Add User As Local Administrator On Domain Controller

I recently was settting up a new Microsoft SharePoint 2010 machine and had promoted the machine to a domain controller before creating my SharePoint admin accounts.  I needed to add several of my accounts to the local Administrators group.  Unfortunately after you promote a server to a domain controller you can no longer access the GUI for Local Users and Groups.  Instead I had to use the command line to add the users.

Open a command promt using the "Run as administrator" function and then run the following command.

net localgroup Administrators /add {domain}\{user}

Note: do not include the {} brackets.

Comments

  1. I too benefited from this article. Thanks random blog guy!

    ReplyDelete
  2. Used this, and it sort of worked - it added the account to the domain group "Administrators", not the local Administrators group...

    ReplyDelete
  3. Thanks, just what the doctor ordered.

    ReplyDelete
  4. Worked like a charm!! thanks muchly!

    Theresa

    ReplyDelete
  5. I, too, used this method on a 2003 and 2008 DC; both times all it did was add the domain user to the domain\Administrator's group. There no longer is a local administrator account or administrators group on a DC.

    ReplyDelete
  6. i completely agree with Andrew , there is no local users database on Domain controllers.

    ReplyDelete
  7. You cannot add a domain user account to the local administrators group on domain controllers. The same holds true for populating the local admins group via the Restricted Groups feature in Group Policies. As stated in the comments either method will result in adding the domain user to the Domain group Builtin\Administrators, which will then grant that user administrative permissions to Active Directory.

    You can, however, setup local administrators on Read Only DCs (RODCs)on Windows 2008 DCs and higher. This will grant local permissions to the Server without granting advanced AD permissions. RODCs were designed primarily for remote offices where a local user can be granted permissions to administer the local DC and patch the server.

    Here is a good article on RODCs:
    http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx

    ReplyDelete
  8. This comment has been removed by the author.

    ReplyDelete
  9. Thank you very much!
    You just saved my day

    ReplyDelete
  10. Would recommend you remove or edit your post, as it is somewhat misleading in its current form. As others have stated there is no local admins group on a DC. Thanks.

    ReplyDelete
  11. This comment has been removed by the author.

    ReplyDelete
  12. but it adds to the domain administrators group i want to add in local administrator group.

    ReplyDelete
  13. What a Muppet. DON'T DO THIS ANYONE. It adds the user to domain\administrators (good group)

    ReplyDelete
  14. Local Administrator may not be a good group to add users to on a domain controller, however for other purposes, like Event Log Reader and the like, this worked well.

    You can run command 'net localgroup' to display all groups and chose the one that's best suited for a service account's least privilege access.

    ReplyDelete
  15. THERE ARE NO LOCAL GROUPS ON DOMAIN CONTROLLERS!

    ReplyDelete
  16. This comment has been removed by the author.

    ReplyDelete
  17. Many people mistook the question. Rick is not asking about creating local users in a DC. He is asking about adding domain users to the local "Administrators" group. This can also be done using the GUI (Go to Control Panel -> User account --> Manage user account) and then add users. Only domain users can be added. This is similar to the command Rick mentioned:

    #net localgroup Administrators /add Domain\user

    ReplyDelete
  18. No Ajeesh, you mistook the article.

    The article quite clearly states "Local Users and Groups" which is the name of the Windows Management console that is removed when a server is promoted to a Domain Controller.

    THERE IS NO LOCAL ADMINISTRATORS GROUP.

    This articles purpose at this point is to troll innocent internet users and compromise domain security. Goodness knows what hot water some unfortunate sysadmin is going to get themselves into by following the inctructions here.

    ReplyDelete
  19. This comment has been removed by the author.

    ReplyDelete
  20. You are wrong Adam, there are local groups on a domain controller...they're just hidden. This command works and I was walked through doing this very thing by Microsoft to add Exchange Trusted Subsystem domain group to local administrators group. You can use the same command to view the local group membership and it does not match the domain administrators group.

    ReplyDelete
  21. Hi Tom. You're wrong sir. DCs do not have local users or groups. Sorry - never has and never will.


    On an RWDC Domain Controller (not an RODC), examine for yourself the Domain\Administrators group. Then compare it to the output of running 'net localgroup administrators' - look for yourself.

    ReplyDelete
  22. Yes Tom, the command will "work" in that you will get no errors and your user will become an administrator on the DC, however they will become an administrator on the DC because you have just made them an administrator of the entire domain. I really recommend that everybody that believes that they are doing no harm by following this article carry out the command in a lab environment and see what happens, just check the membership of the administrators on the domain.
    I look after a number of large corporate domains, having created some of them from the ground up, I'm not an app dev that plays at being a sys admin.

    ReplyDelete
  23. Adam Bushill is correct.

    Anytime you use the powershell or CMD commands to add a user to a group on a domain you are in fact adding them to the equivalent group in Active Directory Users and Computers. It doesn't give them Administrator rights to JUST that DC. It gives them Administrator rights to every device in the organization essentially. While not AS permissive as domain admin its a close second.

    The same is true of all other groups, RDP, event Log etc, it grants that permission globally within the environment.

    ReplyDelete
  24. This comment has been removed by the author.

    ReplyDelete
  25. This in fact adds the user to the domain administrators group rather than local, so is a dangerous thing to do that I would not recommend. Nice try though!

    ReplyDelete
  26. This does work, but by adding it to the local administrators group of a DC, it gives that person domain admin powers on the DC's domain. Further, it does not show up in the global domain admins group.
    As far as you closed minded youngsters, I am a 4-time MCSE, certed in NT4, 2000, 2003, 2008. This has worked since NT4 days, and continues to work today. Just because you don't see it in a GUI doesn't mean it's not possible.

    ReplyDelete
  27. Sorry to say, but then it shows how MS certifications are useless... It adds the account to the domain period builtin administrators group, which is totally visible in the ADUC mmc. If you did not see this group during all your braindump sessions, well, you should find another job. So basically, as stated previously, it will give a little bit less than domain admins privileges because you don't have admin rights on every computers part of the domain, but it will give you full control over AD and all the DCs, which is certainly not the intended goal.

    ReplyDelete
  28. Surprised this post hasn't been removed. You've essentially made your SharePoint accounts domain administrators.

    ReplyDelete
  29. This comment has been removed by the author.

    ReplyDelete
  30. Thanks, now my C-Level guys don't get frustrated when they want to install Winamp

    ReplyDelete
  31. This comment has been removed by the author.

    ReplyDelete
  32. It looks like the command does add the user to Administrators group and the Domain Admin group when you check AD right afterwards.

    I've removed Domain Admin from the user (Since that one group is the skeleton key to the castle), and going to see how far the Administrators group reaches out.

    Right now, it seems that Administrators might be weak enough for these users who need maintenance access without giving up everything. Investigating though.

    ReplyDelete
  33. This appears to be a working solution, but somewhat modified:

    http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/Admin/HowToDesignateADomainUserToManageARODC.html

    1. Open powershell or command prompt on DC (run as administrator although not sure if that's required).
    2. Run dsmgmt.exe
    3. Type Local Roles and hit enter (no need for quotes)
    4. add "DOM\userorgroup" Administrators

    This worked for me and did not add the group/user to the Domain Admins or Administrators group on the directory.

    ReplyDelete
  34. Hi,
    The above works only you have RODC it will not work in the Writable DC.
    Infact the above statement holds true if the server is promoted to DC the local user/group would be now managed through our Active Directory console.
    Also for your information - The two default GPOs, Default Domain Policy and Default Domain Controller Policy, don't have any Restricted Groups configured by default either.
    Only the last option is you can use delegated permissions for fulfilling your needs.

    Thanks all.

    Regards,
    Sumeet M.

    ReplyDelete
  35. This comment has been removed by a blog administrator.

    ReplyDelete
  36. This information is meaningful and magnificent which you have shared here about the addon domain. I am impressed by the details that you have shared in this post and It reveals how nicely you understand this subject. I would like to thanks for sharing this article here. how to add addon domain in cpanel

    ReplyDelete
  37. This comment has been removed by the author.

    ReplyDelete
  38. On the off chance that you need to go about things the easy way, you should converse with everybody you know. It is just about a conviction that at any rate a couple of your companions have employed nearby movers previously. Nothing talks as profoundly of an organization as an individual proposal, so ask however many individuals as you can. You may even need to get on Facebook and put the inquiry to the entirety of your companions on there, regardless of whether you may not know everybody in your rundown just as you would wish. Sacramento Office Movers

    ReplyDelete
  39. Thanks for the blog loaded with so many information. Stopping by your blog helped me to get what I was looking for. brand names on sale

    ReplyDelete
  40. Your blog provided us with valuable information to work with. Each & every tips of your post are awesome. Thanks a lot for sharing. Keep blogging.. names for businesss

    ReplyDelete
  41. I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me.. Thanks for all your help and wishing you all the success in your business. https://hostinglelo.in/

    ReplyDelete
  42. Wow, What an Outstanding post. I found this too much informatics. It is what I was seeking for. I would like to recommend you that please keep sharing such type of info.If possible, Thanks. creative business names

    ReplyDelete
  43. On the off chance that you can concoct a decent, new domain name that hasn't been enrolled at this point, it should cost you around $10 each year.https://onohosting.com/

    ReplyDelete
  44. Thankyou for this wondrous post, I am glad I observed this website on yahoo. https://onohosting.com/

    ReplyDelete
  45. It also conditions the hair, making it healthier and easier to handle. The product comes in a 2 oz bottle, intended for single use. Use a small amount of shampoo and massage it into your scalp thoroughly to receive the best outcome. It is also important that you avoid the use of any styling products on your hair and that you do not cover your hair. The shampoo's effects will persist for 24 hours, which is more than enough time to pass a hair drug test. A normal specific gravity value will range between 1 Visit: https://www.urineworld.com/

    ReplyDelete
  46. When we refer to an Internet posting service, which facilitates a simplistic accessibility of websites belonging to companies or individuals through the world wide web, we call it a web hosting service. Web hosting has become a major business today, where some organizations or web sites lease or sell space on their server to interested clients. In countries like Latin America and France, the web hosts, through a process called co-location, can provide data center space and Internet connectivity for other servers in their data center. https://hostinglelo.in/

    ReplyDelete
  47. your content is very inspiring and appriciating I really like it please visit my site for Satta King Result also check Satta king 24X7 and also check sattaking and for quick result check my site Satta matka and for super fast result check Satta king

    ReplyDelete
  48. birthday wishes for colleagues . Hope these birthday wishes for colleagues and coworkers will help you to write a sweet birthday message and images.

    ReplyDelete
  49. Great article. Very informative blog post. Really thank you! Really Great.
    upload carousel to instagram from pc

    ReplyDelete
  50. Stampa Prints is one of the best packaging companies in the market. We provide a dynamic range of creative ideas for the packaging boxes of your product range.

    ReplyDelete
  51. The material of these soapboxes is 100% recycled paper. Well, this could explain its eco-friendly feature. It will be a real problem when you need to design a custom soap box for sale. You could get our variety of Custom Soap Packaging Boxes at competitive prices to improve the beauty of your soap products!
    Custom Soap Packaging Boxes

    ReplyDelete
  52. Bears are big animals, with big feet and short, stocky legs. These nocturnal or diurnal mammals have extraordinary senses of hearing, sight, and smell. Because they are awkward walkers, they are often mistaken for clumsy animals. But keep a look out – they can move fast when threatened.

    ReplyDelete
  53. Youstable India's best cheap web site hosting provides Website Builder, cpanel, FREE SSL Certificate etc with unlimited cheap web hosting plans.

    ReplyDelete
  54. Great things you’ve always shared with us. Just keep writing this kind of posts.The time which was wasted in traveling for tuition now it can be used for studies.Thanks Emergency electrician

    ReplyDelete

  55. To keep the control center from timing out each time a grammatical error is given it vital to turn the "ip domain-lookup" off. Now it is vital to specify that main mistakes executed at the "client mode" and "advantaged executive mode" will cause an opportunity to happen, https://onohosting.com/

    ReplyDelete
  56. For reputational purposes, effectiveness in managing official correspondence and to safeguard the security of entrepreneurs exchanging from home, organizations frequently utilize an outsider address as their enrolled office address.https://hostinglelo.in/

    ReplyDelete
  57. Get Unlimited Money, Unlimited Primogens, Unlimited Platinmods, Unlimited Virtual currency. Genshin impact Mod APK Unlocked Everything.

    ReplyDelete
  58. and you ought to take care of your responsibilities to expect come by unmistakable outcomes with your SEO endeavors. https://onohosting.com/

    ReplyDelete
  59. I read your post and this blog is very good. You have good knowledge on this. This post really impressed me. Thank you for sharing your knowledge with all of us. It consultants melbourne

    ReplyDelete
  60. I usually skip blog posts, but I had to take a moment to acknowledge the quality of this write-up. Very impressive!
    Foundation cosmetics

    ReplyDelete
  61. Hats off to the writer of this blog post! I'm not easily impressed, but the quality of writing and the interesting perspective kept me hooked from start to finish.
    Dubai City Tour

    ReplyDelete
  62. I'm hooked! This blog is a rare find - informative, enjoyable, and the writing style is just brilliant. It's become my go-to for quality content.
    Education consultancy

    ReplyDelete

Post a Comment

Popular posts from this blog

Calling Dataverse Web API in PowerShell using Client Credentials

Windows Server 2008R2 VMs Shut Down After 1 to 2 Hours