Solved

granting local admin privileges fails using Computer Management, works using Control Panel

Posted on 2004-04-07
1,638 Views
Last Modified: 2013-12-04
If anyone can explain why the following is true, I'd greatly appreciate it.  I've already wasted an embarrassing amount of time trying to get this working and only solved it by sheer accident.  But I have no idea why it works and would like to know in order to avoid making a similar mistake in the future.

We have a W2K DC, one domain and a handful of W2K Pro workstations connected.  Everything works fine.  I've made virtually no changes to the default security policies (mostly out of ignorance).  I wanted to grant local admin privileges to myself and one other user, since we both do development.

Went to the individual PCs, logged in as admin, fired up Computer Management > Users & Groups and tried adding the two of us as domain users to the Administrators group.  Double-click on the Administrators group, click Add and one of two things happens.  Either the Look In drop-down is disabled so I can't add domain users, or else after picking the domain and user account and hitting OK, I get the following error message:

"Processing of xxx failed with the following error: the specified domain either does not exist or could not be contacted".  

Of course, I can still browse all the users in the domain it can't find, so it clearly knows about it and can see it.  I also have access to all the server resources, can log in as a domain user, etc.  Thinking there was some security policy being applied (maybe there is?), I hunted around for awhile and didn't come up with anything.  Again, we don't USE security policies since it's such a small network.  I finally just gave up on it.

Today, I happened to notice the Users & Passwords icon under Control Panel and opened it up on a whim.  I was able to add both domain users to the local admin group without a problem.  And they show up in the Computer Management console (although they can't be changed, see above).

So what exactly is the difference between these two approaches?

I thought the Computer Management console was exactly the same thing.  If not, what is it meant for?
Question by:zdigriz
9 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10780020
They should be the same. The MMC snap-in, or right-clicking My Computer and going to Manage, or using the Control Panel Users icon, should all lead you to the same places, really. Which Admin did you sign in as? Local or Domain? Shouldn't make any real difference, except when you sign in as Local-Admin (local PC's Admin account) and you go to add a user to the Admin group that is on a domain, you may be prompted for a username and password. That should be the only difference in the process.  When a PC is joined to a domain, the Domain Admins group is by default added to the local Admin group of the PC. Any account in the Domain Admins group on the DCs will of course be an admin on any PC where domain admins are in the local admin group :) weeeeee.

Did you try the Advanced button? then hit Find...?
http://support.microsoft.com/default.aspx?scid=kb;EN-US;272576 maybe? are you patched to SP2 on all your win2k
GL!
-rich
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10781431
You have to be a member of the local admin group to add more members.

As RICHRUMBLE commented there's a difference in which account you are using when logging on, local or domain?

Try the following:
1. Login as domain administrator
2. Start / Run
3. Input CMD
4. Press ENTER
5. Input NET LOCALGROUP ADMINISTRATORS
6. Press ENTER

You have to log on as one of the present members listed to solve your problem.
Log off and log on again.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
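An added example (not part of the thread, and not Microsoft's tooling) that scripts the NET LOCALGROUP check from the steps above: it parses the output of `net localgroup Administrators`, separates domain accounts (DOMAIN\name) from local SAM accounts, and reports whether a given account is already a direct member, which is the least-privilege audit one would run after handing developers local admin. It assumes an elevated Windows PowerShell prompt on the domain-joined workstation and English `net` output; the NetBIOS domain name `LOCAL` and the user names in the usage lines are placeholders, since the thread only gives the DNS domain name.

```powershell
# Added example: audit the local Administrators group the way the NET LOCALGROUP
# step does, as a reusable script. Not code from the thread or from Microsoft.
# Assumes Windows PowerShell, an elevated prompt, and English "net" output (the
# trailing status line is matched in English).

function Get-LocalAdministrators {
    # net localgroup prints a header, a dashed separator, one member per line,
    # then "The command completed successfully."
    $lines = @(net localgroup Administrators 2>&1 | ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup failed (exit code $LASTEXITCODE): $($lines -join ' ')"
    }

    $members = @()
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}$') { $inList = $true; continue }   # separator: members follow
        if (-not $inList) { continue }
        if ($line -match '^\s*$' -or $line -match '^The command completed') { break }
        $name = $line.Trim()
        # Members are listed as "user" (local SAM account) or "DOMAIN\user".
        $scope = if ($name -match '\\') { 'Domain' } else { 'Local' }
        $members += [pscustomobject]@{ Name = $name; Scope = $scope }
    }
    return $members
}

function Test-LocalAdministrator {
    # True if the account (local name or DOMAIN\name) is a direct member.
    # Nested group membership is not expanded, just as NET LOCALGROUP does not.
    param([Parameter(Mandatory)][string]$Account)
    $hit = Get-LocalAdministrators | Where-Object { $_.Name -ieq $Account }
    return [bool]$hit
}

# Usage: list members, then check the two developer accounts the question is
# about. "LOCAL", "zdigriz" and "otherdev" are placeholders.
Get-LocalAdministrators | Format-Table -AutoSize
foreach ($acct in 'LOCAL\zdigriz', 'LOCAL\otherdev') {
    if (Test-LocalAdministrator -Account $acct) {
        "$acct is a local administrator"
    } else {
        "$acct is NOT a local administrator"
    }
}
```

On current Windows the `Get-LocalGroupMember Administrators` cmdlet gives the same list with SIDs and object classes; the `net localgroup` parsing is used here only because it is what the thread's Windows 2000 machines actually have.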
 
LVL 12

Expert Comment

by:trywaredk
ID: 10781449
There could be a difference in your domain policy (not added any), and your local policies (did you add any?)

Yes I know, domain policy always overrules local policy, but I'm not quite sure about a restriction in local policy, and the same restriction NOT set in domain policy ???

So try to find out...

Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

0
 
LVL 82

Accepted Solution

by:
oBdA earned 125 total points
ID: 10782011
"the specified domain either does not exist or could not be contacted" is probably a DNS problem. Are you suffering from long logon times as well?
The most important stuff in short: Make sure all your domain members (including the DNS server itself!) use *only* your internal DNS server; for internet lookups to work, delete the root zone (".") in your DNS as well and configure forwarders.
Here are some more details about this:

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Windows 2000 DNS and Active Directory Information and Technical Resources
http://support.microsoft.com/?kbid=298448

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows 2000
http://support.microsoft.com/?kbid=316341

HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?kbid=300202

Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/?kbid=237675

Troubleshooting Common Active Directory Setup Issues in Windows 2000
http://support.microsoft.com/?kbid=260371

How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?kbid=241515
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10782216
DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation
(Verifies that the Domain Name Service (DNS) infrastructure is sufficient for the Windows 2000 Active Directory)
http://support.microsoft.com/default.aspx?scid=kb;en-us;265706
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 10783424
The "domain cannot be contacted" thing is DNS and WINS, as winblows will try to contact a DC with WINS (NetBIOS) queries if DNS fails... well, if you have your network settings set to do this. It can be disabled in your network TCP/IP settings (Advanced, WINS tab). Sometimes it's hard to account for that error; DNS will resolve as well as WINS but it will occur anyway. If you're not using a WINS server then it is a DNS failure; still, typically even without a specified WINS server the broadcasts will be answered.
-rich
0
 

Author Comment

by:zdigriz
ID: 10805615
Sorry for the lag, everyone.  My email was inadvertently flagging stuff from EE as already read.

To respond to the previous comments and questions:

richrumble:

1.  This is a fresh install of W2K Pro w/SP4.  The DC is also running W2K SP4
2.  I'm logging onto the machine as local admin, but had the same problem logging on as a domain admin
3.  Running the NET GROUP ADMINISTRATORS command verifies that "administrator" (my local admin) is part of the group
4.  We're running WINS to identify the server; DNS for TCP/IP requests.  Both are served by the DC.  I don't think DNS is an issue as I have access to all other network resources, internet, etc.

> The "domain cannot be contacted" thing is DNS and WINS, as winblows will try to contact a DC with wins (netbios) queries
> if DNS fails... well if you have your network settings set to do this. It can be disabled in your network TCP/IP settings.
> (advanced, wins tab). Sometimes it's hard to account for that error, DNS will resolve as well as Wins but it will occur
> anyway. If you're not using a wins server then it is a DNS failure, still typically even without a specified wins server the
> broadcasts will be answered.

This is an interesting thought, though.  I'm thinking our DNS server might not be resolving internal DNS requests properly.  I recall having some difficulty setting it up initially and, since we were falling back to WINS with just the one server to identify, I never bothered to verify it was working.  If it's working properly with WINS, I'd never have known the DNS requests were failing.

I'll check that later this afternoon as well as checking Group Policy restrictions.  Thanks everyone!

> http://support.microsoft.com/default.aspx?scid=kb;EN-US;272576 maybe? are you patched to SP2 on all your win2k
Yep, everything's on SP4 and using an aclui.dll dated from 2003.

> Did you try the Advanced button? then hit Find...?
Umm, where is the Advanced | Find button?

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10805695
Oops... I've been using XP for too long... but it's in Management in XP as well as when you are adding people to the NTFS permissions.

Click Add; "Advanced..." is at the bottom left, then you can click "Find Now".  Anyway, sorry about that.
-rich
0
 

Author Comment

by:zdigriz
ID: 10808136
Well, there's definitely a problem with the DNS server - apparently I'm not using one.  ;-)

This server used to be in an office with 15+ machines and was running DNS.  Apparently, after it worked its way into my private setup, I removed DNS entirely (not entirely sure why) and am just using the DNS servers from our ISP.  Which of course know absolutely nothing about local.mobileiq.biz, which is the domain all the workstations are connected through.

I'd gotten so used to the NetBIOS name for the server (PC012), I just added it to the local LMHOSTS file on the three machines I use regularly nowadays.  It's a little bit odd that I've never come across a need to access the server through "local.mobileiq.biz" after more than a year, but...

From my original question, that seems to imply the two different paths use different name resolution methods.  Even after adding "local.mobileiq.biz" to the workstations' LMHOSTS file, the MMC snap-in generates the same error, although it can now be pinged from the workstation.

I'm reluctant to install and configure DNS on the server just to test my theory about name resolution, but I'm satisfied it would work if I did and would fix my problem.  It worked under the previous configuration.  With that in mind, I'm going to split the points between oBdA and richrumble (if I can), otherwise to oBdA for a slightly quicker response.

Wow - I just noticed both of you guys are side by side in the rankings.  Thanks again for the help.

Cheers,
Chris
0
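As an added example (not from the thread and not Microsoft's code), here is the DNS check that oBdA's accepted answer and zdigriz's final comment point at, scripted: it lists the DNS servers each adapter is configured with, flags any that are not the internal server, and queries the domain's DC locator SRV record (the kind of record KB 241515 above is about) with nslookup, which ships with Windows 2000 as well as current Windows. A workstation pointed at the ISP's resolvers, as zdigriz's turned out to be, fails the SRV check even though internet lookups and NetBIOS/LMHOSTS resolution still work, which is the combination of symptoms in the question. Assumptions: Windows PowerShell 3 or later (for Get-CimInstance) and English nslookup output; local.mobileiq.biz is the domain named in the thread, and 192.0.2.10 is a placeholder for the internal DNS server's address.

```powershell
# Added example: check that this domain member can find a domain controller
# through DNS, and that it uses only the internal DNS server as oBdA advises.
# Not code from the thread or from Microsoft. Assumes Windows PowerShell 3+
# (Get-CimInstance) and English nslookup output.

function Get-ClientDnsServers {
    # DNS servers configured on every IP-enabled adapter, de-duplicated.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder } |
        Where-Object { $_ } |
        Select-Object -Unique
}

function Get-DcLocatorHosts {
    # Query the DC locator record _ldap._tcp.dc._msdcs.<domain>. Every domain
    # member asks for this record to find a DC; a resolver that does not host
    # the AD zone (an ISP's DNS, for instance) answers "non-existent domain".
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$DnsServer                      # optional: ask a specific server
    )
    $record = "_ldap._tcp.dc._msdcs.$Domain"
    $nsArgs = @('-type=SRV', $record)
    if ($DnsServer) { $nsArgs += $DnsServer }

    $dcNames = @()
    foreach ($line in (nslookup @nsArgs 2>&1)) {
        # nslookup prints one "svr hostname = dc.fqdn" line per SRV answer
        if ("$line" -match 'svr hostname\s*=\s*(\S+)') { $dcNames += $Matches[1] }
    }
    return $dcNames
}

function Test-DcLocatorDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string[]]$InternalDns   # server(s) hosting the AD zone
    )
    $configured = @(Get-ClientDnsServers)
    $foreign    = @($configured | Where-Object { $InternalDns -notcontains $_ })
    $dcHosts    = @(Get-DcLocatorHosts -Domain $Domain)

    [pscustomobject]@{
        Domain          = $Domain
        ConfiguredDns   = $configured -join ', '
        ForeignDns      = $foreign -join ', '        # non-empty: outside resolvers in use
        OnlyInternalDns = ($configured.Count -gt 0 -and $foreign.Count -eq 0)
        DcHosts         = $dcHosts -join ', '
        CanLocateDc     = ($dcHosts.Count -gt 0)     # $false matches "domain ... could not be contacted"
    }
}

# Usage with placeholder values: local.mobileiq.biz is the thread's domain,
# 192.0.2.10 stands in for the internal DNS server.
Test-DcLocatorDns -Domain 'local.mobileiq.biz' -InternalDns @('192.0.2.10') | Format-List
```

Run it on a workstation and on the DC itself; oBdA's point is that both must list only the internal server, with internet names handled by forwarders on that server rather than by putting the ISP's resolvers on the clients. `CanLocateDc` being false while `ping` of the server name succeeds is exactly the LMHOSTS-but-no-DNS state zdigriz describes.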
