Domain Admins Group

Hi. I had installed and configured Win2003 Standard Server in the Domain Controller role on our network. I created the OUs and created domain and terminal users. Everything was working fine. But later on, I tried to configure VPN settings via the "Routing and Remote Access" window. I could not get this connection to work, and it was not really important to me, so I gave up trying. But later on, I saw that WinXP clients could not join this domain. It was giving a "domain not found" error. Then I checked my settings and saw that NetBIOS over TCP/IP was disabled under the WINS configuration tab. I think the VPN wizard did it. I have checked it. Now I can see the login window when I try to add the client to the domain in the client setup process. But none of the clients, except administrator, can log in to the domain controller. Now, if I add client users to the Domain Admins group, clients can log in to the domain controller (in the setup process). Should I add all of my clients to this Domain Admins group? Considering security, should I do it? Or why can't users log in to the domain controller after the VPN setup wizard? (VPN is not enabled.) What did the VPN wizard change during the setup or installation process? Everything was working perfectly before it.

Thanks.
Asked by: gokhanoz
 
ingetic commented:
Why do you need your clients to connect directly to the DC?
 
gokhanoz (author) commented:
I am not an expert on Windows 2003. How is it supposed to be?
 
CoccoBill commented:
Absolutely do not add all users to Domain Admins. Before we can help you we need to understand what you want to accomplish. What do you mean by "login to the domain controller" and why do the clients need to do that?
 
gokhanoz (author) commented:
OK, here is what I am currently doing. Please correct me. I created a domain controller, and I created OUs under this domain. The domain is a local domain like domain1.local. My aim is to prohibit users from changing the critical settings on their WinXP machines. So I am creating Security Policies under the OUs and creating users (not computers) under these OUs. I assume that, when I create a user under an OU, I should apply a certain setting on the clients for them to be part of this local domain. This setting on the client is: System > Computer Name > Member of Domain > Domain name. When I click the OK button, a login window appears and I enter the user's user name and password here. I provide this user name and password in the OU's add-user setup. If the information is correct, a confirmation window appears and I restart the computer, then enter the user name and password, so the system that I am on is part of my local domain with certain security policies applied, like "Prohibit access to Control Panel", or some login scripts.

So what I meant by "login to the domain controller" is the login screen that appears when I click the OK button under Computer Name > Member of Domain > Domain name.

Now, am I using the right way or the wrong way?
 
CoccoBill commented:
OK, I understand. The process you are talking about is called adding the workstations to the domain; in essence, what you're doing is creating computer accounts for the workstations. You can find them in the AD Users and Computers tool under \Computers.

In the default configuration, all user accounts can add 10 machines to the domain; domain administrators can do it without limitations. Normally you would want to revoke the right from normal users and use a privileged account to add them. In this case the easiest solution for you would be to use an administrator account instead of the user's account; it doesn't matter which account you use as long as it has the required permissions to do it.
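
An audit of the two settings discussed in this thread, the per-user machine-join quota and Domain Admins membership, as an added example that is not part of the original posts. It assumes a management host with the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the `$ExpectedAdmins` allow-list and the function names are hypothetical.

```powershell
# Added example: audit the machine-join quota and Domain Admins membership.
# Assumes the ActiveDirectory module (RSAT) is installed on the host running this.
Import-Module ActiveDirectory

# Hypothetical allow-list: the accounts that are supposed to be Domain Admins.
$ExpectedAdmins = @('Administrator')

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota is stored on the domain head object; default is 10.
    $domainDn = (Get-ADDomain).DistinguishedName
    $obj = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
    [int]$obj.'ms-DS-MachineAccountQuota'
}

function Get-UnexpectedDomainAdmins {
    param([string[]]$Expected)
    # -Recursive expands nested groups so indirect members are reported too.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $Expected -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, objectClass, distinguishedName
}

$quota = Get-MachineAccountQuota
if ($quota -gt 0) {
    Write-Warning "Each ordinary user account can add up to $quota machines to the domain."
    # To revoke that right from normal users (run as a domain administrator):
    # Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

$extra = @(Get-UnexpectedDomainAdmins -Expected $ExpectedAdmins)
if ($extra.Count -gt 0) {
    Write-Warning 'Accounts in Domain Admins that are not on the expected list:'
    $extra | Format-Table -AutoSize
}
```

Any ordinary user account that shows up in the second report was most likely added as a workaround for joining machines and should be removed from the group.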
 
gokhanoz (author) commented:
OK, but creating users is done by the administrator, and machine setup is done by the machine's administrator. So why should I add the user to the Domain Admins group to set up the machine? Why isn't the Domain User group enough?
 
CoccoBill commented:
The machine local administrator does not have privileges in the domain; you will have to use a domain administrator account. Furthermore, do not make the user accounts administrators; use the same admin account to add each workstation.
 
vmaheen commented:
Hi friend,

I think that's not a VPN problem.

Your question is why a workstation cannot be added to the domain using a domain user account? Am I correct?
When connecting a workstation to the domain, you need to log in to the connection wizard with Administrator (or administrator group) or an Account Operator group member. That is only to create the computer account in AD. (That is the theory.)

But after connecting the workstation to the domain, users can log in to the domain with their domain user accounts.

Maheen
 
gokhanoz (author) commented:
OK, now I understand the point. When I try to add the machine to the domain, I should use the administrator user name and password. Later on, during system login, users can use their own user names and passwords. Right?
 
e-ryno commented:
You got it now.
 
gokhanoz (author) commented:
Thanks for all
 
vmaheen commented:
ok you are welcome :)

and thanks for points.

Maheen