granting local admin privileges fails using Computer Management, works using Control Panel

zdigriz asked
Medium Priority
Last Modified: 2013-12-04
If anyone can explain why the following is true, I'd greatly appreciate it.  I've already wasted an embarrassing amount of time trying to get this working and only solved it by sheer accident.  But I have no idea why it works and would like to know in order to avoid making a similar mistake in the future.

We have a W2K DC, one domain and handful of W2K Pro workstations connected.  Everything works fine.  I've made virtually no changes to the default security policies (mostly out of ignorance).  I wanted to grant local admin privileges to myself and one other user, since we both do development.

Went to the individual PCs, logged in as admin, fired up Computer Management > Users & Groups and tried adding the two of us as domain users to the Administrators group.  Double-click on the Administrators group, click Add, and one of two things happens.  Either the Look In drop-down was disabled so I couldn't add domain users, or else after picking the domain and user account and hitting OK, I get the following error message:

"Processing of xxx failed with the following error: the specified domain either does not exist or could not be contacted".  

Of course, I can still browse all the users in the domain it can't find, so it clearly knows about it and can see it.  I also have access to all the server resources, can log in as a domain user, etc.  Thinking there was some security policy being applied (maybe there is?), I hunted around for a while and didn't come up with anything.  Again, we don't USE security policies since it's such a small network.  I finally just gave up on it.

Today, I happened to notice the User & Password icon under Control Panel and opened it up on a whim.  I was able to add both domain users to the local admin group without a problem.  And they show up in the Computer Management console (although they can't be changed, see above).

So what exactly is the difference between these two approaches?

I thought the Computer Management console was exactly the same thing.  If not, what is it meant for?

Rich Rumble, Security Samurai
Top Expert 2006

They should be the same. The MMC snap-in, or right-clicking My Computer and going to Manage, or using the Control Panel Users icon, should all lead you to the same places, really. Which Admin did you sign in as? Local or Domain? It shouldn't make any real difference, except when you sign in as Local-Admin (the local PC's Admin account) and you go to add a user that is on a domain to the Admin group, you may be prompted for a username and password. That should be the only difference in the process.  When a PC is joined to a domain, the Domain Admin is by default added to the local Admin group of the PC. Any account in the Domain Admins group on the DCs will of course be an admin on any PC where domain admins are in the local admin group :) weeeeee.

Did you try the Advanced button? then hit Find...?
http://support.microsoft.com/default.aspx?scid=kb;EN-US;272576 maybe? Are you patched to SP2 on all your Win2K machines?
You have to be a member of the local admin group to add more members.

As RICHRUMBLE commented, there's a difference in which account you are using when logging on: local or domain?

Try the following:
1. Login as domain administrator
2. Start / Run
3. Input CMD
4. Press ENTER
6. Press ENTER

You have to log on as one of the mentioned present members to solve your problem.
Logoff and logon again.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open
There could be a difference in your domain policy (not added any), and your local policies (did you add any?)

Yes I know, domain policy always overrules local policy, but I'm not quite sure about a restriction in local policy, and the same restriction NOT set in domain policy ???

So try to find out...

Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.

DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation
(Verifies that the Domain Name Service (DNS) infrastructure is sufficient for the Windows 2000 Active Directory)


Sorry for the lag, everyone.  My email was inadvertently flagging stuff from EE as already read.

To respond to the previous comments and questions:


1.  This is a fresh install of W2K Pro w/SP4.  The DC is also running W2K SP4
2.  I'm logging onto the machine as local admin, but had the same problem logging on as a domain admin
3.  Running the NET GROUP ADMINISTRATORS command verifies that "administrator" (my local admin) is part of the group
4.  We're running WINS to identify the server; DNS for TCP/IP requests.  Both are served by the DC.  I don't think DNS is an issue as I have access to all other network resources, internet, etc.

> The "domain cannot be contacted" thing is DNS and WINS, as winblows will try to contact a DC with WINS (NetBIOS) queries
> if DNS fails... well, if you have your network settings set to do this. It can be disabled in your network TCP/IP settings
> (Advanced, WINS tab). Sometimes it's hard to account for that error: DNS will resolve as well as WINS, but it will occur
> anyway. If you're not using a WINS server then it is a DNS failure; still, typically even without a specified WINS server the
> broadcasts will be answered.

This is an interesting thought, though.  I'm thinking our DNS server might not be resolving internal DNS requests properly.  I recall having some difficulty setting it up initially and, since we were falling back to WINS with just the one server to identify, never bothered to verify it was working.  If it's working properly with WINS, I'd never have known the DNS requests were failing.

I'll check that later this afternoon, as well as checking Group Policy restrictions.  Thanks everyone!

> http://support.microsoft.com/default.aspx?scid=kb;EN-US;272576 maybe? Are you patched to SP2 on all your Win2K machines?
Yep, everything's on SP4 and using an aclui.dll dated from 2003.

> Did you try the Advanced button? then hit Find...?
Umm, where is the Advanced | Find button?

Rich Rumble, Security Samurai
Top Expert 2006

Oops... I've been using XP for too long... but it's in Management in XP, as well as when you are adding people to the NTFS permissions.

Click Add; "Advanced..." is at the bottom left, then you can click "Find Now".  Anyway, sorry about that.


Well, there's definitely a problem with the DNS server - apparently I'm not using one.  ;-)

This server used to be in an office with 15+ machines and was running DNS.  Apparently, after it worked its way into my private setup, I removed DNS entirely (not entirely sure why) and am just using the DNS servers from our ISP.  Which of course know absolutely nothing about local.mobileiq.biz, which is the domain all the workstations are connected through.

I'd gotten so used to the NetBios name for the server (PC012), I just added it to the local LMHOST file on the three machines I use regularly nowadays.  It's a little bit odd that I've never come across a need to access the server through "local.mobileiq.biz" after more than a year, but...

From my original question, that seems to imply the two different paths use different name resolution methods.  Even after adding "local.mobileiq.biz" to the workstations' LMHOST file, the MMC snap-in generates the same error, although it can now be pinged from the workstation.

I'm reluctant to install and configure DNS on the server just to test my theory about name resolution, but I'm satisfied it would work if I did and would fix my problem.  It worked under the previous configuration.  With that in mind, I'm going to split the points between oBda and richrumble (if I can), otherwise to oBda for a slightly quicker response.

Wow - I just noticed both of you guys are side by side in the rankings.  Thanks again for the help.
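One way to test the name-resolution theory above without installing DNS on the server is to ask the resolver the workstation is configured with for the SRV record the Windows 2000 DC locator queries, `_ldap._tcp.dc._msdcs.<domain>`. This is an added example, not code from the thread: the two sample replies are constructed (a DC-hosted zone answering with PC012 on LDAP port 389, and an ISP resolver answering NXDOMAIN for local.mobileiq.biz), and `dc_locator_check` is the live version you point at a real resolver address.

```python
import socket
import struct
def _enc(name):  # dotted name -> DNS wire labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def _read_name(msg, off):  # read a possibly compressed name -> (name, next offset)
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln
def parse_srv_answers(msg):  # -> (rcode, [(priority, weight, port, target), ...])
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:  # SRV
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            answers.append((prio, weight, port, _read_name(msg, off + 6)[0]))
        off += rdlen
    return flags & 0xF, answers
def explain(rcode, answers):  # the diagnosis an admin wants from the reply
    if rcode == 3:
        return "NXDOMAIN: resolver has no zone for the domain, so it cannot locate a DC"
    if rcode or not answers:
        return f"no SRV answer (rcode={rcode}); DC location falls back to NetBIOS/WINS"
    return "DC locator OK: " + ", ".join(f"{t}:{p}" for _, _, p, t in answers)
def dc_locator_check(domain, dns_server, timeout=2.0):  # live check against one resolver
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _enc(f"_ldap._tcp.dc._msdcs.{domain}") + struct.pack("!HH", 33, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (dns_server, 53))
        return explain(*parse_srv_answers(s.recv(512)))

# Constructed replies (not captured from the asker's network): internal DNS vs ISP resolver.
_Q = _enc("_ldap._tcp.dc._msdcs.local.mobileiq.biz") + struct.pack("!HH", 33, 1)
SAMPLE_OK = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + b"\xc0\x0c" + struct.pack("!HHIH", 33, 1, 600, 14)
             + struct.pack("!HHH", 0, 100, 389) + b"\x05pc012\xc0\x21")  # "pc012." + pointer to "local.mobileiq.biz"
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q
```

A resolver that answers NXDOMAIN here cannot locate a DC whatever LMHOSTS says, because LMHOSTS only feeds NetBIOS name lookups, not the DNS SRV query.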
