecified: (:) [], MethodInvocationException
    +FullyQualifiedErrorID :DotNetMethodTargetInvocation
    +PSComputerName :RemoteServer
    I need help on what to try next.
    Thanks.
    . : | : . : | : . tim

    The ADSI commands work remotely as long as you are an administrator on the domain.
    Invoke-Command only works on systems set up for WinRM remoting and if you are an Administrator on the domain.
    Normally we would use AD and GP to add users to local groups.
    Your script is also incorrect. This is the correct template.
    $remotepc='somepc'
    $de=[ADSI]"WinNT://$remotepc/Administrators,Group"
    $de.Add("WinNT://Domain/User")
    You should never add the user to the admin group. It is a formula for disaster.
    ¯\_(ツ)_/¯
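
An added example (not code from the thread or from the linked posts) of the XML-driven script the question describes, built on the WinNT provider call from the reply's template. The XML schema, the function names and every computer, domain and group name are assumptions made up for illustration; it reads current membership first, adds only what is missing, and honors -WhatIf.

```powershell
# Added example. The XML is constructed sample input: every computer, domain,
# group and account name below is a placeholder, and the schema is an assumption.
$plan = [xml]@'
<LocalGroupPlan>
  <Computer Name="PC-EXAMPLE-01">
    <Group Name="Administrators">
      <Member Domain="EXAMPLEDOM" Name="Workstation-Admins" />
    </Group>
    <Group Name="Remote Desktop Users">
      <Member Domain="EXAMPLEDOM" Name="Helpdesk-Tier1" />
    </Group>
  </Computer>
  <Computer Name="PC-EXAMPLE-02">
    <Group Name="Administrators">
      <Member Domain="EXAMPLEDOM" Name="Workstation-Admins" />
    </Group>
  </Computer>
</LocalGroupPlan>
'@

function Get-PlanEntry {
    # Flatten the XML into one object per (computer, group, member) triple.
    param([Parameter(Mandatory = $true)][xml]$Xml)
    foreach ($c in $Xml.SelectNodes('/LocalGroupPlan/Computer')) {
        foreach ($g in $c.SelectNodes('Group')) {
            foreach ($m in $g.SelectNodes('Member')) {
                [pscustomobject]@{
                    Computer   = $c.GetAttribute('Name')
                    Group      = $g.GetAttribute('Name')
                    # Members are reported with the NetBIOS domain name, so use that form.
                    MemberPath = 'WinNT://{0}/{1}' -f $m.GetAttribute('Domain'), $m.GetAttribute('Name')
                }
            }
        }
    }
}

function Get-GroupMemberPath {
    # ADsPath of each current member of a local group, read over the WinNT provider.
    param([string]$Computer, [string]$Group)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($member in @($grp.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Sync-LocalGroupPlan {
    # Adds only the members that are missing; -WhatIf reports without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][xml]$Xml)
    foreach ($entry in Get-PlanEntry -Xml $Xml) {
        $status = 'AlreadyMember'
        try {
            $current = @(Get-GroupMemberPath -Computer $entry.Computer -Group $entry.Group)
            if ($current -notcontains $entry.MemberPath) {
                $status = 'Missing'
                $target = '{0}\{1}' -f $entry.Computer, $entry.Group
                if ($PSCmdlet.ShouldProcess($target, "Add $($entry.MemberPath)")) {
                    $grp = [ADSI]"WinNT://$($entry.Computer)/$($entry.Group),group"
                    $grp.Add($entry.MemberPath)   # same call as the reply's template
                    $status = 'Added'
                }
            }
        } catch {
            # Unreachable host, unknown group or account, or access denied.
            $status = 'Error: ' + $_.Exception.Message
        }
        [pscustomobject]@{
            Computer = $entry.Computer; Group = $entry.Group
            Member   = $entry.MemberPath; Status = $status
        }
    }
}

# Dry run: reads current membership, prints what would be added, changes nothing.
Sync-LocalGroupPlan -Xml $plan -WhatIf | Format-Table -AutoSize
```

With the placeholder names the dry run reports an Error status per row, since no such hosts exist; the Status column is what to review before running without -WhatIf.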

  • Can not add Domain User to Local Admin Group Win8.1

    Hello, 
    I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to
    type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary
    DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on
    but 90% of them it won't allow me to add the local user to the local admin group. 
    DCs are running Win Server 2008 R2 Enterprise. 
    Any help would be greatly appreciated. 
    Thank You

    I would suggest you use Restricted Groups (via GPO) to add domain users/groups to the local admins group.
    1. Create a new group in Active Directory
    Create a new group in Active Directory that you wish to add to every workstation's local administrator group. DO NOT add any users to this group at this time.
    2. Create a new GPO
    Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that contains the WORKSTATIONS you want to give users local administrative rights over.
    3. Edit the newly created GPO
    Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
    4. Add your new Active Directory group to the Restricted Group
    Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
    5. Add the Restricted Group to the local administrator group
    In the Restricted Group Properties window click "Add" under the section titled "This group is a member of:". Type "Administrators" (without the quotes, and yes, it is plural) in the Group Membership window and click "OK"
    6. Wait for GPO updates to apply to the workstations
    Once your users receive their updated group policy settings, every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.
    7. Add a user or group of users to the Active Directory Restricted Group
    When you are ready, or in a position where you need to provide local workstation admin rights, you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management Console.

  • Adding a domain user to Local Admin Groups using MDT 2012

    I don't know if this will help anyone, but it did me after weeks of searching.  If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No". 
    But the administrators accounts page will only appear if you choose to join a domain. 

    Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
    <Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
    <Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
    </Pane>
    Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default,
    instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
    Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
    Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
    If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different story :^).
    Keith Garner - keithga.wordpress.com

  • Fail to add domain user into local group - RPC server unavailable

    Hi all,
    I have a server-1 which is joined to domain A. I need to add a domain user from domain B to my server-1 local group. I keep getting "The RPC server is unavailable" error message.
    But when I try to use another server-2, which also belongs to domain A and the same network segment as server-1, I do not encounter this error while adding the domain B user onto it.
    The problematic server-1 is a Windows 2008 R2 SP1 server. It is installed with IIS and MS SQL database 2008.
    Just one thing I am guessing might be the cause of the problem. Before server-1 joined domain A, I did not disable Windows Firewall. I disabled it only recently. Could this have caused the problem on my server-1?

    Let's recap to make sure I understand exactly what  you have going on:
    - Server 1 and Server 2 are both on Domain A and in the same site, behind the same firewalls
    - Adding a user from Domain B works on Server 1 but not Server 2.
    - You get an RPC error while adding Domain B's user on Server 2.
    Is Domain B on the other end of some firewall?
    - Can you do a portqry to a DC in Domain B from Server 2 (http://www.microsoft.com/en-us/download/details.aspx?id=17148)
    - Run this command: portqry -n <DomainBFQDN> -p both -o 53,135,389,3268
       - We are testing DNS, RPC, LDAP and GC.  Do you see anything come back as filtered or not listening?
    - Do the same thing from Server 1 and compare the results.
    This sounds like a connectivity problem.
    Chris Ream

  • Need to provide local administrator access without domain administrator rights

    Hi All,
    I need to provide local admin access to one account in windows environment without providing domain administrator rights.
    Windows 2008 DC. Desktops : windows 7
    So that we can use this account to install agents like SCCM\SCOM in all servers & desktops.
    Need suggestions.

    Hi,
    I agree with Senne, in addition, we can also use net command to perform local group management.
    More information for you:
    Add a member to a local group
    http://technet.microsoft.com/en-us/library/cc772524.aspx
    How to Make a Domain User the Local Administrator for all PCs
    http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-a-domain-user-the-local-administrator-for-all-pcs.aspx
    Best Regards,
    Amy

  • SQL 2012 sp2 "The permissions granted to user 'DOMAIN\user' are insufficient ..."

    1st let me set the tone by admitting I am not real familiar with SQL, I'm more of an Operations Admin. So this is not a new question I think, although I am having difficulty finding an applicable solution.  Using SQL Server 2012 sp2 on a Windows
    2012R2 server.  This is configured to be a SCOM DB server; while on the SQL server itself I open IE and attempt to go to the following URL http://scomsql/reportserver_SCOM I get the
    following error.
    Reporting Services Error
    The permissions granted to user 'DOMAIN\user' are insufficient for performing this operation. (rsAccessDenied) Get Online Help
    SQL Server Reporting Services
    I have looked at the Reporting Services Config. Mgr. and it looks like the Report Mgt. URL is set for port 80 and no SSL is configured.  The rsreportserver.config file has the SecureConnectionLevel set to "0"
    My domain account is listed under Security\Logins and holds the 'Server Roles' of public and sysadmin, 'User Mapping' is DBO for the 'ReportServer$SCOM' and 'ReportServer$SCOMTempDB' and the role membership shows db_owner and public for these as well.
    Any assistance with getting this working would be greatly appreciated.
    # When I wrote this script only God and I knew what I was doing. # Now, only God Knows!

    Hi Wasisname,
    The Reporting Services error rsAccessDenied occurs when a user does not have permission to perform an action. To troubleshoot this issue, please make sure that you have sufficient permission and the report server name is correct.
    In fact, Reporting Services uses role-based security to grant user access to a report server, and there are two types of roles: Item-level roles and System-level roles. On a new installation, only local administrators have access to a report server. In order to grant users access to visit the URL http://server:port/ReportServer, a local administrator must create a role assignment to define the tasks a user can perform. To solve this problem, please refer to the following steps:
    1. Start Report Manager by going to URL http://scomsql/reportserver_SCOM.
    2. Click Site Settings at the top right of the page.
    3. Click Security in the left pane.
    4. If a role assignment already exists for the user, click Edit. Otherwise, click New Role Assignment. In user, enter the user account.
    5. Select appropriate access, and then click Apply.
    The issue may be caused by the UAC or Internet Explorer security setting, please try to follow these steps:
    1. Open the Internet options of the IE and add the report server URL into trusted site in the Security tab.
    2. Run the IE as administrator.
    Besides, if the user need to have access to reports, folders, models and shared data sources, we can assign Item-level roles on the root node (the Home folder) or on specific folders or items.
    For more information about Configuring a Native Mode Report Server for Local Administration, please refer to the following document:
    http://msdn.microsoft.com/en-us/library/bb630430(v=sql.110).aspx
    If you have any more questions, please feel free to ask.
    Thanks,
    Wendy Fu

  • Windows 2012 : A domain user who does not belong to the Administrators group can change the passwords

    Hello,
    Can a domain user that does not belong to the Administrators group be able to change your password?
    I tried to create a domain user account without administrative access. This user account has permission to access Windows Server 2012 via Remote Desktop.
    I tried to access Active Directory Users and Computers with the same account, and I was amazed, because the user account could change the password for multiple accounts, including one administrator account.
    Best regards,
    Ricardo

    Hi Ricardo, 
    I agree with Martin, we can check the membership about this user account. Besides, we can refer to following steps to check the memberships:
    1. Start the ADUC on Windows 2012.
    2. Right-click the user account and select Properties, then click the Member Of tab.
    3. Check which groups the user account belongs to.
    In addition, I suggest you create a new user account, and check if the new account can change other users' passwords.
    Best Regards,
    Erin

  • Allow Windows AD domain user to access and manage objects in Oracle 11g

    Hi,
    I'm using Oracle 11g on Windows environments, XP, server 2003 etc.
    If I use a domain user (user1) maintained on domain server (adsvr.company.com) to manage Oracle objects in DB server (dbsvr), do I have to assign user1 as member of administrator on DB server (dbsvr)?
    I'm asking this because my software vendor requires for it but our security policy doesn't allow us to assign normal domain user (user1) to administrator group on local machine (dbsvr).
    If I have to assign user1 to administrator group on dbsvr, please point me which document says so.
    Thank you in advance.
    Jeffrey

    Looks like some left-over processes keeping a hold on configuration files.
    Manually kill the left-over processes and start the DB Console.
    Refer:
    How To Identify and Remove an Agent or DBConsole Processes From a Windows Server (Note 785772.1)
    Refer this as well:
    EMCA Troubleshooting Tips
    http://docs.oracle.com/cd/E11882_01/server.112/e25494/dbcontrol.htm#ADMIN13444
    HTH
    Mani

  • How to unlock local administrator accounts

    Hi all,
    I have an XP machine that is a member of a Win2008 domain and the local administrator account is locked out.
    Whenever I restart the XP machine, the admin accounts are automatically locked out.
    How do I unlock the local admin accounts on XP or Windows 7 machines via GPO?
    Regards,
    Udaiyar

    How to unlock local administrator account
    Using CMD (Administrator)
    First you'll need to open a command prompt as administrator (Ctrl + X + A in Windows 8).
    Then, run the following command to unlock the account.
    net user administrator /active:yes
    Then, log out and you'll now see the Administrator account as a choice.
    To lock this account again, type the following command:
    net user administrator /active:no
    http://www.suctips.com/2014/02/how-to-enable-local-administrator.html
