Re: ADUC & SBS groups
- From: Brian Elkins <BrianElkins@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 3 Apr 2007 13:20:00 -0700
Dave,
Yes, it showed the computer was a member of the domain (DomainName.Local)
and I was logged into the workstation with the domain administrator account
(I agree, I should have gotten a fairly obvious error otherwise).
Another thing that failed too was when I tried to add an individual user to
the local administrators group (DomainName\User) which of course follows
along with the group failing to resolve.
Unfortunately I don't have ready access to the server again until this
Friday but I ended up adding the group to the proper SBS group and after
going thru the wizards I was able to add the domain users and groups.
This server had major problems and due to that I'm rebuilding the server for
my client this weekend. I'm wondering if not being able to add the domain
user/groups when it was under AD is due to some of the problems.
One thing I failed to mention (and I expect this may have been a major part)
is the domain name on the server was different than the domain name on the
workstations even though they were able to join the server okay??!!! It
looked as if someone renamed the domain but didn't do it correctly.
Domain name on server: synagogue.local
Domain name on workstations: SHUL
I know, I know, it goes against everything I know about servers and domains!
Brian
On the workstation, if you go to CP -> System and flip to the Computer Name
tab, does it say the computer is a member of the domain? Are you logged
into the workstation with an admin account? It seems like you'd get a
fairly obvious error if you tried to modify the local Administrators group
from a non-admin account, but in any case that won't work.
Just on the very off chance it would make a difference, what if you log into
the SBS and go to AD Users and Computers. R-click the computer -> Manage,
and try to add Domain Users there just as you're trying to do it on the
local PC. And another last resort weird thing to check - on the
workstation, CP -> Windows Firewall. Does it say it's using the domain
settings at the bottom of the General tab? On the Exceptions tab, are there
any exceptions that show that they're applied from group policy?
I just added domain\domain users to the local administrators group on this
PC just as you described, so whatever the problem is, it's not your
procedure that's at fault.
"Brian Elkins" <BrianElkins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:101BF685-FFC5-4BBA-8D30-8F9DCDDDA3BE@xxxxxxxxxxxxxxxx
"I tried typing the following in Object Types: DomainName\Domain Users but
it wouldn't resolve."
Excuse me, I meant in the area "Enter the object names."
I understand about the OU containers and the implementation of policies now.
Thank you.
Let me see if I can explain a little better about what I experienced with AD.
I was taking one of the predefined groups "Domain Users" and trying to add
it to the local administrators group on the workstation (I was experimenting
and I realize in a real life scenario this is POOR security management!).
The Location was set to the workstation name and I was unable to change it
even though I was logged onto the domain. Since I couldn't change it (I wish
there was a browse button there) I tried typing the following in Object
Types: DomainName\Domain Users but it wouldn't resolve.
I'm questioning whether the workstation was truly joined to the domain even
though I was logging onto it (at least it appeared that I was).
MyBusiness and SBSComputers are both OUs. That means that a policy applied
at MyBusiness will affect anything located anywhere under that, while one
applied at SBSComputers will only apply to items contained in the
SBSComputers OU. The easiest way to tell an OU from a container is that the
icons are different - when you look at them in the Group Policy Management
Console, the containers look just like regular folders, while the OUs have a
fancier icon.
I'm not sure what you're referring to about wanting to add domain groups to
the workstation, and I agree that you should be able to perform normal
functions as long as the workstation belongs to the domain, regardless of
where it's located. Can you give a fuller description of what you're trying
to do? (If you're trying to do something like add a security group to an
ACL, please make sure that in the box that pops up to add it, the Object
Types includes users and groups, and the Locations is set to your domain
rather than the local PC).
You can move items around in AD just by r-clicking them and choosing Move.
If you're experimenting or testing on anything in AD or group policy, I
recommend taking written notes for undo purposes in case you get unexpected
results. (I've blown up enough stuff to have learned this pretty well).
"Brian Elkins" <BrianElkins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D62D678A-A934-4EB7-9FD8-71578EAD6DF1@xxxxxxxxxxxxxxxx
Dave,
Thank you for the quick reply.
When you say the latter is an OU, "\MyBusiness\SBSComputers" is the OU,
correct?
Also, when I was experimenting the other day I placed the workstation name
in "ADUC\DomainName.Local\Computers" without knowing better. I was able to
join the workstation to the domain yet I was unable to add any Domain groups
to the workstation.
I'm a bit confused on that point. If I was able to join the domain it seems
as if I should have been able to add Domain groups.
Brian
The former is an Active Directory container, while the latter is an OU
(Organizational Unit). You can't apply group policies to a container, so
only domain-wide policies will apply to computers located in
domain\computers.
Also, the Add Computer wizard in SBS places the computers in the latter
location (the OU). I recommend only adding computers with that wizard, not
directly in AD. And, in the absence of a reason to move them, I'd leave
them where SBS expects them to be. If you do have a reason to move them -
say, to separate desktops from laptops - I recommend creating another OU
under MyBusiness\Computers. Let SBS create them as and where it prefers,
then go into AD Users and Computers afterward and move them to the other
OU.
FWIW, I leave all the computers in that OU, and if I need to apply group
policies more granularly, I do it with security filtering. Others do it the
other way - multiple OUs - which is equally valid.
"Brian Elkins" <BrianElkins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:351E5955-6E50-4C1B-9721-58FA561B92AC@xxxxxxxxxxxxxxxx
Can someone please explain to me what is the difference between placing a
workstation in:
"ADUC\DomainName.Local\Computers"
vs.
"ADUC\DomainName.Local\MyBusiness\SBSComputers"
Thank you for any help.
Brian Elkins
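
The container-versus-OU distinction discussed in this thread, as an added example that is not part of the original posts: the Python below takes computer distinguished names and lists the points where a GPO link can reach each one, flagging computers that sit outside every OU. The workstation names WS01 and WS02 are constructed; the paths follow the ones quoted in the thread.

```python
# Added example (not from the thread): where can a GPO link reach a computer?
# GPOs link to the domain and to OUs, not to CN= containers such as Computers.
# Site-linked and local policy are not modelled here.

def split_dn(dn):
    """Split a DN on unescaped commas into (TYPE, value) pairs, leaf first."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep an escaped character intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def gpo_link_scopes(computer_dn):
    """Return (scopes, in_container): link points from the domain down to the innermost OU."""
    parents = split_dn(computer_dn)[1:]            # drop the computer object itself
    domain = ".".join(v for a, v in parents if a == "DC")
    scopes, path = [domain], []
    for attr, value in reversed([p for p in parents if p[0] != "DC"]):
        path.append(value)
        if attr == "OU":                           # only OUs accept a GPO link
            scopes.append("\\".join([domain] + path))
    in_container = any(a == "CN" for a, _ in parents)
    return scopes, in_container

def domain_policy_only(computer_dns):
    """Computers that sit outside every OU, so no OU-linked policy reaches them."""
    return [split_dn(dn)[0][1] for dn in computer_dns
            if len(gpo_link_scopes(dn)[0]) == 1]

# Constructed sample DNs; WS01/WS02 are made-up names, paths follow the thread.
SAMPLE = [
    "CN=WS01,CN=Computers,DC=DomainName,DC=Local",
    "CN=WS02,OU=SBSComputers,OU=MyBusiness,DC=DomainName,DC=Local",
]

if __name__ == "__main__":
    for dn in SAMPLE:
        print(dn, "->", gpo_link_scopes(dn))
    print("domain-level policy only:", domain_policy_only(SAMPLE))
```
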