
Problem with Domain user as local administrator

 
 
Vicente

 
      05-18-2010
Hello,

I have a problem with the authentication of users to access services.

I have a domain with Windows 2008 R2 and all servers are W2008 R2. I want to
add a domain user as local administrator into the server and not appears on
the list, but says if it is.

If I logon on that server with the domain user works fine but does not have
administrator access because some complement is not allowed. I turned off the
UAC and so the server can access.

The problem comes when the user wants to access such a SQL and indicates
that the domain is not trusted. It does not seem to have the same permissions
as the local administrator of the machine real. The only way is to access
with the domain administrator account. Although add that account as a domain
administrator and does not have permissions.

Any ideas?

Thanks
 
 
 
 
 
Matija Kapraljevic [Revenger]

 
      05-18-2010
On Tue, 18 May 2010 07:38:01 -0700, Vicente wrote:

> I have a domain with Windows 2008 R2 and all servers are W2008 R2. I want to
> add a domain user as local administrator into the server and not appears on
> the list, but says if it is.


Where are you trying to add domain user to local users group? Is it on the
domain controller? If so, there are no local users on the domain
controller.
If you want to add domain users to local groups on member servers, you can
use Restricted Groups to accomplish that.

> If I logon on that server with the domain user works fine but does not have
> administrator access because some complement is not allowed. I turned off the
> UAC and so the server can access.


I don't really understand on what server you're logging onto (domain
controller or member server?), and did shutting UAC down help to get it
working?

> The problem comes when the user wants to access such a SQL and indicates
> that the domain is not trusted. It does not seem to have the same permissions
> as the local administrator of the machine real. The only way is to access
> with the domain administrator account. Although add that account as a domain
> administrator and does not have permissions.


You can create an account in your domain, e.g. SQLSrvrEngine, and then go to
the SQLServer machine and add that user to local administrators group. Then
configure your SQLServer services (SQLServerEngine, SQLServerAgent, ...) to
use that account for startup. That should do it...


--
Regards
===========
 
 
Florian Frommherz [MVP]

 
      05-18-2010
Howdie!

On 18.05.2010 16:38, Vicente wrote:
> I have a domain with Windows 2008 R2 and all servers are W2008 R2. I want to
> add a domain user as local administrator into the server and not appears on
> the list, but says if it is.


So was that "add" operation successful or not? Were you able to add the
user to the local administrator group?

> The problem comes when the user wants to access such a SQL and indicates
> that the domain is not trusted. It does not seem to have the same permissions
> as the local administrator of the machine real. The only way is to access
> with the domain administrator account. Although add that account as a domain
> administrator and does not have permissions.


For SQL specifically, I'm not sure whether just being in the local
Administrator group is sufficient to get access to all sorts of
databases. You'll still have to grant access to that user. At least
that's what I understand. From a Windows perspective, is that user an
administrator? Can you access the registry/make modifications to the system?

Cheers,
Florian
 
 
Vicente

 
      05-19-2010
Hello,

when I add user to group member server administrators tell me that is
already added. He is apparently in the local administrators group but not
listed.

I can do logon with that user on the member server (not the Domain
Controller) and all right, but if you want to access the SQL server for
example is like being on another domain.

Thanks
 
Vicente

 
      05-19-2010

Hello,
I do logon with that user on the member server (not the DC) and all right,
but if you want to access the SQL server for example is like in another
domain.

UAC off was used to gain access to accessories such as MMC, but did not
solve the access to resources such as SQL.

When I use a domain user for Application Pool user, for access to SQL,
........ then not authenticate.

Thanks
 
Ace Fekay [MVP - Directory Services, MCT]

 
      05-19-2010
On Tue, 18 May 2010 07:38:01 -0700, Vicente wrote:

>Hello,
>
>I have a problem with the authentication of users to access services.
>
>I have a domain with Windows 2008 R2 and all servers are W2008 R2. I want to
>add a domain user as local administrator into the server and not appears on
>the list, but says if it is.
>
>If I logon on that server with the domain user works fine but does not have
>administrator access because some complement is not allowed. I turned off the
>UAC and so the server can access.
>
>The problem comes when the user wants to access such a SQL and indicates
>that the domain is not trusted. It does not seem to have the same permissions
>as the local administrator of the machine real. The only way is to access
>with the domain administrator account. Although add that account as a domain
>administrator and does not have permissions.
>
>Any ideas?
>
>Thanks



I'm not sure I'm following the question 100%. Is it regarding a domain
User accessing an installed application such as SQL? If so, SQL has
its own user access list that the original user that installed SQL
would need to add and allow access within SQL. Example, if the Domain
Admin installed SQL on a member server, then a Domain User logs on
that has been added to the member server's local Administrator group,
they won't be allowed access to it until the Domain Admin logs on,
accesses SQL and adds the user account into SQL.

If the question is generally to add specific users to the local admin
group of a member server and/or desktops & workstations, a Restricted
Groups GPO can be used.

Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
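
The point made in this reply (SQL Server keeps its own access list, separate from the Windows local Administrators group) can be checked and fixed from a query window with T-SQL. This is an added example, not part of the original thread; the account name CONTOSO\vicente and the database name AppDb are placeholders.

```sql
-- Added example. CONTOSO\vicente and AppDb are placeholder names.
-- Run as a login that is already sysadmin on the instance
-- (for instance the account that installed SQL Server).

-- 1. Which Windows users and groups does this instance know about?
--    From SQL Server 2008 on, BUILTIN\Administrators is not provisioned
--    as a sysadmin login by default, so local admin rights on the
--    member server do not imply access to SQL Server.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('U', 'G')          -- U = Windows user, G = Windows group
ORDER BY name;

-- 2. Does the account get in directly or through a group login?
--    The permission path column names the group that grants access;
--    no rows means the account has no route into the instance.
EXEC xp_logininfo @acctname = N'CONTOSO\vicente', @option = 'all';

-- 3. Create the login for the domain account if it is missing.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\vicente')
    CREATE LOGIN [CONTOSO\vicente] FROM WINDOWS;

-- 4. Map the login into the one database it needs and grant only
--    read/write there, instead of making the account sysadmin.
USE AppDb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\vicente')
    CREATE USER [CONTOSO\vicente] FOR LOGIN [CONTOSO\vicente];
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\vicente';
EXEC sp_addrolemember N'db_datawriter', N'CONTOSO\vicente';

-- 5. Verify from the account's point of view without logging off.
EXECUTE AS LOGIN = N'CONTOSO\vicente';
SELECT SUSER_SNAME()                  AS effective_login,
       IS_SRVROLEMEMBER('sysadmin')   AS is_sysadmin,      -- expect 0
       IS_MEMBER('db_datareader')     AS can_read_appdb;   -- expect 1
REVERT;
```

The same login can then be used as an IIS application pool identity connecting with integrated security, without the account being a local administrator on the SQL Server machine.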
 
 
Ace Fekay [MVP - Directory Services, MCT]

 
      05-19-2010
On Tue, 18 May 2010 22:30:18 +0200, "Florian Frommherz [MVP]" wrote:

>Howdie!
>
>On 18.05.2010 16:38, Vicente wrote:
>> I have a domain with Windows 2008 R2 and all servers are W2008 R2. I want to
>> add a domain user as local administrator into the server and not appears on
>> the list, but says if it is.

>
>So was that "add" operation successful or not? Were you able to add the
>user to the local administrator group?
>
>> The problem comes when the user wants to access such a SQL and indicates
>> that the domain is not trusted. It does not seem to have the same permissions
>> as the local administrator of the machine real. The only way is to access
>> with the domain administrator account. Although add that account as a domain
>> administrator and does not have permissions.

>
>For SQL specifically, I'm not sure whether just being in the local
>Administrator group is sufficient to get access to all sorts of
>databases. You'll still have to grant access to that user. At least
>that's what I understand. From a Windows perspective, is that user an
>administrator? Can you access the registry/make modifications to the system?
>
>Cheers,
>Florian


Florian,

I didn't see your response before I responded. But I agree that SQL
has its own access controls and the user needs to be added to SQL.

Ace
 
 
Vicente

 
      05-19-2010
Hello, to see if I can explain.

This domain may be created with all members W2008R2. They have created user
accounts without problems. It was possible to add these accounts as local
administrators on member servers, but not listed in the administrators group,
although it is possible to connect to that server with the user.

It seems like domain users do not authenticate when it is incorporated as a
SQL administrator, or to be the identity of an application pool in IIS, even
if the user has administrator rights on that member and can logon on it.

I have turn off firewall and UAC but I have not any result.


regards
 
Matija Kapraljevic [Revenger]

 
      05-19-2010
On Wed, 19 May 2010 01:40:01 -0700, Vicente wrote:

> Hello,
> I do logon with that user on the member server (not the DC) and all right,
> but if you want to access the SQL server for example is like in another
> domain.


OK, so your domain authentication works. I would focus (as others already
suggested) on the error SQL Server gives you when you try to authenticate
and go from there.

Google the error SQL Server gives you when you try to authenticate and see
if there are any resolutions for your problem.

A quick google search on "SQL Server untrusted domain" came out with this:

http://social.msdn.microsoft.com/For...e-c579d1be2fa0
http://social.msdn.microsoft.com/For...5-0473b67c6715
http://social.msdn.microsoft.com/For...c-545da81c11f5

--
Regards
===========
 
 
Ace Fekay [MVP - Directory Services, MCT]

 
      05-25-2010
On Wed, 19 May 2010 08:51:01 -0700, Vicente wrote:

>Hello, to see if I can explain.
>
>This domain may be created with all members W2008R2. They have created user
>accounts without problems. It was possible to add these accounts as local
>administrators on member servers, but not listed in the administrators group,
>although it is possible to connect to that server with the user.
>
>It seems like domain users do not authenticate when it is incorporated as a
>SQL administrator, or to be the identity of an application pool in IIS, even
>if the user has administrator rights on that member and can logon on it.
>
>I have turn off firewall and UAC but I have not any result.
>
>
>regards
>
>


I believe I understand the question a little better. Just to confirm,
you would like to use domain users to authenticate, even if the domain
user is an SQL administrator with SQL, as well as the domain user to
be used for credentials in an application pool in IIS.

Since I am not an SQL engineer, nor do I write web apps, such as .Net,
VB, Ajax, etc, I'm sorry, I am not able to help you. That question
would surely be better off if posted in the SQL forum or IIS forum,
unless someone here can offer a solution.

Ace
 