question

Connection-4294 asked

Global Admin account lacks permissions to do anything on VM

I've set up an Azure AD and AADDS along with a VM, following the guides provided by Microsoft on the forums.

I'm trying to have an account 'Admin' be able to edit/create GPOs and user information in the Active Directory Administrative Centre on the VM (2016). On the Azure Portal the account has the 'Global Admin' rights, but when logged into the VM it's like the account has next to no permissions.

The Account is in Domain Users and the group that gets created with the ADDS Admin group. I think in order to have the account be able to do the changes it needs to be in the Domain Admin group, but the account doesn't have the permissions to change that.

So, is it possible to have that, and/or how would it be done?

When I log onto the VM with the account and go into Active Directory Administrative Centre -> User 'Admin' -> Member Of -> Add -> "AADDS Service Administrators Group", it throws out an error of "Failed to save "Admin". "Failed to save the group membership for the object. Could not add member(s) to one or more ADGroup."

If I try to add the account "Admin" to 'Domain Admins' via PowerShell (Admin), it says that the account I'm using (which is the account I'm trying to add to the Domain Admins) doesn't have the right access to do that command and it will be processed at the domain controller.

The account is a part of the local Administrators group, along with the Domain Users and the AAD DC Administrators groups.

azure-virtual-machines azure-ad-domain-services

Connection-4294 answered

In the end, I managed to get in contact with support through email, who told me that there was no way for this to be achieved, as the "Domain Admins Group" was a group managed by Microsoft themselves.


Thanks for following up. I was confused because I thought you were referring to your Windows Domain Admins group. https://docs.microsoft.com/en-us/sql/analytics-platform-system/create-an-aps-domain-administrator-aps?view=aps-pdw-2016-au7

MarileeTurscak answered

Hi, thank you for a reply.

The user is already in the Administrators group, which is the confusing thing. The only thing that I can think of is that maybe it's got permissions that overrule the 'Admin' permissions. Could the 'Domain Users' group do that?
