How to log on to a Windows Server VM as a domain administrator, not a local administrator

Question

How to log on to a Windows Server VM as a domain administrator, not a local administrator

Deok Jong Moon 125

Hi there,

I'm currently following a Azure AD Domain Services tutorial (https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm) where I seem to have to log in as a domain administrator.

The thing is when I tried to use Active Directory Administrative Center on my Windows Server VM, and also Group Policy Management on the same VM, both of the programmes said things like I have to log in as a domain user.

I tried to log in to the VM through Bastion, using accounts in my ADD DC administrators group, and almost every possible ID variations based on those already existing in there, but I failed to log in, and only the local administrator account has made it through.

How could I log in as a domain administrator?

Thanks in advance.

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-03-31T08:06:58.55+00:00

Hi @Deok Jong Moon ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

1 answer

Your answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-03-31T08:06:58.55+00:00

Hi @Deok Jong Moon ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

Givary-MSFT 35,621 Microsoft Employee Moderator

@Deok Jong Moon Thank you for reaching out to us, As I understand you have queries on the type of privileges you have with Azure AD Domain Services.

Refer to these points - Administrative tasks you can perform on a Azure ADDS managed domain.

Members of the AAD DC Administrators group are granted privileges on the managed domain that enables them to do tasks such as:

Configure the built-in group policy object (GPO) for the AADDC Computers and AADDC Users containers in the managed domain.
Administer DNS on the managed domain.
Create and administer custom organizational units (OUs) on the managed domain.
Gain administrative access to computers joined to the managed domain.

Administrative privileges you don't have on a managed domain

The managed domain is locked down, so you don't have privileges to do certain administrative tasks on the domain. Some of the following examples are tasks you can't do:

Extend the schema of the managed domain.
Connect to domain controllers for the managed domain using Remote Desktop.
Add domain controllers to the managed domain.
You don't have Domain Administrator or Enterprise Administrator privileges for the managed domain. Reference: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm#:~:text=Administrative%20tasks%20you%20can%20perform%20on%20a%20managed%20domain

Also refer to this faq of for Azure AD DS : - Do I have domain administrator privileges for the managed domain provided by Azure AD Domain Services?

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Deok Jong Moon 125 Reputation points

2023-03-10T00:04:09.0233333+00:00

Hi @Givary-MSFT ,

Thanks for the answer. By the way, the link you posted for FAQ is not set up rightly I think. The right link : https://learn.microsoft.com/en-us/azure/active-directory-domain-services/faqs#do-i-have-domain-administrator-privileges-for-the-managed-domain-provided-by-azure-ad-domain-services-

Also, by the answers I've seen, it seems like I can't log in as a domain administrator(or just a domain user?) on the VM. If that is so, how can I follow the tutorial from 'Use Active Directory administrative tools' section? Active Directory Administrative Center requires me to log in to the VM as a domain administrator, not a local administrator. But your answers say that I don't have that privilege given.

I saw somewhere that user registered on ADD DC group can have domain administrative features, with which I failed to log in to my VM.

It's very confusing as to how I should be able to follow that tutorial.

I need some more help :(
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2023-03-13T06:43:37.8766667+00:00

Apologies for the delay response @Deok Jong Moon fell sick and couldn't respond on time, try with the Global admin credentials it has the privileges for Azure ADDS instance to perform your tasks, if doesnt help, send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:Givary" so that we can connect offline and work on this.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2023-03-14T03:01:04.4866667+00:00

Thanks for the update @Deok Jong Moon and the steps you followed to resolve this issue, let me know if you have any further questions.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution
Deok Jong Moon 125 Reputation points

2023-03-21T03:54:52.7466667+00:00

Thanks for the reply @Givary-MSFT :)

I solved it by right-clikcing on the Group Policy Management(or other similarly domain-user-related programmes), and selected 'Run as a different user' and typed an account information that is in AAD DC.

So, put it simply, I was logged in to the VM as a local administrator(that's why I couldn't open the programme), and tried to use the programme as a different user and it solved the accessing problem.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2023-03-21T06:15:39.06+00:00

@Deok Jong Moon Thank you for sharing the steps that you followed to resolve this, would request you to "Accept Answer", so that others in the community facing similar issues can easily find the solution.

Share via

How to log on to a Windows Server VM as a domain administrator, not a local administrator

1 answer

Your answer