Re: Cannot Add Domain Accounts to Local Admin Group

From: Someone (anonymous_at_discussions.microsoft.com)
Date: 03/29/04 

Date: Mon, 29 Mar 2004 06:59:04 -0800

I have the same issue here, and I checked the DHCP
information, it had both local DNS ip, and ISP DNS ip
addresses. Are you saying we should totally remove all
ISP DNS ip addresses from the DHCP server. Thanks
>-----Original Message-----
>JT,
>
>You are well advised to not make any user account a
member of the Domain
>Admins. That would give those with a little bit of
knowledge access to just
>about everything. Not a really good situation in most
cases. I have found
>out over the years that there is always one ( at
least! ) who tries to go a
>bit too far!
>
>In the TCP/IP configuration on each client computer are
the DNS entries set
>to the *internal* DNS Server and NOT to the ISP's DNS
Server IP Address(es)?
>I would assume that each client computer is receiving
the IP Address lease
>from a DHCP Server ( either SBS2000 or a Firewall-type
device ). Do an
>ipconfig /all on several of the clients where you are
getting this error and
>look specifically at the DNS entry. It *must* be the
local DNS Server and
>not the ISP.
>
>See if that helps.
>
>Cary
>
><anonymous@discussions.microsoft.com> wrote in message
>news:14f9b01c4158e$3c5d3fe0$a501280a@phx.gbl...
>> Cary,
>>
>> Thank You for the speedy reply. I am trying to add
>> domain user accounts into the Local Administrators
group
>> on several XP and Win2K systems. I get an error
>> staing "the domain does not exist or cannot be
located".
>> No changes have been made to DNS, WINS, or DHCP. There
>> is only the default GPO implemented. If I add the user
>> to the Domain Admins group, they have full access to
the
>> local system, but I really would like to avoid that
>> senerio.
>>
>> Since I only work there on Saturday's I cannot
>> troubleshoot as I would like. I'll be sure to check
the
>> articles you advised.
>>
>> Thanks again. I really appreciate your advisments!
>> JT
>> >-----Original Message-----
>> >JT,
>> >
>> >To what 'local admin group' are you referring? And
>> where - on the
>> >WIN2000/WINXP clients or on the SBS2000 Server?
>> >
>> >My guess is that you are referring to your clients.
Do
>> you know if the
>> >Group Policy 'Restricted Groups' has been implemented.
>> This could have
>> >something to do with your issue. Take a look at the
>> following MSKB Article:
>> >
>> >http://support.microsoft.com/?id=320065
>> >http://support.microsoft.com/?id=320045
>> >http://support.microsoft.com/?id=228496
>> >http://support.microsoft.com/?id=279301
>> >
>> >By default, the 'Domain Admins' group is a member of
the
>> local
>> >'Administrators' group on each client system. The use
>> of the 'Restricted
>> >Groups' GPO can be used to make sure that no other
user
>> account/group
>> >account can be added to the local 'Administrators'
>> group. Initially, when
>> >applying this GPO all members of the
>> local 'Administrators' group were
>> >replaced by whatever group you indicated in the GPO (
>> typically the 'Domain
>> >Admins' group ). However, there was a later fix for
>> this that 'merged' the
>> >group that you were using in the GPO with the current
>> members of the local
>> >'Administrators' group. Please see the following MSKB
>> Article:
>> >
>> >http://support.microsoft.com/?id=810076
>> >
>> >Does this help you? Also, what error message are you
>> receiving when
>> >attempting to do this? And how are you trying to do
>> this?
>> >
>> >HTH,
>> >
>> >Cary
>> >
>> >
>> >"JT" <anonymous@discussions.microsoft.com> wrote in
>> message
>> >news:14fe201c41587$ff569890$a401280a@phx.gbl...
>> >> I periodiacally support a small business with SBS
2000.
>> >> I cannot add Domain accounts into the local admin
>> group.
>> >> I was able to do this several weeks ago. I recently
>> >> completed Windows Updates, and feel this may be my
>> >> issue.
>> >>
>> >> Any others with this problem?
>> >>
>> >> Thanks,
>> >> JT
>> >
>> >
>> >.
>> >
>
>
>.
>

Relevant Pages

  • Re: DHCP IP lease renewal ok, but a new PC can not obtain an IP ("An e
    ... I guess the problem seen with DHCP from PC's is a symptom of another ... Note that both robert and tina are blade servers within the save blade ... Connection-specific DNS Suffix. ... I.e. DNS servers has their own IP as the first DNS server and another as ...
    (microsoft.public.windows.server.networking)
  • RE: Remote Access Issue
    ... the DHCP server do not update the A record for the ... Click DNS ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
  • Re: Static IP timestamp
    ... I just tested this withWindows 2003 DNS. ... When I had built a few servers for a customer and let them auto register, they had a timestamp and the scavenge checkbox was checked. ... Unless you are seeing something going on that is affecting your environment, the default settings work fine, at least they do for me for all of my customers and installations I've worked in that I've set scavenging and forced DHCP to own the records so it can update the records it had registered at lease refresh time. ...
    (microsoft.public.windows.server.dns)
  • Re: Active Directory Integrated DNS-DHCP -> DHCP computers with Pen Ic
    ... Active Lease, DNS dynamic update pending. ... available for lease by the DHCP server. ... It may mean that if it is stuck on the pencil icon, it means it cannot update the record in DNS because it already exists and DHCP server does not own the record, the client machine does, and therefore the DHCP server cannot update the record. ... How to configure DNS dynamic updates in Windows Server 2003. ...
    (microsoft.public.windows.server.dns)
  • Re: DNS record does not show remote access client IP
    ... DHCP, then gives them out as needed, and is using it's own name. ... I checked "register the connection's address in DNS" and retry, ... result on DHCP active address - just RRAS server name, ... Once you set DHCP to force register everything, you should also set it so DHCP owns the record it registers into DNS. ...
    (microsoft.public.windows.server.dns)