Granting local administrative privileges to a domain account

Automatically grant administrative privileges to Windows™ domain accounts. The user account for the Storage Resource agent requires local administrative rights. Because these rights are not necessarily guaranteed for domain users in a Windows domain environment, you are shown how to grant local administrative rights to domain users. Using this procedure, you do not have to manually process each machine in the domain.

Note: These steps are for a Windows system that is a member of a Windows domain and not for the Windows Domain Primary Domain Controller.

To use Group Policy to grant local administrative privileges to a domain account, complete the following steps:

  1. On the domain controller, go to Administrative Tools > Active Directory Users and Computers (you must be running with Domain Administrator privileges).
  2. Right-click on the Organizational Unit (OU) upon which you want to apply the Group Policy. Click Properties.
  3. The Group Policy Properties panel is displayed. Select the Group Policy tab and click New to create a Group Policy.
  4. Designate a name for the new Group Policy. Select the new Group Policy and click Edit.
  5. The Group Policy Object Editor panel is displayed. Go to New Group Policy Object your_policy > Computer Configuration > Windows Settings > Security Settings > Restricted Groups. Right-click Restricted Groups, and then click Add Group.
  6. For example, name the new group Administrators. Under Properties, add the user Administrator, and the domain accounts or groups upon which you want the Group Policy in effect for. For example, you can add TPC\storageadmin, TPC\storagegroup, and TPC\TestGroup. Click OK.
  7. Add these user rights to the domain account:
    • Act as part of the operating system
    • Log on as a service
    In the Group Policy Object Editor, go to New Group Policy Object your_policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments. In the content pane, select "Log on as a service" and double-click. Add the domain user for whom you are granting user rights and click OK. Repeat this step for "Act as part of the operating system."
  8. The group policy is now enforced for the Organizational Unit to include the domain accounts and groups specified under the local Administrators group on each computer in the Organizational Unit. In addition, the domain user has been granted the necessary rights. To verify the user rights, log in to a domain computer and open the Computer Management console. Select Groups, double-click the Administrators group, and verify the membership of the domain users.