  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1647
granting local admin privileges fails using Computer Management, works using Control Panel

If anyone can explain why the following is true, I'd greatly appreciate it.  I've already wasted an embarrassing amount of time trying to get this working and only solved it by sheer accident.  But I have no idea why it works and would like to know in order to avoid making a similar mistake in the future.

We have a W2K DC, one domain and handful of W2K Pro workstations connected.  Everything works fine.  I've made virtually no changes to the default security policies (mostly out of ignorance).  I wanted to grant local admin privileges to myself and one other user, since we both do development.

Went to the individual PCs, logged in as admin, fired up Computer Management > Users & Groups and tried adding the two of us as domain users to the Administrators group.  Double-click on the Administrators group, click Add and one of two things happens.  Either the Look In drop-down was disabled so I couldn't add domain users, or else after picking the domain and user account and hitting OK, I get the following error message:

"Processing of xxx failed with the following error: the specified domain either does not exist or could not be contacted".  

Of course, I can still browse all the users in the domain it can't find, so it clearly knows about it and can see it.  I also have access to all the server resources, can log in as a domain user, etc.  Thinking there was some security policy being applied (maybe there is?), I hunted around for awhile and didn't come up with anything.  Again, we don't USE security policies since it's such a small network.  I finally just gave up on it.

Today, I happened to notice the Users & Passwords icon under Control Panel and opened it up on a whim.  I was able to add both domain users to the local admin group without a problem.  And they show up in the Computer Management console (although they can't be changed, see above).

So what exactly is the difference between these two approaches?

I thought the Computer Management console was exactly the same thing.  If not, what is it meant for?
2 Solutions
Rich Rumble (Security Samurai) commented:
They should be the same. The MMC snap-in, right-clicking My Computer and going to Manage, or using the Control Panel Users icon should all lead you to the same places really. Which Admin did you sign in as? Local or Domain? Shouldn't make any real difference, except when you sign in as Local-Admin (the local PC's Admin account) and you go to add a user to the Admin group that is on a domain, you may be prompted for a username and password. That should be the only difference in the process.  When a PC is joined to a domain, the Domain Admins group is by default added to the local Admin group of the PC. Any account in the Domain Admins group on the DCs will of course be an admin on any PC where Domain Admins are in the local admin group :) weeeeee.

Did you try the Advanced button? Then hit Find...?
http://support.microsoft.com/default.aspx?scid=kb;EN-US;272576 maybe? Are you patched to SP2 on all your Win2K machines?
You have to be a member of the local admin group to add more members.

As RICHRUMBLE commented there's a difference in which account you are using when logging on, local or domain?

Try the following:
1. Login as domain administrator
2. Start / Run
3. Input CMD
4. Press ENTER
6. Press ENTER

You have to logon as one of the mentioned present members to solve your problem.
Logoff and logon again.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open
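As an added example (not the posters' own steps), this PowerShell script does from a command prompt what Jorgen and Rich describe: it lists the current members of the local Administrators group, confirms the account running it is itself an administrator (you must be one to add members), and optionally adds a domain account. It uses the classic `net localgroup` command rather than the newer `Get-LocalGroupMember` cmdlets because `net localgroup` exists on every Windows version from NT onwards, so the same check runs on a W2K Pro box and a current workstation. `CONTOSO\devuser` is a placeholder, not an account from the thread.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# $Principal is a placeholder DOMAIN\user; replace it with the real account.
param(
    [string]$Principal = 'CONTOSO\devuser',
    [switch]$Add
)

function Get-LocalAdminMembers {
    # NET LOCALGROUP prints a header, a dashed separator, one member per line,
    # then "The command completed successfully."; keep only the member lines.
    # (The trailer text is localized; adjust the regex on non-English Windows.)
    $lines = net localgroup Administrators 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed: $lines" }
    $started = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $started = $true; continue }
        if (-not $started) { continue }
        if ($line -match '^The command completed') { break }
        if ("$line".Trim()) { "$line".Trim() }
    }
}

$members = @(Get-LocalAdminMembers)
Write-Host 'Current members of Administrators:'
$members | ForEach-Object { Write-Host "  $_" }

# Is the account running this script an administrator? Adding members
# requires it, which is the first thing to rule out when an Add fails.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object System.Security.Principal.WindowsPrincipal $me).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($me.Name); elevated administrator: $isAdmin"

if ($members -contains $Principal) {
    Write-Host "$Principal is already a member."
} elseif ($Add) {
    if (-not $isAdmin) { throw 'Must run as a local Administrator to add members.' }
    # The DOMAIN\user form makes the workstation contact a domain controller to
    # resolve the account's SID. "The specified domain either does not exist or
    # could not be contacted" at this step means DC location (DNS SRV lookup,
    # falling back to WINS/broadcast) failed, not the group operation itself.
    net localgroup Administrators $Principal /add
    if ($LASTEXITCODE -ne 0) { throw "Add failed (exit code $LASTEXITCODE)" }
    Write-Host "Added $Principal."
} else {
    Write-Host "$Principal is not a member; rerun with -Add to add it."
}
```

Running it without `-Add` is a read-only audit of who currently has local administrator rights, which is worth doing periodically on domain-joined workstations anyway: the Domain Admins group that lands in the local Administrators group at join time, as Rich notes, is exactly the kind of entry that tends to grow silently over time.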
There could be a difference in your domain policy (not added any), and your local policies (did you add any?)

Yes I know, domain policy always overrules local policy, but I'm not quite sure about a restriction in local policy, and the same restriction NOT set in domain policy ???

So try to find out...

Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.

"the specified domain either does not exist or could not be contacted" is probably a DNS problem. Are you suffering from long logon times as well?
The most important stuff in short: Make sure all your domain members (including the DNS server itself!) use *only* your internal DNS server; for internet lookups to work, delete the root zone (".") in your DNS as well and configure forwarders.
Here are some more details about this:

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS

Windows 2000 DNS and Active Directory Information and Technical Resources

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows 2000

HOW TO: Configure DNS for Internet Access in Windows 2000

Setting Up the Domain Name System for Active Directory

Troubleshooting Common Active Directory Setup Issues in Windows 2000

How to Verify the Creation of SRV Records for a Domain Controller
DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation
(Verifies that the Domain Name Service (DNS) infrastructure is sufficient for the Windows 2000 Active Directory)
Rich Rumble (Security Samurai) commented:
The "domain cannot be contacted" thing is DNS and WINS, as winblows will try to contact a DC with WINS (NetBIOS) queries if DNS fails... well, if you have your network settings set to do this. It can be disabled in your network TCP/IP settings (Advanced, WINS tab). Sometimes it's hard to account for that error; DNS will resolve as well as WINS but it will occur anyway. If you're not using a WINS server then it is a DNS failure, though typically even without a specified WINS server the broadcasts will be answered.
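The checks oBdA and Rich describe (which DNS servers the client really uses, whether a domain controller can be located, and whether the NetBIOS fallback is even enabled) can be scripted. The following is an added example, not code from the thread; `corp.example.com` is a placeholder for the AD DNS domain name. It needs Windows 8 / Server 2012 or later for the `Resolve-DnsName` and `Get-DnsClientServerAddress` cmdlets; on the W2K machines in the thread the equivalents are `ipconfig /all`, `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` and `nltest /dsgetdc:<domain>` from the Support Tools.

```powershell
# Added example, not from the thread. Checks whether a domain-joined
# workstation can locate a domain controller the way LSA and the MMC
# account picker do. $Domain is a placeholder.
param([string]$Domain = 'corp.example.com')

$report = [ordered]@{}

# 1. Which DNS servers is the client using? They should be *only* the
#    internal AD DNS server(s); an ISP resolver knows nothing about the domain.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { "$($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }
$report['DNS servers'] = $servers -join '; '

# 2. Can the client resolve the DC locator SRV record? This is what the join,
#    logon and account-lookup code paths use; a plain A record or LMHOSTS entry
#    for the domain name lets you ping it but does not locate a DC.
#    -DnsOnly bypasses the hosts file, LLMNR and NetBIOS so the result is DNS alone.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $dcs = Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { "$($_.NameTarget):$($_.Port)" }
    $report['DC SRV record'] = if ($dcs) { $dcs -join ', ' } else { 'no SRV answers' }
} catch {
    $report['DC SRV record'] = "FAILED: $($_.Exception.Message)"
}

# 3. Ask the DC locator itself. A failure here is what surfaces as "the
#    specified domain either does not exist or could not be contacted".
$nl = nltest /dsgetdc:$Domain 2>&1
$report['nltest /dsgetdc'] = if ($LASTEXITCODE -eq 0) {
    ($nl | Where-Object { $_ -match '^\s*DC:' } | ForEach-Object { "$_".Trim() }) -join ' '
} else {
    "FAILED (exit $LASTEXITCODE): $($nl -join ' ')"
}

# 4. Is NetBIOS over TCP/IP (the WINS/broadcast fallback) enabled on each adapter?
#    TcpipNetbiosOptions: 0 = use DHCP setting (default), 1 = enabled, 2 = disabled.
$nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "$($_.Description): TcpipNetbiosOptions=$($_.TcpipNetbiosOptions)" }
$report['NetBIOS over TCP/IP'] = $nbt -join '; '

$report.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
```

If step 1 shows an external resolver and step 2 fails while step 3 still succeeds, the workstation is finding the DC through NetBIOS only, which is the situation the original poster ends up diagnosing below: everything that relies on the NetBIOS name works, and anything that needs the DNS-based locator fails.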
zdigriz (Author) commented:
Sorry for the lag, everyone.  My email was inadvertently flagging stuff from EE as already read.

To respond to the previous comments and questions:

1.  This is a fresh install of W2K Pro w/SP4.  The DC is also running W2K SP4.
2.  I'm logging onto the machine as local admin, but had the same problem logging on as a domain admin.
3.  Running the NET GROUP ADMINISTRATORS command verifies that "administrator" (my local admin) is part of the group.
4.  We're running WINS to identify the server; DNS for TCP/IP requests.  Both are served by the DC.  I don't think DNS is an issue as I have access to all other network resources, internet, etc.

> The "domain cannot be contacted" thing is DNS and WINS, as winblows will try to contact a DC with wins (netbios) queries
> if DNS fails... well if you have your network settings set to do this. It can be disabled in your network TCP/IP settings.
> (advanced, wins tab). Sometimes it's hard to account for that error, DNS will resolve as well as Wins but it will occur
> anyway. If your not using a wins server then it is a DNS failure, still typically even with out a specified wins server the
> broadcasts will be answered.

This is an interesting thought, though.  I'm thinking our DNS server might not be resolving internal DNS requests properly.  I recall having some difficulty setting it up initially and, since we were falling back to WINS with just the one server to identify, never bothered to verify it was working.  If it's working properly with WINS, I'd never have known the DNS requests were failing.

I'll check that later this afternoon as well as checking Group Policy restrictions.  Thanks everyone!

> http://support.microsoft.com/default.aspx?scid=kb;EN-US;272576 maybe? are you patched to SP2 on all your win2k
Yep, everything's on SP4 and using an aclui.dll dated from 2003.

> Did you try the Advanced button? then hit Find...?
Umm, where is the Advanced | Find button?

Rich Rumble (Security Samurai) commented:
Oops... I've been using XP for too long... but it's in Management in XP as well as when you are adding people to the NTFS permissions.

Click Add; "Advanced..." is at the bottom left, then you can click "Find Now".  Anyway, sorry about that.
zdigriz (Author) commented:
Well, there's definitely a problem with the DNS server - apparently I'm not using one.  ;-)

This server used to be in an office with 15+ machines and was running DNS.  Apparently, after it worked its way into my private setup, I removed DNS entirely (not entirely sure why) and am just using the DNS servers from our ISP.  Which of course know absolutely nothing about local.mobileiq.biz, which is the domain all the workstations are connected through.

I'd gotten so used to the NetBIOS name for the server (PC012), I just added it to the local LMHOSTS file on the three machines I use regularly nowadays.  It's a little bit odd that I've never come across a need to access the server through "local.mobileiq.biz" after more than a year, but...

From my original question, that seems to imply the two different paths use different name resolution methods.  Even after adding "local.mobileiq.biz" to the workstations' LMHOSTS file, the MMC snap-in generates the same error, although it can now be pinged from the workstation.

I'm reluctant to install and configure DNS on the server just to test my theory about name resolution, but I'm satisfied it would work if I did and would fix my problem.  It worked under the previous configuration.  With that in mind, I'm going to split the points between oBda and richrumble (if I can), otherwise to oBda for a slightly quicker response.

Wow - I just noticed both of you guys are side by side in the rankings.  Thanks again for the help.