Re: Cannot Add Domain Accounts to Local Admin Group

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 03/29/04


Date: Mon, 29 Mar 2004 08:11:21 -0500

JT,

You are well advised to not make any user account a member of the Domain
Admins. That would give those with a little bit of knowledge access to just
about everything. Not a really good situation in most cases. I have found
out over the years that there is always one ( at least! ) who tries to go a
bit too far!

In the TCP/IP configuration on each client computer are the DNS entries set
to the *internal* DNS Server and NOT to the ISP's DNS Server IP Address(es)?
I would assume that each client computer is receiving the IP Address lease
from a DHCP Server ( either SBS2000 or a Firewall-type device ). Do an
ipconfig /all on several of the clients where you are getting this error and
look specifically at the DNS entry. It *must* be the local DNS Server and
not the ISP.

See if that helps.

Cary

<anonymous@discussions.microsoft.com> wrote in message
news:14f9b01c4158e$3c5d3fe0$a501280a@phx.gbl...
> Cary,
>
> Thank You for the speedy reply. I am trying to add
> domain user accounts into the Local Administrators group
> on several XP and Win2K systems. I get an error
> stating "the domain does not exist or cannot be located".
> No changes have been made to DNS, WINS, or DHCP. There
> is only the default GPO implemented. If I add the user
> to the Domain Admins group, they have full access to the
> local system, but I really would like to avoid that
> scenario.
>
> Since I only work there on Saturdays I cannot
> troubleshoot as I would like. I'll be sure to check the
> articles you advised.
>
> Thanks again. I really appreciate your advisements!
> JT
> >-----Original Message-----
> >JT,
> >
> >To what 'local admin group' are you referring? And where - on the
> >WIN2000/WINXP clients or on the SBS2000 Server?
> >
> >My guess is that you are referring to your clients. Do you know if the
> >Group Policy 'Restricted Groups' has been implemented? This could have
> >something to do with your issue. Take a look at the following MSKB Article:
> >
> >http://support.microsoft.com/?id=320065
> >http://support.microsoft.com/?id=320045
> >http://support.microsoft.com/?id=228496
> >http://support.microsoft.com/?id=279301
> >
> >By default, the 'Domain Admins' group is a member of the local
> >'Administrators' group on each client system. The use of the 'Restricted
> >Groups' GPO can be used to make sure that no other user account/group
> >account can be added to the local 'Administrators' group. Initially, when
> >applying this GPO all members of the local 'Administrators' group were
> >replaced by whatever group you indicated in the GPO ( typically the 'Domain
> >Admins' group ). However, there was a later fix for this that 'merged' the
> >group that you were using in the GPO with the current members of the local
> >'Administrators' group. Please see the following MSKB Article:
> >
> >http://support.microsoft.com/?id=810076
> >
> >Does this help you? Also, what error message are you receiving when
> >attempting to do this? And how are you trying to do this?
> >
> >HTH,
> >
> >Cary
> >
> >
> >"JT" <anonymous@discussions.microsoft.com> wrote in message
> >news:14fe201c41587$ff569890$a401280a@phx.gbl...
> >> I periodically support a small business with SBS 2000.
> >> I cannot add Domain accounts into the local admin group.
> >> I was able to do this several weeks ago. I recently
> >> completed Windows Updates, and feel this may be my
> >> issue.
> >>
> >> Any others with this problem?
> >>
> >> Thanks,
> >> JT
> >
> >
> >.
> >
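
The DNS check described in the reply above (run `ipconfig /all` on the affected clients and confirm the DNS entry is the internal server, not the ISP) can be scripted over saved output. The Python below is an added example, not part of the original thread; the sample output, adapter names and addresses are constructed, and 192.168.16.2 is an assumed stand-in for the internal DNS server.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; every name and address is
# made up (192.168.16.2 plays the internal DNS server, 203.0.113.53 an ISP's).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        DNS Servers . . . . . . . . . . . : 192.168.16.2
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : Monday, March 29, 2004 8:00:00 AM

Ethernet adapter Wireless Network Connection:

        DNS Servers . . . . . . . . . . . : 192.168.16.2
"""

DNS_LABEL = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")

def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Unindented line: section heading such as "Ethernet adapter X:".
            current, in_dns = line.rstrip().rstrip(":"), False
            continue
        match = DNS_LABEL.match(line)
        if match:
            adapters.setdefault(current, []).append(match.group(1))
            in_dns = True
        elif in_dns and line.strip() and " : " not in line:
            # Additional servers appear on label-less continuation lines.
            adapters[current].append(line.strip())
        else:
            in_dns = False
    return adapters

def non_internal_dns(text, internal_servers):
    """Return {adapter: [listed DNS servers that are not internal ones]}."""
    allowed = {ipaddress.ip_address(s) for s in internal_servers}
    findings = {}
    for adapter, servers in dns_servers_by_adapter(text).items():
        bad = [s for s in servers if ipaddress.ip_address(s) not in allowed]
        if bad:
            findings[adapter] = bad
    return findings
```

Calling `non_internal_dns(SAMPLE, ["192.168.16.2"])` reports only the first adapter, whose secondary DNS entry is not the internal server.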


