This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 43%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
I've set up the an Azure AD and AADDS along with a VM following the guides provided by Microsoft on the forums.
I'm trying to have an account 'Admin' be able to edit/create GPO's and User information on the Active Directory Administrative Centre on the VM (2016). On the Azure Portal the account has the 'Global Admin' Rights but when logged into the VM it's like the Account has next to no permissions.
The Account is in Domain Users and the group that gets created with the ADDS Admin group. I think in order to have the account be able to do the changes it needs to be in the Domain Admin group, but the account doesn't have the permissions to change that.
So, Is it possible to have that and/or How would it be done?
When i log onto the VM with the account and go into Active Directory Administrative Centre -> User 'Admin' -> Member Of -> Add -> "AADDS Service Administrators Group" It throws out and Error Of "Failed to save "Admin". "Failed to save the group membership for the object. Could not add member(s) to one or more ADGroup."
If i try to add the account "Admin" to 'Domain Admins' Via Powershell (Admin) it says that the account im using (Which is the account im trying to add to the domain admins) Doesn't have the right access to do that command and it will be processed at the domain Controller.
The Account is apart of the Local Administrators group, Along with the Domain Users and the AAD DC Administrators Group.
In the End, i managed to get in contact to support through email who told me that there was no way for this to be achieved as the "Domain Admins Group" was a group managed by microsoft themselves.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Thanks for following up. I was confused because I thought you were referring to your Windows Domain Admins group. https://learn.microsoft.com/en-us/sql/analytics-platform-system/create-an-aps-domain-administrator-aps?view=aps-pdw-2016-au7
They will need to be a local administrator as well. https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
Hi, Thank you for a reply.
The users is already in the Administrators group. Which is the confusing thing, The only thing that i can think of is that maybe it's got permissions that over-rule the 'Admin' permissions. Could 'Domain Users' Group Do that?