gokhanoz

asked on

Domain Admins Group

Hi. I installed and configured a Win2003 Standard Server in the Domain Controller role in our network. I created the OUs and created domain and terminal users. Everything was working fine. But later on, I tried to configure VPN settings via the "Routing and Remote Access" window. I could not get this connection to work, and it was not really important to me, so I gave up trying. But later on, I saw that WinXP clients could not join this domain. It was giving a "domain not found" error. Then I checked my settings and saw that NetBIOS over TCP/IP was disabled under the WINS configuration tab. I think the VPN wizard did it. I have checked it. Now I can see the login window when I try to add the client to the domain in the client setup process. But none of the clients except administrator can log in to the domain controller. Now, if I add client users to the Domain Admins group, clients can log in to the domain controller (in the setup process). Should I add all of my clients to this Domain Admins group? Considering the security, should I do it? Or why can't users log in to the domain controller after the VPN setup wizard? (VPN is not enabled.) What did the VPN wizard change during the setup or installation process? Everything was working perfectly before it.

Thanks.
Ludovick Lagrevol

Why do you need your clients to connect directly to the DC?
gokhanoz

ASKER

I am not an expert on Windows 2003. How is it supposed to be?
Absolutely do not add all users to Domain Admins. Before we can help you we need to understand what you want to accomplish. What do you mean by "login to the domain controller" and why do the clients need to do that?
OK, here is what I am currently doing. Please correct me. I created a domain controller, and I created OUs under this domain. The domain is a local domain like domain1.local. My aim is to prohibit users from changing the critical settings on their WinXP machines. So I am creating security policies under the OUs and creating users (not computers) under these OUs. I assume that, when I create a user under this OU, I should apply a certain setting on the client for it to be a part of this local domain. This setting on the client is: System > Computer Name > Member of Domain > Domain name. When I click the OK button, a login window appears and I enter the user's user name and password here. I provide this user name and password in the add-user setup under the OU. If the information is correct, a confirmation window appears and I restart the computer, then enter the user name and password, so the system that I am on is a part of my local domain with the applied security policies like "Prohibit to access Control Panel" or some login scripts.

So what I meant by "login to the domain controller" is the login screen that appears when I click the OK button under Computer Name > Member of Domain > Domain name.

Now, am I using the right way or the wrong way?
OK, I understand. The process you are talking about is called adding the workstations to the domain. In essence, what you're doing is creating computer accounts for the workstations; you can find them in the AD Users and Computers tool under \Computers.

In the default configuration, all user accounts can add 10 machines to the domain; domain administrators can do it without limitations. Normally you would want to revoke the right from normal users and use a privileged account to add them. In this case the easiest solution for you would be to use an administrator account instead of the user's account. It doesn't matter which account you use as long as it has the required permissions to do it.
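
A read-only audit of the settings discussed above, as an added example that is not part of the original thread: it reads the per-user join quota, lists who actually holds Domain Admins, and shows which computer accounts were joined by ordinary users. It assumes a management host with the ActiveDirectory PowerShell module that can query the domain, which the thread does not mention.

```powershell
# Added example: read-only audit. Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. How many machines an ordinary user may join (default 10; 0 revokes the right).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# 2. Who is in Domain Admins. The group is looked up by its well-known RID (512)
#    so the check also works where the group has been renamed or localized.
$domainAdminsSid = "$($domain.DomainSID.Value)-512"
Get-ADGroupMember -Identity $domainAdminsSid -Recursive |
    Select-Object Name, SamAccountName, objectClass |
    Format-Table -AutoSize

# 3. Computer accounts created by users exercising the quota.
#    AD stores the creating account's SID in ms-DS-CreatorSID on those objects.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        # The creating account may have been deleted since; keep the raw SID in that case.
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = "$sid (unresolved)" }
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; Created = $_.whenCreated }
    } |
    Sort-Object JoinedBy, Created |
    Format-Table -AutoSize
```

Any ordinary user account that shows up in step 2 only because it was needed to join a workstation is a candidate for removal once joins are done with a privileged account.
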
OK, but creating users is done by the administrator, and machine setup is done by the machine's administrator. So why should I add the user to the Domain Admins group to set up the machine? Why isn't the Domain User group enough?
SOLUTION
CoccoBill
ASKER CERTIFIED SOLUTION
OK, now I understand the point. When I try to add the machine to the domain, I should use the administrator user name and password. Later on, during the system login, users can use their own user names and passwords. Right?
You got it now.
Thanks for all
OK, you are welcome :)

and thanks for points.

Maheen