Domain Admins Group

Hi. I had installed and configured Win2003 Standard Server in a Domain Controller role in our network. I created the OUs and created domain and terminal users. Everything was working fine. But later on, I tried to configure VPN settings via the "Routing and Remote Access" window. I could not get this connection to work, and it was not really important for me, so I gave up trying. But later on, I saw that WinXP clients could not join this domain. It was giving a "domain not found" error. Then I checked my settings and saw that NetBIOS over TCP/IP was disabled under the WINS configuration tab. I think the VPN wizard did it. I have checked it. Now I can see the login window when I try to add the client to the domain in the client setup process. But none of the clients, except administrator, can log in to the domain controller. Now, if I add client users to the Domain Admins group, clients can log in to the domain controller (in the setup process). Should I add all of my clients to this Domain Admins group? Considering security, should I do it? Or why can't users log in to the domain controller after the VPN setup wizard? (VPN is not enabled.) What did the VPN wizard change during the setup or installation process? Everything was working perfectly before it.

Why do you need your clients to connect directly to the DC?

gokhanoz (Author) commented:
I am not an expert on Windows 2003. How is it supposed to be?

Absolutely do not add all users to Domain Admins. Before we can help you we need to understand what you want to accomplish. What do you mean by "login to the domain controller" and why do the clients need to do that?

gokhanoz (Author) commented:
OK, here is what I am currently doing. Please correct me. I created a domain controller, and I created OUs under this domain. The domain is a local domain like domain1.local. My aim is to prohibit users from changing the critical settings on their WinXP machines. So I am creating Security Policies under the OUs and creating users (not computers) under these OUs. I assume that, when I create a user under an OU, I should apply a certain setting on the clients for them to be a part of this local domain. This setting on the client is: System > Computer Name > Member of Domain > Domain name. When I click the OK button, a login window appears and I enter the user's user name and password here. I provide this user name and password in the OU's add user setup. If the information is correct, a confirmation window appears and I restart the computer, then enter the user name and password, so the system that I am on is a part of my local domain with certain security policies applied, like "Prohibit to access Control Panel" or some login scripts.

So what I meant by "login to the domain controller" is the login screen when I click OK button under the Computer Name > Member of Domain > Domain name.

Now, am I using the right way or the wrong way?

OK, I understand. The process you are talking about is called adding the workstations to the domain; in essence, what you're doing is creating computer accounts for the workstations. You can find them in the AD Users and Computers tool under \Computers.

In the default configuration, all user accounts can add 10 machines to the domain; domain administrators can do it without limitations. Normally you would want to revoke the right from normal users and use a privileged account to add them. In this case the easiest solution for you would be to use an administrator account instead of the user's account; it doesn't matter which account you use as long as it has the required permissions to do it.

gokhanoz (Author) commented:
OK, but creating users is done by the administrator and machine setup is done by the machine's administrator. So why should I add the user to the Domain Admins group to set up the machine? Why isn't the Domain Users group enough?

The machine local administrator does not have privileges in the domain; you will have to use a domain administrator account. Furthermore, do not make the user accounts administrators; use the same admin account to add each workstation.
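
The following is an added example, not part of the thread: a read-only audit of the two settings discussed above, the per-user join limit (stored in the `ms-DS-MachineAccountQuota` attribute on the domain object) and the membership of Domain Admins. It assumes a management host with the ActiveDirectory PowerShell module that can reach the domain; `$ExpectedAdmins` is a hypothetical allow-list to edit for your environment.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: the accounts that are meant to be in Domain Admins. Edit for your domain.
$ExpectedAdmins = @('Administrator')

$domain = Get-ADDomain

# ms-DS-MachineAccountQuota on the domain head object is the per-user limit on
# workstation joins by non-administrators (default 10).
$head  = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'

# Expand nested groups so indirect membership is reported too.
$members    = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
$unexpected = @($members | Where-Object { $ExpectedAdmins -notcontains $_.SamAccountName })

"Domain:                 $($domain.DNSRoot)"
"Machine account quota:  $quota"
if ($quota -gt 0) {
    "  -> ordinary users can still join up to $quota computers each"
}
"Domain Admins members:  $($members.Count)"
foreach ($m in $unexpected) {
    "  -> unexpected member: $($m.SamAccountName) ($($m.objectClass))"
}

# Remediation, left commented out so the script is read-only by default:
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
# $unexpected | ForEach-Object {
#     Remove-ADGroupMember -Identity 'Domain Admins' -Members $_ -Confirm:$true
# }
```

Setting the quota to 0 means only accounts with delegated or administrative rights can join workstations, which matches the advice to use one privileged account for joins.
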
Hi friend,

I think that's not a VPN problem.

Your question is why a workstation cannot be added to the domain using a domain user's account? Am I correct?
When connecting a workstation to the domain, you need to log in to the connection wizard with Administrator (or administrator group) or an Account Operators group member. That's only to create the computer account in AD. (That is the theory.)

But after connecting the workstation to the domain, users can log in to the domain with their domain user accounts.


gokhanoz (Author) commented:
OK, now I understand the point. When I try to add the machine to the domain, I should use the administrator user name and password. Later on, during the system login, users can use their own user names and passwords. Right?

You got it now.

gokhanoz (Author) commented:
Thanks for all

OK, you are welcome :)

And thanks for the points.
