Wednesday, June 30, 2010

Add User As Local Administrator On Domain Controller

I was recently setting up a new Microsoft SharePoint 2010 machine and had promoted the machine to a domain controller before creating my SharePoint admin accounts. I needed to give several of those accounts administrative rights on the server. After you promote a server to a domain controller, the Local Users and Groups console is no longer available: a domain controller has no local SAM database, so there are no local users or local groups to manage. The "Administrators" group that the command line still shows you on a DC is the domain's BUILTIN\Administrators group (CN=Administrators,CN=Builtin in Active Directory), not a group that exists only on this server.

With that in mind, the command I ran was this. Open a command prompt using the "Run as administrator" function and then run:

net localgroup Administrators /add {domain}\{user}

Note: do not include the {} brackets.

Be clear about what this actually does. Because there is no local group to add to, the command adds the account to BUILTIN\Administrators in Active Directory, which grants full control over the directory and over every domain controller in the domain, not just this machine. That is far more than a SharePoint service or admin account needs, and the account will show up under Builtin > Administrators in Active Directory Users and Computers. If you only need someone to administer a single read-only domain controller (RODC), use dsmgmt's Local Roles instead; that delegation is local to the RODC and does not add the account to any Active Directory group.
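The following PowerShell is an added example, not part of the original post, that shows where the net localgroup command above really puts the account on a domain controller and how to undo it. It assumes the ActiveDirectory module is available on the DC and that you hold Domain Admin rights; CONTOSO\spfarm is a placeholder for the account you added.

```powershell
# Added example (not from the original post): confirm what
# "net localgroup Administrators /add" touched on a domain controller, and undo it.
# Assumes the ActiveDirectory module (present with the AD DS role) and Domain Admin rights.
# CONTOSO\spfarm is a placeholder account name.

Import-Module ActiveDirectory
$Account = 'CONTOSO\spfarm'   # placeholder: the account that was added

# 1. A DC has no local SAM. The "Administrators" group that net localgroup shows
#    is the domain's BUILTIN\Administrators object in Active Directory.
$Admins = Get-ADGroup -Identity 'Administrators'
$Admins.DistinguishedName
# e.g. CN=Administrators,CN=Builtin,DC=contoso,DC=com  (the object net localgroup edits)

# 2. Compare the directory's view of the group with the "local" view.
$fromAd  = Get-ADGroupMember -Identity 'Administrators' |
    Select-Object -ExpandProperty SamAccountName
$fromNet = (net localgroup Administrators) |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
    ForEach-Object { ($_ -split '\\')[-1].Trim() }
Compare-Object -ReferenceObject ($fromAd | Sort-Object) -DifferenceObject ($fromNet | Sort-Object)
# No output means the two member lists are identical: there is no separate local group.

# 3. Is the SharePoint account now an administrator of the whole directory?
$sam = $Account.Split('\')[-1]
if ($fromAd -contains $sam) {
    Write-Warning "$Account is in BUILTIN\Administrators: full control of AD and every DC."
    # 4. Remediate. -Confirm:$false because you have already decided to remove it.
    Remove-ADGroupMember -Identity 'Administrators' -Members $sam -Confirm:$false
}
```

Run it on the DC where you issued the net localgroup command. Step 2 is the check that settles the argument in the comments: the membership reported by net localgroup and by Get-ADGroupMember is the same object, so there is nothing "local" to fall back on.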

36 comments:

Ian Ippolito said...

Worked like a charm. Thanks!
Ian

Jon said...

I too benefited from this article. Thanks random blog guy!

csilvest said...

Used this, and it sort of worked - it added the account to the domain group "Administrators", not the local Administrators group...

Sander Ligtenberg said...

Thanks, just what the doctor ordered.

tgreene5 said...

Worked like a charm!! thanks muchly!

Theresa

Andrew Steele said...

I, too, used this method on a 2003 and 2008 DC; both times all it did was add the domain user to the domain\Administrators group. There no longer is a local administrator account or administrators group on a DC.

Amir Khalili said...

I completely agree with Andrew; there is no local users database on domain controllers.

Ed Bratter said...

You cannot add a domain user account to the local administrators group on domain controllers. The same holds true for populating the local admins group via the Restricted Groups feature in Group Policies. As stated in the comments either method will result in adding the domain user to the Domain group Builtin\Administrators, which will then grant that user administrative permissions to Active Directory.

You can, however, set up local administrators on Read Only DCs (RODCs) on Windows 2008 DCs and higher. This will grant local permissions to the server without granting advanced AD permissions. RODCs were designed primarily for remote offices where a local user can be granted permissions to administer the local DC and patch the server.

Here is a good article on RODCs:
http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx

Amit Rahat said...

Thank you very much!
You just saved my day

stwil said...

Would recommend you remove or edit your post, as it is somewhat misleading in its current form. As others have stated there is no local admins group on a DC. Thanks.

rmittler said...

This worked for me!

abu_backer007 said...

But it adds to the domain Administrators group; I want to add to the local Administrators group.

Adam Bushill said...

What a Muppet. DON'T DO THIS ANYONE. It adds the user to domain\administrators (good group)

Nicholas Kellam said...

Local Administrator may not be a good group to add users to on a domain controller, however for other purposes, like Event Log Reader and the like, this worked well.

You can run the command 'net localgroup' to display all groups and choose the one that's best suited for a service account's least privilege access.

Adam Bushill said...

THERE ARE NO LOCAL GROUPS ON DOMAIN CONTROLLERS!

Ajeesh said...

Many people mistook the question. Rick is not asking about creating local users in a DC. He is asking about adding domain users to the local "Administrators" group. This can also be done using the GUI (Go to Control Panel -> User account --> Manage user account) and then add users. Only domain users can be added. This is similar to the command Rick mentioned:

#net localgroup Administrators /add Domain\user

stalks said...

No Ajeesh, you mistook the article.

The article quite clearly states "Local Users and Groups" which is the name of the Windows Management console that is removed when a server is promoted to a Domain Controller.

THERE IS NO LOCAL ADMINISTRATORS GROUP.

This article's purpose at this point is to troll innocent internet users and compromise domain security. Goodness knows what hot water some unfortunate sysadmin is going to get themselves into by following the instructions here.

Tom Heller said...

You are wrong Adam, there are local groups on a domain controller...they're just hidden. This command works and I was walked through doing this very thing by Microsoft to add Exchange Trusted Subsystem domain group to local administrators group. You can use the same command to view the local group membership and it does not match the domain administrators group.

Unknown said...

Hi Tom. You're wrong, sir. DCs do not have local users or groups. Sorry - never has and never will.

On an RWDC Domain Controller (not an RODC), examine for yourself the Domain\Administrators group. Then compare it to the output of running 'net localgroup administrators' - look for yourself.

Adam Bushill said...

Yes Tom, the command will "work" in that you will get no errors and your user will become an administrator on the DC, however they will become an administrator on the DC because you have just made them an administrator of the entire domain. I really recommend that everybody that believes that they are doing no harm by following this article carry out the command in a lab environment and see what happens, just check the membership of the administrators on the domain.
I look after a number of large corporate domains, having created some of them from the ground up, I'm not an app dev that plays at being a sys admin.

Jordan Benzing said...

Adam Bushill is correct.

Anytime you use the PowerShell or CMD commands to add a user to a group on a domain you are in fact adding them to the equivalent group in Active Directory Users and Computers. It doesn't give them Administrator rights to JUST that DC. It gives them Administrator rights to every device in the organization essentially. While not AS permissive as Domain Admins, it's a close second.

The same is true of all other groups, RDP, Event Log, etc.; it grants that permission globally within the environment.

Charlie Evatt said...

This in fact adds the user to the domain administrators group rather than local, so is a dangerous thing to do that I would not recommend. Nice try though!

Hurry said...

Leave IT, or learn to listen to your peers.

RDecarte said...

This does work, but by adding it to the local administrators group of a DC, it gives that person domain admin powers on the DC's domain. Further, it does not show up in the global domain admins group.
As far as you closed minded youngsters, I am a 4-time MCSE, certed in NT4, 2000, 2003, 2008. This has worked since NT4 days, and continues to work today. Just because you don't see it in a GUI doesn't mean it's not possible.

Stephen Roux said...

Sorry to say, but then it shows how MS certifications are useless... It adds the account to the domain's Builtin\Administrators group, period, which is totally visible in the ADUC MMC. If you did not see this group during all your braindump sessions, well, you should find another job. So basically, as stated previously, it will give a little bit less than Domain Admins privileges because you don't have admin rights on every computer that is part of the domain, but it will give you full control over AD and all the DCs, which is certainly not the intended goal.

Shelley Della-Valle said...

Surprised this post hasn't been removed. You've essentially made your SharePoint accounts domain administrators.

munky82 said...

Thanks, now my C-Level guys don't get frustrated when they want to install Winamp

Xander Calderon said...

It looks like the command does add the user to Administrators group and the Domain Admin group when you check AD right afterwards.

I've removed Domain Admin from the user (Since that one group is the skeleton key to the castle), and going to see how far the Administrators group reaches out.

Right now, it seems that Administrators might be weak enough for these users who need maintenance access without giving up everything. Investigating though.

Miles Lott said...

This appears to be a working solution, but somewhat modified:

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/Admin/HowToDesignateADomainUserToManageARODC.html

1. Open powershell or command prompt on DC (run as administrator although not sure if that's required).
2. Run dsmgmt.exe
3. Type Local Roles and hit enter (no need for quotes)
4. add "DOM\userorgroup" Administrators

This worked for me and did not add the group/user to the Domain Admins or Administrators group on the directory.
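The dsmgmt procedure in the comment above is the supported way to give someone administrative rights on a single RODC. As an added example (not from the original post or the comment), this PowerShell wraps it with the check a practitioner wants first: that the machine really is an RODC, since on a writable DC there are no Local Roles and the only "administrator" there is the domain-wide BUILTIN\Administrators group. It assumes the ActiveDirectory module on the RODC; CONTOSO\branch-admins is a placeholder group, and dsmgmt is invoked non-interactively with its menu commands passed as arguments (the same convention ntdsutil uses), which does the same thing as typing them at the dsmgmt prompt.

```powershell
# Added example (not from the original post or the comment above): delegate local
# administration of an RODC with dsmgmt "Local Roles", refusing to run on a writable DC.
# Assumes the ActiveDirectory module; CONTOSO\branch-admins is a placeholder group.

Import-Module ActiveDirectory
$Principal = 'CONTOSO\branch-admins'   # placeholder: who gets local admin on this RODC

# Guard: Local Roles exist only on a read-only domain controller.
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
if (-not $dc.IsReadOnly) {
    # On a writable DC the only way to make someone an administrator of the box is
    # BUILTIN\Administrators, which makes them an administrator of Active Directory.
    throw "$($dc.HostName) is a writable DC. Local Roles only exist on an RODC; do not fall back to net localgroup."
}

# Add the principal to the RODC's local Administrators role. This is stored on the
# RODC itself, not in an AD group, so it does not grant directory-wide rights.
& dsmgmt.exe 'Local Roles' "Add $Principal Administrators" 'Quit' 'Quit'

# Show the role as dsmgmt sees it.
& dsmgmt.exe 'Local Roles' 'Show Role Administrators' 'Quit' 'Quit'

# Confirm that BUILTIN\Administrators in AD was not touched.
$sam  = $Principal.Split('\')[-1]
$inAd = Get-ADGroupMember -Identity 'Administrators' | Where-Object SamAccountName -eq $sam
if ($inAd) {
    Write-Warning "$Principal is also in BUILTIN\Administrators; that membership is domain-wide and should be reviewed."
} else {
    "$Principal is not in BUILTIN\Administrators: the delegation is local to this RODC."
}
```

Run it elevated on the RODC you are delegating. The final check is the same distinction the thread keeps coming back to: membership in BUILTIN\Administrators is an Active Directory permission, while an RODC Local Role is confined to that one server.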