deane_barker

asked on
Unable to add domain account to local Administrator group

I am trying to add a domain account to the local Administrators group on a Windows XP Pro workstation.  My network is Windows 2000 / Active Directory.

On the workstation:

Administrative Tools > Computer Management > Local Users and Groups > Groups

I open the Administrator group, then press "Add..."  The only thing in the "From this location" box is the local machine I'm working on, so I press the "Locations" button.  In the resulting window, there is no other option to select from.  The only icon in that window is the local machine.

Consequently, I cannot add a domain account to the local Administrators group.

Notes:

-- The computer has been added to the domain. Active directory is completely aware of the machine and it functions normally in the domain aside from this issue.

-- Domain admins are administrators on this computer, so I know the computer knows what the domain is and can authenticate against it.

-- When I open the Administrators group and it displays the members of that group, there are two icons.  One is the standard User icon for the local Administrator account.  The other is the same icon with a question mark in front of it and a name like: "S-1-5-21-1615..." etc. (it's quite long).  I'm assuming this second icon is for the Domain Admin group.

Deane
Justin C

Try adding the user as username@domain.com, or domain\username.  That should do it.
stevenlewis

ASKER

>  Try adding the user as username@domain.com, or domain\username.  That should do it.

It instantly comes back and says:

"The object named "[domain]\[user]" is not from a domain listed in the Select Location dialog box, and is therefore not valid."

Either of the formats you suggested gives this same result.  It prompts me to search for the object, but, again, the only location it will search in is the local machine.

Deane
The KB suggested is for adding a global group to a local group.  I don't want to add a group, just a domain user.

Also, it doesn't address the underlying problem: why can't the system search the domain?  It strikes me that it should be able to show me objects on the domain, beyond the local machine.

Deane
what are you logged on to the machine as?
What happens if you try from the command prompt?

net localgroup administrators domain\domainuser /add

GUI (Windows 2000/XP)
      Right Click on "My Computer"
      Select "Manage"
      Right Click on "Computer Management (Local)"
      Select "Connect To Another Computer..."
      Enter "COMPUTER01"
      Expand "Local Users and Groups"
      Expand "Groups"
      Double-Click on "Administrators" in the Right-Hand Pane
      Select "Add..."
      Type "MYDOMAIN\JOEU" into the appropriate edit box
      Press "Check Names"


ASKER CERTIFIED SOLUTION
Justin C
>  what are you logged on to the machine as?

A domain admin.  This group is in the local administrators group -- must have been automatically added when I joined the machine to the domain.


> What happens if you try from the command prompt?
> net localgroup administrators domain\domainuser /add

"System error 1789 has occurred.  The trust relationship between this workstation and the primary domain failed."


>  GUI (Windows 2000/XP)
>  Right Click on "My Computer"
>  Select "Manage"
>  Right Click on "Computer Management (Local)"
> ..

I've done this sequence several times.  When I press Check Names it immediately pops up the box telling me that it can't find that object and asking whether I want to search for it.  However, the only location I am allowed to search is the local machine.  (Notably, I can connect to the other computer just fine.)


> Is the system added to the domain?

Yes, two proofs:

(1) It appears in the "computers" container in Active Directory.
(2) The Domain Admins group is a member of the local Administrators group.  I did not explicitly do this, but I believe this happens automatically when the machine is added to the domain.

Deane
2 things to check for your 2 proofs:

1. Check that the computer account is not disabled.

2. You said the Domain Admins SID was in the local admin group, not the actual account name, right?  When you right-click My Computer and go to Properties -> Computer Name, does it show the computer name as "computer.domain.com" and under that where it says "Domain:" does the correct domain name show up?  I ask because computers can be dropped or removed from a domain and the changes made when it was originally added will still be there (the Domain Admins SID), and the computer account isn't automatically removed, so you'd still see the account in AD.
> Check that the computer account is not disabled.

There is nothing to indicate it is disabled.  If I right-click on the computer icon, one of the options I get is "Disable account..."  This seems to indicate that the account is enabled currently.

> does it show the computer name as "computer.domain.com"
> and under that where it says "Domain:" does the correct domain name show up?

Yes, both of these are true.

Although, this does beg another question.  I had Small Business Server 4.5 running Windows NT, and I upgraded to Small Business Server 2000 running Windows 2000.  Under NT, my domain was named "SFCOMMERCIAL."  Now my domain seems to be named "siouxfallscommercial.com.local."  Can the two be used interchangeably?  I see the old domain name in some places, and the new domain name in others.

Also, when I was looking to see if the workstation was disabled, I noticed the checkbox "Trust computer for delegation" on the Properties page of the computer icon ("General" tab) was NOT checked.  Given my trust-related error above, would this make a difference?

Deane

Did you upgrade in place or create a new domain and migrate to it?  SFCOMMERCIAL itself looks like a NetBIOS name; the new domain using Win2K uses DNS in place of (or alongside) NetBIOS (WINS) for name resolution.  DNS requires a Fully Qualified Domain Name (FQDN) for a zone, something ending in .com, .org, .local, .whatever, which is where you get the ".com.local" domain name from.  Without knowing your system's configuration, the fact that the old NetBIOS domain name and the new DNS domain name aren't the same seems odd; are you able to ping each domain name?  Check your DNS records: you may have an alias linking the two names to the same domain, or you could have DNS set up to forward NetBIOS lookup requests to a WINS server.  If that's not the case and you aren't sure where the differing names are coming from, I'd try removing and rejoining the computer to the Win2K domain.
I have been able to "fix" the problem by removing and re-adding the machines to the domain.  Points go to BloodRed for first questioning whether or not the machines were added to the domain correctly.

This has, however, brought up another issue.  I'll post in a new question.

Deane
I have been having a problem very close to the one described here.  I have a Win2K Server set up as PDC / AD.  All my users have accounts on the PDC.  Most of the workstations were Win98 and now we have begun replacing them with WinXP Pro.  I want to add the domain user account to each machine to give each user full access to their own c:\ to install programs, updates, etc... (just as the issue above mentioned).

When I go right click c:\ --> properties --> security, then click add, the location only shows the local machine name.  I have added and removed the machine from the domain several times via right click my computer --> computer name --> network id (and just the change button)... I have tried adding the domain users in the control panel user manager, through the computer manager --> users and groups, and through the system properties --> network id... sometimes the domain user will show up under the user manager, but it does not show up when I go to the security properties of drive c:\.

I was able to get this to work on one WinXP machine... I followed the exact same steps on two others, and when I click the Locations button in the security properties of drive c:\, it only lists the local machine.  Why can I not browse the domain?

Help please.
twospoons@hotmail.com
Did you check your SRV records?  I am having the same problem and I just noticed that my SRV records are missing.  I just added them and I am going to see if that helps. If anyone else is having this problem let me know at josh@rblconsulting.net
I just fixed mine and it was definitely the SRV record
How to recreate SRV records:
1. Add an SRV record to the DNS zone
2. Stop the Netlogon service
3. Delete netlogon.dns and netlogon.dnb
4. Start the Netlogon service

you should be good after that


I know this is an old topic - but for the sake of completeness and because I kept finding this topic whenever I googled this problem as I was pulling my hair out.

Another solution to this problem, and the normal reason for it, is that on your W2K or 2003 server the DHCP server is not set to "Always dynamically update DNS A and PTR records".

This is set in admin tools - DHCP - properties on your server - DNS tab.

You might as well check the last entry "Dynamically update DNS A and PTR records for DHCP clients that do not request updates" so that anything that grabs an address via DHCP gets a corresponding entry in DNS.

No restarting needed as the change is accepted dynamically, and the next time clients get an IP address from DHCP they appear in DNS and the SIDs on the workstation appear enumerated as Domain\Group and you can now merrily add domain groups or users to the workstation.
I am having the same problem, and these are the circumstances.  I am not using DNS or DHCP from the Windows 2003 server.  I am using DNS and DHCP from the Linksys router (small network) because the router tends to not let people browse the Internet unless it provides the IP address <-- Mystery to me.

Anyway, how do you get around this problem if you are not using the DNS and DHCP from the Windows 2003 PDC?
I'd look at fixing the issue with the Linksys...!

If its not too disruptive to your network I'd try using DHCP and DNS on the 2003 server.

I've had problems with a home-flavour router (a Netgear) giving the same IP address to multiple workstations hung off a daisy-chained hub rather than connected to the internal switch.  But if they have static IPs or ones assigned by another DHCP server they can communicate through the router quite happily!  An ipconfig /release and then a /renew would also eventually get an IP they could use the internet with.

Just a thought!
Just my 2 cents, but I was able to duplicate the problem by having my forward lookup zone not properly named in DNS.  I had home.xyz.com instead of xyz.com. I created a new record, & deleted the home.xyz.com record. Everything worked after that. The SID stopped displaying numbers / letters & I logged in instantly instead of a 5 minute hang.

Hope it helps someone else.
Just in case this may help someone - what resolved my issue was the post by stevenlewis

from command prompt I used this (it worked for both adding a user and a group):
net localgroup administrators "mydomain\Domain Users" /add

just had to add quotes because Domain Users has a space.
Just had this problem myself. Turned out the computer was not pointing to the proper DNS server. IP address and DNS had been entered manually..... pointed to the correct DNS server IP and it fixed the problem. No reboot needed.

Okay - here's one way around this problem...
Bring up the computer account in Active Directory (Client Computer or just "Computers" off of the Main Service Management page in SBS).
Select the workstation in question - Select Computer Management (right click or select from menu on left).  Select Local users & groups -

Now to let the user have admin rights on the local machine, I only add them to the Administrators group on that machine (actually most my users are only in the local "Power Users" group to limit them from doing "too" much damage)- I do not add them as a local user - this prevents them from having two profiles setup on the local machine - they would always logon via the domain (on lan or even disconnected).  Again, this is my preference to solve the multiple profiles setup locally.

...anyway Select Workstation -> Computer Management -> Local Users and Groups -> (your group in question):
Add user from domain.
Close/Apply - and you're done!

Of course you can add them as a local user also...

Paul Kurr
I have also corrected this problem by making sure the DNS on the client PC is the IP address of the AD server.
Same here... just solved this problem by correcting DNS to point to IP of the AD.
I had the same problem and assigned the first DNS server as the domain controller (NIC TCP/IP settings), rebooted and then rejoined. It mysteriously saw the domain.local now and everything worked. Hope that helps
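The fixes scattered through this thread (stevenlewis's net localgroup command, the missing SRV records, client DNS that does not point at the domain controller, and the error 1789 trust failure that went away after rejoining) boil down to a few checks that can be run before attempting the add. The script below is an added example for current Windows versions, not code from the thread or from any poster; it assumes an elevated PowerShell 5.1 prompt on a domain-joined machine, and example.local / EXAMPLE\Domain Users are placeholders for your own domain and principal.

```powershell
# Added diagnostic (not from the thread). Checks the causes the posts converge on
# before adding a domain principal. $Domain and $Account are placeholders.
param(
    [string]$Domain  = 'example.local',         # assumption: your AD DNS domain name
    [string]$Account = 'EXAMPLE\Domain Users'   # assumption: DOMAIN\user or DOMAIN\group
)
$ok = $true

# 1. Client DNS must point at a domain controller (several posts: DNS set to the AD server's IP).
#    DCs register A records for the domain name itself, so resolving $Domain yields DC addresses.
$dcIps = (Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue).IPAddress
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object ServerAddresses).ServerAddresses
if (-not ($clientDns | Where-Object { $dcIps -contains $_ })) {
    Write-Warning "Client DNS servers [$($clientDns -join ', ')] do not include a DC [$($dcIps -join ', ')]."
    $ok = $false
}

# 2. The DC locator SRV records must exist ("it was definitely the SRV record").
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV records for $Domain; Netlogon has not registered them."
    $ok = $false
}

# 3. The machine account's secure channel must be intact (system error 1789 in the thread;
#    the asker's fix was to remove and rejoin the machine).
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning "Secure channel to $Domain is broken; run Test-ComputerSecureChannel -Repair or rejoin."
    $ok = $false
}

# 4. Members that show as bare SIDs are the symptom the asker saw in the Administrators group.
try {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $_.Name -match '^S-1-5-21-' } |
        ForEach-Object { Write-Warning "Unresolved Administrators member: $($_.SID)" }
} catch { Write-Warning "Could not enumerate Administrators: $_" }

if ($ok) {
    # Same effect as: net localgroup administrators "mydomain\Domain Users" /add
    Add-LocalGroupMember -Group 'Administrators' -Member $Account
    Get-LocalGroupMember -Group 'Administrators' -Member $Account
} else {
    Write-Host 'Resolve the DNS/trust findings above first; the add would fail or leave an unresolved SID.'
}
```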