Re: NT4->2003 Computer Account Migration Problem

"Frances [MSFT]" <v-franhe@xxxxxxxxxxxxx> wrote
> 1. What do you mean by "I can't join the computer to the domain."?
> By default, Authenticated Users have the right to add 10 workstations to
> the domain. So a win2k3 domain user can join the computer to the win2k3
> domain.
Right. However during the migration process, the workstation was given a
name with the prefix "xx". We had specified this was to be used for any
computers that already existed. Yet a computer with this name did not exist.

I think the rest of the questions were answered by the fact that domain
admins are not given local admin rights by default, but I'll answer the rest
of your questions.

> 2. How do you know the computer is not joined to the win2k3 domain?
I have admin rights to the OU where the computer is located in the AD. Yet
when I got to the windows to change the computer's name, it says that
administrative rights are required. So its not recognize my authority within
the domain.

> Do you mean after the computer migration, if you enter the win2k3 domain
> admin's username and password, you can successful log on the machine?
Yes

> What if you use a win2k3 domain user account?
Doesn't work. It says I do not have sufficient privledges or something like
that.

> If you can't logon, what message do you get?
The problem is not that I can't log on, its that I can't join the computer
to the domain with its new name.

> add the user or group accounts to the "Add Workstations to the Domain"
User
> Right in the Default Domain Controllers Policy".
I found the setting you are talking about. However I cannot change it at
this point. We need to assign this ability to different accounts depending
on the OU. I'll have to investigate that further.

> As for your concern that when you log in using your account in the 2003
> domain, you do not have admin rights on the computer, it is normal. Since
> domain admin is not by default the workstation's local admin. However, a
> domain user should have rights to join the computer to the domain.
By default in our NT domain, the domain admins group has admin rights on the
local computer. Is there a way to make this happen by default in 2003?

Thanks!

Brian


.

Relevant Pages

  • Re: Privileges
    ... You stated that you created both a local user and a domain user and ... My assumption is that this is a Windows XP machine in a Windows 2000 ... What are you checking to see if the user has admin rights? ...
    (microsoft.public.windowsxp.security_admin)
  • Re: xp pro, granting domain user access to local resources?
    ... You can test this by adding the domain user to the local Administrators ... I don't have any issues granting the domain user admin rights on the ... Sysinternals tool using RunAs & providing valid local admin credentials. ... I have a USB scanner installed on one computer, ...
    (microsoft.public.windowsxp.security_admin)
  • local admin rights for domain user on member server ?
    ... local admin rights for domain user on member server? ... I have a windows 2000 domain running AD. ... I need a domain user to have full admin ... local list so I can allocate ADMIN rights to this user. ...
    (microsoft.public.win2000.security)
  • Re: can not login local machine interactively.
    ... And what about the ADUC properties? ... admin rights / works on the servers/domain. ... some of our domain user try to login the workstation. ... local security setting> user Right assignment>select logon locally Even ...
    (microsoft.public.windowsxp.general)