Remotely add Domain User to local group

Similar Messages

• Fail to add domain user into local group - RPC server unavailable

  Hi all,
  I have a server-1 which is join to domain A. I need to add a domain user from domain B to my server-1 local group. I keep getting "The RPC server is unavailable" error message.
  But i try to use another server-2 which also belong to domain A and same network segment as server-1, i do not encounter this error while adding domain B user onto it.
  The problematic server-1 is a Windows 2008 R2 SP1 server. It is install with IIS and MS SQL database 2008.
  Just one thing i am guessing whether is it the cause of the problem. Before server-1 join to domain A, i did not disable windows firewall. I disable it only recently. Could this has cause the problem on my server-1?

  Let's recap to make sure I understand exactly what  you have going on:
  - Server 1 and Server 2 are both on Domain A and in the same site, behind the same firewalls
  - Adding a user from Domain B works on Server 1 but not Server 2.
  - You get an RPC error while adding Domain B's user on Server 2.
  Is Domain B on the other end of some firewall?
  - Can you do a portqry to a DC in Domain B from Server 2 (http://www.microsoft.com/en-us/download/details.aspx?id=17148)
  - Run this command: portqry -n <DomainBFQDN> -p both -o 53,135,389,3268
     - We are testing DNS, RPC, LDAP and GC.  Do you see anything come back as filtered or not listening?
  - Do the same thing from Server 1 and compare the results.
  This sounds like a connectivity problem.
  Chris Ream

• Can not add Domain User to Local Admin Group Win8.1

  Hello, 
  I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to
  type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary
  DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on
  but 90% of them it won't allow me to add the local user to the local admin group. 
  DCs are running Win Server 2008 R2 Enterprise. 
  Any help would be greatly appreciated. 
  Thank You

  I would suggest you to use Restricted Group(via GPO) to add domain users/group to a local admins group 
  1)Create a new group in Active Driectory
  Create a new group in Active Driectory that you wish to add to every workstations local administrator group. DO NOT add any users to this group at this time.
  2.
  Create a new GPO
  Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that the WORKSTATIONS you are wanting to give users local administrative rights over.
  3.
  Edit the newly created GPO
  Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings --> Restricted Groups
  4.
  Add your new Active Directory group to the Restricted Group
  Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
  5.
  Add the Restricted Group to the local administrator group
  In the Restricted Group Properties windows click "Add" under the section titled "This group is a member of:" Type "Administrators" (without the quotes and yes it is plural), in the Group Membership window and click "OK"
  6.
  Wait for GPO updates to apply to the workstations
  Once your users receive their updated group policy settings every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation,
  run "gpupdate /force" in a command window on that workstation.
  7.
  Add a user or group of users to the Active Directory Restricted Group
  When you are ready, or in a position where you need to provide local workstation admin rights you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management
  Console.

• Adding a domain user to Local Admin Groups using MDT 2012

  I don't know if this will help anyone, but it did me after weeks of searching.  If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No". 
  But the administrators accounts page will only appear if you choose to join a domain. 

  Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
  <Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
  <Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
  </Pane>
  Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default,
  instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
  Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
  Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
  If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different
  Story :^).
  Keith Garner - keithga.wordpress.com

• SCCM 2012 - How to add domain id to local administrator group of all clients

  SCCM 2012 - How to add domain id to local administrator group of all clients
  Hi,
  i have a domain id sccmadmin which is a part of domain admins group too.
  Need to add this ID to the local administrators group of all clients. How do I do this? Please help!

  Hi ,
  you need to choose the second option .
  First option will remove all the domains users from the local administrator group available in all the PC'S .Then local administrator group will only have the users updated on the members list present in group policy.
  Note : Local admins accounts on the local administrators groups will not be removed.
  Second option will add the newly created group to the local administrator group in all the PC'S and it will not remove the existing members in the local administrators group.
  Step 1 : Just try to create one new group for SCCM management .
  Step 2 : Then add the SCCM account to that group.
  Step 3 : Then please create a new group policy on that just choose the second option.On that option just add the newly created group to be an member of administrator group in all the PC'S
  Why i have asked you to create a new group ?
  Because in second option , we don't have a option to add a individual user .
  Once you have created a group policy it will like below snap.
  As an additional i will tell how to find the newly created group policy is applying to computer objects or not ans also i will tell you how to force update the group policy 
  1.gpresult /r ----> To find the which group policy is applying on user and computer object .
  2.rsop.msc ----> There you can able to find the change has been applied or not .
  3.gpupdate /force -----> Forcefully updating the group policy in a client machine 
  4.In gpmc.msc there is one option called group policy results .That option will be used for centralized management to find the policies that are applied to a user and computer account.
  5.Just check the event viewer in all the PC'S for group policy related events.
  Most importantly you need to make sure all the computer accounts are placed in an ou ,where the newly created group policy is applying and also make sure that OU doesn't contain any inheritance block.
  Please feel free to reply me if you have any queries.
  Thanks & Regards S.Nithyanandham

• How to add domain users in RDP in Windows 2012R2

  I just setup Windows 2012 R2 standard server, need to setup domain users to access server via RDP.
  I have read many articles about it, and created a group policy, also add domain users group and individual domain user in Remote Desktop Users. Each user has local workstation administrator privileges.
  When log in to windows 7 pro, domain users still got error as the screenshot below. (administrator can RDP to server). Any one has an idea?

  On DC server:
  Run gpedit.msc
  Browse to Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment
  Edit "Allow log on through terminal services"
  Add domain users/groups
  Run gpupdate /force

• Difference between AD domain user and local user

  Hello, I think the title is self explanatory. I am trying to figure out difference between AD domain user and local user. SAP Help wasnt very helpful.
  Thanks.

  Hi,
  It's about where the user accounts are kept. Domain users are users that are entered into the domain users group on a domain controller. These domain users can be centrally managed at the server. Whereas the local users are the users created in the local system.
  In BPC, you can select users from either of them or in combination as well. However, If you want to make change in the local user credentials, you need to login to the system in which the user has been created and make the changes there. On the other hand, changes to domain users can be made from any domain connected machine with the right software and the necessary rights. The changes only need to be made once.
  Hope this helps.

• Domain users and local users can't login to reporting service web environment

  Hello,
  We installed reporting services at one of our customers but aren't able to use domain users to login. We've tried to login with a domain user, a local user but both aren't working. We set the proper permissions for the users on the reports folders.
  We can only login with the buildin/administrator account on the local url: http://servername/reports
  How can we allow login with domain users on other report manager url's?

  Below link may be helpful,
  http://social.msdn.microsoft.com/Forums/sqlserver/en-US/623da309-21fa-42a8-905f-1424144a347d/setting-up-a-user-in-ssrs?forum=sqlreportingservices
  Regards, RSingh

• Regarding : How to add a user to portal group with the help of webdynpro .

  Hii ,
  I am working on an application in which with the help of an action( Button)  we r adding a user in Ztable in R/3 , as well as  group in portal.
  The user r successfully creating in Ztable but from portal side No user is assigned to Portal group.
  I need coding solution for " How to add a user to portal group with help of webdynpro"
  Any usefull link will also do.
  Pls anyone have any solution ??
  Thnks in advance.
  Rewards r waiting for u .

  Hi,
  Use UME api to add user to portal group.
  Using UME API:
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40d562b7-1405-2a10-dfa3-b03148a9bd19
  Regards,
  Naga

• Add grid user to dba group

  Hello,
  After RAC installation, We are facing some cluster issues. After investigation, Oracle support suggested to add the grid user to the dba group. We missed to add the grid user to the dba user in most of the nodes. This is Linux Redhat 5.
  How can I add grid user to dba group and keep the grid user belonging to the other linux groups? what 's the correct command?
  Thanks,
  Diego

  Hi,
  As root:
  #### check before
  id  grid
  #### Change It
  usermod -a -G dba grid
  #### Check after
  id gridLevi Pereira

• Trying to add a user to a Group thru JNDI. Insuffficient Access Rights

  I am trying to add a user to a group using JNDI with,
  DirContext.modifyAttributes()
  I have set up the tree structure outside the default cn=Users setup and defined the Group as auxiliary class.
  I haven't set up any Access Controls. But it fails with "Ldap Error code 50. Insufficient Access Rights".
  If I try to add the same user using the uniquemember attribute to the group I am interested in, it works fine in Directory Manager and Generic Ldap browser. I even tried setting up the JNDI user credentials to "orcladmin" still doesn't work. Any idea??

  Maybe the example code from OID developers guide gives an idea
  http://download-west.oracle.com/docs/cd/A97329_03/manage.902/a95193/smplcode.htm#637267
  --Olaf                                                                                                                                                                                                                                                                                                                                       

• Wlst add a user to a group

  Hi,
  I have problems with wlst to add a user to a group
  The method "addMemberToGroup" of the security MBean DefaultAuthenticator doesn't seem to be accessible from wlst.
  Here's the part of the code (note that the group and user already exist, i am sure of it)
  myusername="BIGREZADMIN"
  group="BigRezAdministrators"
  cd("/")
  cd("weblogic.security.providers.authentication.DefaultAuthenticator/Security:Name=myrealmDefaultAuthenticator")
  try:
  cmo.addMemberToGroup(group,myusername)
  except Exception:
  dumpStack()
  And what I get:
  AttributeError: addMemberToGroup
  Also tried like this:
  cd("weblogic.security.providers.authentication.DefaultAuthenticator/Security:Name=myrealmDefaultAuthenticator")
  objs =jarray.array([group,myusername],java.lang.Object)
  strs =jarray.array(["java.lang.String","java.lang.String"],java.lang.String)
  try:
  invoke('addMemberToGroup',objs,strs)
  except WLSTException:
  dumpStack()
  and here's what I get:
  [java] weblogic.management.ManagementRuntimeException: javax.management.OperationsException: no such operation: addMemberToGroup
  I have also tried inverting attributes of the addMemberToGroup without success. The createUser("user","password","desc") and createGroup("group","desc") work fine but I don't manage
  to add a user to a group with WLST.
  Am I doing it the wrong way?
  Thanks,
  Luc

  Hello Luc,
  I am able to easily add a user to a group w/o a problem. I did this,
  connect("weblogic","weblogic")
  cd("SecurityConfiguration/mydomain")
  cd("weblogic.security.providers.authentication.DefaultAuthenticator/Security:Name=myrealmDefaultAuthenticator")
  cmo.createUser("foo","weblogic","foo-1")
  cmo.createGroup("mygroup","hello")
  cmo.addMemberToGroup("mygroup","foo")
  Thats it, did not get any exception. Try printing the cmo to see if the
  cmo is currectly populated.
  Thanks,
  -satya
  Luc Dewavrin wrote:
  Hi,
  I have problems with wlst to add a user to a group
  The method "addMemberToGroup" of the security MBean DefaultAuthenticator doesn't seem to be accessible from wlst.
  Here's the part of the code (note that the group and user already exist, i am sure of it)
  myusername="BIGREZADMIN"
  group="BigRezAdministrators"
  cd("/")
  cd("weblogic.security.providers.authentication.DefaultAuthenticator/Security:Name=myrealmDefaultAuthenticator")
  try:
  cmo.addMemberToGroup(group,myusername)
  except Exception:
  dumpStack()
  And what I get:
  AttributeError: addMemberToGroup
  Also tried like this:
  cd("weblogic.security.providers.authentication.DefaultAuthenticator/Security:Name=myrealmDefaultAuthenticator")
  objs =jarray.array([group,myusername],java.lang.Object)
  strs =jarray.array(["java.lang.String","java.lang.String"],java.lang.String)
  try:
  invoke('addMemberToGroup',objs,strs)
  except WLSTException:
  dumpStack()
  and here's what I get:
  [java] weblogic.management.ManagementRuntimeException: javax.management.OperationsException: no such operation: addMemberToGroup
  I have also tried inverting attributes of the addMemberToGroup without success. The createUser("user","password","desc") and createGroup("group","desc") work fine but I don't manage
  to add a user to a group with WLST.
  Am I doing it the wrong way?
  Thanks,
  Luc

• VBS: Add domain user and group to local administrators

  I have a piece of VBS code that I have modified that basically adds a specified domain user and group to the PCs local Administrators group. It works on Windows 7, but not on Windows 8 at all.
  Call AddUserToGroup("./Administrators", "myDomain.net/NetworkAdminis")
  Call AddUserToGroup("./Administrators", "myDomain.net/Domain Admins")
  Call addDomainUser("myDomain", "myUserGroup")
  Sub AddUserToGroup(local, domain)
  Dim objLocalGroup
  Dim objDomainGroup
  Dim server
  For Each server in servers
  Set objLocalGroup = GetObject("WinNT://" & local & ",group")
  Set objDomainGroup = GetObject("WinNT://" & domain & ",group")
  With objLocalGroup
  .Add(objDomainGroup.AdsPath)
  .SetInfo
  End With
  Next
  Set objLocalGroup = Nothing
  Set objDomainGroup = Nothing
  End Sub
  Sub addDomainUser(strDomain, strUser)
  Dim strComputer
  Dim objWshNet
  Dim objGroup
  Dim objUser
  Set objWshNet = CreateObject("WScript.Network")
  strComputer = objWshNet.ComputerName
  Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
  Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
  If Not objGroup.IsMember(objUser.ADsPath) Then
  objGroup.Add (objUser.ADsPath)
  End If
  Set objWshNet = Nothing
  Set objGroup = Nothing
  Set objUser = Nothing
  End Sub
  I have debugged the code line by line using VBA's IDE and there seems to be no error condition firing. It executes all lines, but it is not adding the users and groups as it did with Windows 7 and below. The script is being run as local administrator.

  Hi,
  The first step is to comment out your On Error Resume Next line and try again.
  Don't retire TechNet! -
  (Don't give up yet - 13,225+ strong and growing)

• Urgent Help needed! ADSI can't add local user to local group when there are variables

  Hi friends
  it about 8 hours i am working on following simple code but no result. i feel i am loosing my eyes
  i need to use a code within my PS script to add a Local user to the built-in "Users" Local Group in windows 7 , 8, 2012....
  the following code which the username is not related with any variable works fine.
  $computer = [ADSI]"WinNT://."
  $user = $computer.Create("User","MyLocaluser")
  $user.setinfo()
  $user.SetPassword("P@ssw0rd")
  $Group = [ADSI]"WinNT://./Users,Group"
  $Group.Add("WinNT://MyLocaluser,user")
  but in the 2 following scenarios (which Variables enter into codes), doesn't work: (for simplicity & be easier to read, i have bolded the only differences in my 3 scenarios for you
  Scenario1:
  $computer = [ADSI]"WinNT://."
  $user = $computer.Create("User","MyLocaluser")
  $user.setinfo()
  $user.SetPassword("P@ssw0rd")
  $Group = [ADSI]"WinNT://./Users,Group"
  $Group.Add("WinNT://$user,user")
  i checked, user is created but is doesn't become member of local "Users" group
  Scenario2 (which is my Real Scenario):
  $myVMnumber = read-host "enter your VMnumber"
  $computer = [ADSI]"WinNT://."
  $user = $computer.Create("User","MyLocalUser$MyVMnumber") ----># for example on VM2, will be created as "MyLocalUser2"
  $user.setinfo()
  $user.SetPassword("$MyVMnumber") # ---> so that the password of MyLocaluser be the digit 2
  $Group = [ADSI]"WinNT://./Users,Group"
  $Group.Add("WinNT://$user,user")
  what change should make to the code?
  Many thanks in advanced

  Is there some reason why you are posting the same question in multiple forums?
  I gave you the exact answer and a copy of tested code.
  Someone needs to merge these two threads:
  https://social.technet.microsoft.com/Forums/en-US/98ab1abd-ef62-4b95-b70c-a6f0120a155e/unable-to-add-local-usr-to-local-group-via-adsi?forum=winserverpowershell
  ¯\_(ツ)_/¯
  no it's the same powershell forum not multiple forums
  i had posed my question in previous threat
  https://social.technet.microsoft.com/Forums/en-US/98ab1abd-ef62-4b95-b70c-a6f0120a155e/unable-to-add-local-usr-to-local-group-via-adsi?forum=winserverpowershell
  but at the middle of the scenario, no one continue to investigate on my problem, so i started new threat to investigate on the rest of the problem, but finally you answered it & now this threat can be closed up
  many thanks for your helps. 

• Difference between Domain\Domain Users and Everyone Group in SharePoint

  Hi,
  In SharePoint 2013, is Everyone Group an AD group ? Please help with details.
  Thanks
  srabon

  Hi All,
  Domain Users, Authenticated Users, or Everyone
  Domain Users
  The Domain Users is the only real group of the 3 listed above.  By that I mean you can add and remove members from this group.  Domain Users is a Global Group in the domain, and it can only contain users that are members of same domain the Domain
  Users group resides in.  By default all users created in the domain are automatically members of this group.  However, the  default Guest account in the domain is NOT a member of Domain Users, instead it is placed in the Domain Guest group.
  Because Domain Users is generally considered the most secure group of the three listed above.
  Authenticated Users
  Authenticated Users was first introduced in Windows NT 4.0 SP3.  This is a built-in group and cannot be modified.  The Authenticated Users group contains users who have authenticated to the domain or a domain that is trusted by the computer domain. 
  Authenticated Users contains all manually created user accounts in all trusted domains regardless of whether they are a member of the Domain Users group or not.  Authenticated Users specifically does not contain the built-in Guest account, but will contain
  other users created and added to Domain Guests.The Authenticated Users group also includes the local computer account (computername$) and the built-in SYSTEM account. 
  Everyone group
  The Everyone group includes all members of the Domain Users, Authenticated Users group as well as the built-in Guest account, and several other Built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc.  NULL session connections (aka
  anonymous logon) used to be included in this group but were removed in Windows 2003.  This is a built-in group that cannot be modified.Because the Everyone group contains the Guest account, and several other Built-in security identifiers like SERVICE,
  LOCAL_SERVICE, NETWORK_SERVICE, etc. is generally considered the least secure of the three groups.
  Short Answer is there isn't much to worry about unless folks are logging I with a guest account or you have removed a bunch of folks from the domain users group
  -Ivan