Solved

Adding Domain User to local Administrators Group in XP.  Active Directory under 2000 Server.

Posted on 2004-08-26
9
199 Views
Last Modified: 2010-04-12
I am trying to add the domain account to the local administrators group on an XP machine, which is under a 2000 Server running Active Directory.

Basically, when a user logs in using his/her domain account he/she must be a local administrator, but not a Domain Administrator.

On the XP machine, I goto computer management -> Groups -> right-click Administrators -> Add to Group -> Add.

Then, I try adding "DOMAIN\user", and I get "The object named "DOMAIN\user" is not from a domain listed in the Select Location dialog box, and is therefore not valid."

Basically, it cannot see the Domain, even though I have joined the domain, and am able to login to the domain.

I can login as Domain Administor, local Administrator, or Domain User, and in no case can I get this to work.  I have also searched google, and found that DNS can cause this.  I have verified that the Netbios name of the 2000 server resolves.  The Netbios name for the XP machine was also already created in Active Directory after joining the domain.

What is wrong?  BTW this is XP Professional.
0
Comment
Question by:shaggy112
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11908098
Hi

Make sure that your dns server is pointing to itself as preferred dns server in tcp/ip and make sure that your client is also pointing to the servers IP as preferred dns server - see if that helps at all,

Deb :))
0
 

Author Comment

by:shaggy112
ID: 11908170
It is, but thanks for the suggestion!
0
 
LVL 2

Accepted Solution

by:
garyy earned 250 total points
ID: 11910804
Can you check your Administrators group. Is there any funny S-1-5 type numbers in here. If so, then your machine didn't join the domain properly. I suggest you check your DNS settings and rejoin the domain

Check DNS is work by doing the following:
From the XP machine
Go to a command prompt (start run cmd and enter)
type nslookup and enter
You should get something similar to this:
Default Server:  domain.microsoft.com
Address:  192.168.0.1
>
now type in the domain computername
>  microsoftserver
This should resolve the dns for the domain name.

If you can do this, you should be able to add accounts to the domain.
If you can't, then you may well have some dns settings configured incorrectly.

Hope this helps
Thanks
Gary

0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11911179
Hi

You can also check that the internet connection firewall isn't enabled on the XP client if you haven't already done so - Uncheck it in the advanced tab on tcp/ip properties on the XP's lan connection. Also when you start nslookup if it doesn't find the server name for your dc, make sure you have a reverse lookup zone configured in dns on the server containing a pointer record for your server.

I have to concur with Gary though - sounds like it's not correctly joined to the domain,

Deb :))

0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:shaggy112
ID: 11912571
Thanks for the reply's.

I actually can forward and reverse lookup the name of the domain controller from the clients.

I am however getting the strange "S-1-5....".

Is this absolutely a dns issue, or could I be missing something else?

Thanks.
0
 
LVL 2

Expert Comment

by:garyy
ID: 11912797
If you are getting the "S-1-5..." then you do definately need to re-join the domain.

Thanks
Gary
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11913174
Hi
Does this PC think that it's part of the domain? - As Gary has said - Disjoin it, make sure internet connection firewall is definitely disabled, and then rejoin it. The "S-1-5" that you're getting is an unresolvable sid for a user account - All domain accounts have a unique sid (security identifier) - and these then resolve to an actual domain user name like Administrator, Joe Bloggs etc. When they can't be resolved you just get the "S-1-5..." sid account number which basically means that you are not joined to this domain, well at least not properly. How did you join the domain in the first place?

Deb :))
0
 

Author Comment

by:shaggy112
ID: 11915639
I joined the domain by.....

System -> Computer Name
Named the computer
Put in the domain
-> Change.

Then restarted.
0
 
LVL 3

Expert Comment

by:JonIU17
ID: 11918520
Control Panel, User Accounts, Add.  Type the usename, domain, and select other - Administrators.  That should do it.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

What does UTC stand for?  “Coordinated Universal Time” – Think of this as the true time on Planet Earth that never changes with the exception of minor leap seconds here and there to account for the changes in the planet's rotation.   What does th…
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now