question

47451047 avatar image
0 Votes"
47451047 asked DaisyZhou-MSFT answered

How to give admin rights through a group.

Hello. On the local computer in the Administrators group, there is a group AdminKYA

I want to give admin rights to the support group. I include users in the adminKYA group, but the user still does not have administrator rights and I have to manually include the user in the Administrators group. For example Kudritsky. Why doesn't this work through groups? The user is listed in the group adminKYA

109269-1.png


windows-server-2019
1.png (26.7 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered

Hello @47451047,

Here is my suggest.

Test 1
You can try to add another user into group adminKYA and then check if the new user in group adminKYA has local administrator right on one machine.

Test 2
Please add group adminKYA to local Administrators group via Preference\Control Pannel Settings\Local Users and Groups GPO.

110897-g1.png


110907-g2.png

Then check if the user in group adminKYA has local administrator right on one machine.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.



g1.png (21.6 KiB)
g2.png (17.6 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndreasBaumgarten avatar image
0 Votes"
AndreasBaumgarten answered AndreasBaumgarten edited

Hi @47451047 ,

after adding the user Kudritsky in the group AdminKYA the user should log-off and login again.

This way the new group membership of the user will be in his access token.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

47451047 avatar image
0 Votes"
47451047 answered

The user is in the group. His membership has been renewed. He has been in this group for over a month.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered

Hello @47451047,

Thank you for posting here.

Based on the description, I understand as below:

When the user Kudritsky is in group adminKYA and adminKYA is in the local Administrators group, the user Kudritsky has no admin rights, but when you add the user Kudritsky into local Administrators group manually, the user Kudritsky has admin rights, is it right?

If so, would you please confirm the following information:

1-Is this machine you mentioned in the workgroup or in the domain?
2-Is the user Kudritsky a local user on this machine? Or it is a domain user?
3-Is the group adminKYA a local group on this machine? Or it is a domain group?
4-Based on "Why doesn't this work through groups? ", how did you see it does not work through groups?



Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

47451047 avatar image
0 Votes"
47451047 answered

When the user Kudritsky is in group adminKYA and adminKYA is in the local Administrators group, the user Kudritsky has no admin rights, but when you add the user Kudritsky into local Administrators group manually, the user Kudritsky has admin rights, is it right?

Yes.

1-Is this machine you mentioned in the workgroup or in the domain? - domain
2-Is the user Kudritsky a local user on this machine? Or it is a domain user? - domain user
3-Is the group adminKYA a local group on this machine? Or it is a domain group? domain group
4-Based on "Why doesn't this work through groups? ", how did you see it does not work through groups? the credentials do not apply for any actions that require admin rights

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered

Hello @47451047,

Thank you so much for your confirmation.

How did you add the user Kudritsky to group adminKYA and add the group adminKYA to the local Administrators group? Manually or via GPO?

Please check if you configured the following GPO on this domain-joined machine?

Computer Configuration\Preferences\Control Pannel Settings\Local Users and Groups
110079-policy.png

Or Computer Configuration\Windows Settings\Restricted Groups
110050-po.png

On this machine:
Log on using Domain Administrator account,
Open CMD(run as Administrator),
Type gpresult /h C:\gpo.html and click Enter.
Open gpo.html and check if there are two gpo settings under "Computer Details".


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.





policy.png (65.5 KiB)
po.png (50.3 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

47451047 avatar image
0 Votes"
47451047 answered DaisyZhou-MSFT commented

I have settings like you have in the first image. As in the second, I don't apply this policy. What is it for?

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @47451047,

Thank you for your repy.

How did you add the user Kudritsky to group adminKYA?

How did you add the group adminKYA to the local Administrators group? Manually or via GPO?

Please check the member in group adminKYA?


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·
47451047 avatar image
0 Votes"
47451047 answered DaisyZhou-MSFT commented

How did you add the user Kudritsky to group adminKYA? - active directory users and computers

How did you add the group adminKYA to the local Administrators group? Manually or via GPO? - Like your first image(GPO)

Please check the member in group adminKYA? - YYes, he is a member of the group

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @47451047,

Thank you for your reply.

You should sign out and sign in again using user Kudritsky to check if it helpful.

Also, please check if the same issue occurs on other domain machines?


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.



0 Votes 0 ·
47451047 avatar image
0 Votes"
47451047 answered

You should sign out and sign in again using user Kudritsky to check if it helpful. - It doesn't help.
Also, please check if the same issue occurs on other domain machines? - The problem on all machines

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.