No Admin permissions in VM

Introduction

Accountable, Privileged and Advanced Members have 'Admin' permissions within a VM. These roles have administrator permission within a VM that allows them to install software and run software as administrator. In rare cases however, VMs can be deployed without the correct Admin permissions even though users have one of the above-mentioned roles assigned. When trying to run or open software as administrator, it will ask for a username and password. It will look something like this:

Note that this is normal if you have been assigned a role that is not Accountable, Privileged or Advanced Member.

When this happens, there are generally two options:

1. Delete the VM and deploy a new VM. This is the fastest option if there is nothing important installed on the VM.

1. Add the MYDRE\[ACRONYM]-Admins group back to the VM.
   

Below we will describe how to perform the second option.

Steps to verify

1. The first step is to check your role in the Workspace. Go to the Members tab. If you're not Accountable, Privileged or Advanced Member then this is working as intended. If you have one of the three roles described above, continue with the next steps.
   
2. Check whether the [Acronym]-Admins group is indeed missing from the VM. Within the VM, find the magnifying glass on the bottom left and type lusrmgr.msc.
   

1. Double click on Groups and then Administrators. Check whether MYDRE\[ACRONYM]-Admins is present in the list. There should be four groups in total. Replace [ACRONYM] with the acronym of your Workspace. For example, my Workspace is dws-1178-SMOKE. Therefore, the group MYDRE\SMOKE-Admins must be present. If not, you won't have Admin permissions in the VM. It will look like this (note the [ACRONYM]-Admins group is missing):
   

Steps to remediate

1. Please contact the local Support Team through a ticket. Provide at least the following information:
1. Name of the Workspace in dws-xxx-YYY format.
2. Name of the affected VM in dwsxxxYYYserverz format.
3. Role in the Workspace.
   
4. Permission for the anDREa Support Team to turn on the VM and execute the script to re-add the Admins group.
   

For transparency, we will add the steps performed by the anDREa Support Team:

1. Turn on the affected VM in the Azure Portal. You don't have to connect to the VM.
2. On the left hand side, under the Operations menu, you can find Run command.
   

1. Click on RunPowershellScript.
   

1. In the text box type the following:
   

1. Add-LocalGroupMember -Name "Administrators" -Member 'MYDRE\[ACRONYM]-Admins'
   
2. Get-LocalGroupMember -Group "Administrators"

1. Replace [ACRONYM] with the acronym of the Workspace. In the example, the acronym is SMOKE.
   
2. The output verifies whether the group has been added properly.
   

1. Turn off the VM.

• Related Articles

• Managing and monitoring your VM

  From within the myDRE web portal, you can find a Manage and monitor VM menu that provides links directly to your VM in the Azure portal and Azure app. Within the Azure portal or app, you can start, stop and reset the VM, as well as analyze its ...

• Change the timezone in a VM

  Generally this is not something you want to do! Consider the following: an Azure VM is allocated to you. This VM is not running locally, but runs in a Microsoft Azure Data Center. It is common practice to use UTC-time for cloud resources, this ...

• Azure Bastion to connect to your VM

  Introduction Azure Bastion is a service that enables RDP connection through your browser. myDRE offers Azure Bastion as an optional service, read more here. How you can connect to your VM though Azure Bastion can be found in articles Windows VMs and ...

• Z:-drive not available in newly created VM from image

  Bug description A VM based on an image does not mount the Z-drive for those who were part of the VM from which the image was created. However this is visible: Related to: Create VM-templates for your Workspace Creating VM images for Shared Gallery ...

• VM Deployments release note

  Week number 23, 2024 Summary of Key Changes We have introduced VM logging for multiple VM operations in User Portal Successful/Failed VM Deployment (Windows/Linux) Remove VM Generalize VM Improvements Authorized workspace members can now view VM logs ...