dmorr
asked on
group/user not displayed when adding local group on windows 2008
I have a Windows 2008 server I recently added to a child domain. I can add users, group from the parent domain to the local groups on the Windows 2008 server. However, if I try to add a child domain user or group it seemingly adds correctly, but it doesn't show up in the members list of the group -- only the parent domain user/group. If I add the same child domain user or group to the list again I get a message that the user, group is already part of the local group.
When adding the user/group, check names works correctly and resolves the group. The odd part is that when added to the members list, I get the SID displayed e.g. "DOMAIN\user (S-1-5...)" as if it can't completely resolve the name.
Even if I do, from a command line 'net localgroup "local group name"' it lists only the parent domain users, but if I add the child domain users from the command line I get the same "The specified account name is already a member of the group."
Permissions seem to be applied, but I can't review nor can I remove permissions if needed.
ASKER
1. windows server 2008
2. windows server 2003
3. global security group being added to a local group (remote desktop users)
4. Before any roles were installed this was happening. Now I have terminal services role installed and it continues. The group ACL does seem to be applied so users in the group can use RDP, but it's not visible through compmgmt or from net localgroup (difficult for management).
5. This is a new domain and I have not put any WS2003 server in it. However, I did put an XP workstation and it was able to successfully see add groups.
6. verified.
Thanks for getting back to me!!
My apologies for the delay, and thanks for providing additional information!
At the risk of making you feel like we're playing 20 questions ... I'm still trying to mentally narrow this down a bit. :)
7) Can you duplicate the issue with a newly created local group on the WS2008 server? (i.e. create a test group to see if the problem is only with builtin/default groups)
8) Based on your response to Q5, is the WS2008 box also a DC for the child domain, since no other servers are members? If not, where is the DC for the child domain in all of this?
9) What was the source media for the WS2008 install (physical media/DVD, MSDN .ISO, cloned image, etc.)?
For what it's worth, I scoured the Interweb and found this (but unfortunately no resolution). So at least you're not alone! We just have to figure out how to reproduce it. Awaiting your responses to move forward. :)
Thanks for your patience,
Mark
ASKER
I apologize for the delay...
7. With a new local group, the group will resolve if I check the name. Similarly I can browse the domain for the group; however, when finally committing the changes (final OK), I get an error indicating the group cannot be found.
8. This WS2008 is not the DC. In this domain I currently have this WS2008 server, the WS2008 DC and that's it. I am building w/in the next day or so another WS2008R2 server to put in the domain. I'll find out what the results are with that too.
9. VMware template that has been used many times in the parent domain without issue.
Let's see if you can reproduce this "fun" behavior on the second WS2008 box and go from there. :) At least that will tell us if we're dealing with something unique to the WS2008 member server or higher up at the domain/forest level.
Let me know how it goes? I like these weird ones!
ASKER
This morning I finished the WS2008 R2 server and it doesn't display the same problem. It appears to be isolated to the WS2008 server.
I'm sure this sounds obvious, but have you already tried removing/readding the original WS2008 box from/to the child domain?
ASKER
I've actually gone as far as to create a new one -- same results.
So you're saying that you have this problem specifically with WS2008 and not with WS2008 R2? Meaning, the WS2008 box was rebuilt using the same VMware image used elsewhere and yet it exhibits the same behavior?
Apologies again for the 40,000 questions. :)
ASKER
correct.
ASKER
Let me work on a new build over the next day or two and get back. I agree that may be better.
Hi dmorr,
Just checking in to see how things turned out after the rebuild ... any good news? :)
-Mark
ASKER
I wasn't able to get a new machine rebuilt w/out an image and the other system is no longer required. So this never did get resolved, but isn't an issue anymore either. I may come across it again, I'm sure, but can't allocate time to troubleshoot a problem that doesn't affect me anymore. Thanks for the assistance to this point.
ASKER
not an issue any longer.
Can you provide some additional information?
1) Domain functional level
2) Forest functional level
3) Type and Scope of the groups being modified on the WS2008 server
4) Role(s) of the WS2008 server
5) Do additional WS2003 member servers joined to the child domain exhibit the same behavior? How about additional WS2008 member servers?
6) Does netdom verify /d:childdomain servername complete successfully (where childdomain = domain WS2008 server is joined to and servername = WS2008 computer name)?
Hang in there!
-Mark
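
For reviewing who actually holds membership in a local group when names display only as SIDs, as in the symptom described in this thread, the following is an added example (not posted by any participant) that reads the group through the ADSI WinNT provider and reports each member's raw SID alongside whether that SID translates to an account name. It assumes PowerShell 2.0 or later on the member server; the thread does not establish whether this view shows the members that `net localgroup` omitted.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 or later.
# Lists every member of a local group with its raw SID and marks entries
# whose SID cannot be translated to an account name.
$groupName = 'Remote Desktop Users'      # local group mentioned in the thread
$computer  = $env:COMPUTERNAME

$group = [ADSI]"WinNT://$computer/$groupName,group"

$report = foreach ($member in @($group.psbase.Invoke('Members'))) {
    # Members come back as raw COM objects, so read properties via reflection.
    $type    = $member.GetType()
    $adsPath = $type.InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
    $sidRaw  = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $sid     = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$sidRaw, 0)

    try {
        # Translation needs a reachable DC or trust path for the SID's domain.
        $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $resolved = $true
    } catch {
        # SID is a member of the group but has no resolvable name from this host.
        $account  = $null
        $resolved = $false
    }

    New-Object PSObject -Property @{
        Sid = $sid.Value; Account = $account; Resolved = $resolved; ADsPath = $adsPath
    }
}

# Unresolved entries sort first so they stand out in an access review.
$report | Sort-Object Resolved | Format-Table Sid, Account, Resolved, ADsPath -AutoSize
```

Entries with `Resolved` set to `False` are the ones to compare against the child domain's group SIDs, since they grant access (here, RDP logon) without appearing by name.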