Joe Grosskopf asked:

Cannot add domain user to workstation remotely

I have a remote user whose domain login I need to add to the local administrators group. I connected via VPN using my credentials, but each time I try to add his user, the domain could not be contacted. What do I need to do to allow me to connect him to the domain and then add his user to the admin group on the computer....or even the user group, so he can log in with that domain login?
Tags: Windows Networking, VPN

Last comment: Joe Grosskopf

8/22/2022 - Mon
David Johnson, CD

The user has to VPN into the domain and then log in.
Joe Grosskopf

ASKER
They are....I am using VPN as admin to log in and trying to add his user to the user and group manager, but each time I specify the domain, the computer says that the domain could not be contacted. He can ping the AD server by IP and server name but can't do any AD task.
David Johnson, CD

Run ipconfig /all to see what the DNS settings are. The DNS should only point to your DNS servers and nothing else.
Joe Grosskopf

ASKER
The DNS is correct for the VPN connection. However, the default gateway is blank. Could this be the issue? If I enable the default gateway then the user cannot get to the internet...only the servers....and even then he could not add the user....domain could not be contacted.
David Johnson, CD

Try unchecking IPv6.
Joe Grosskopf

ASKER
No dice....also enabled WINS under TCP/IPv4 and added both DCs' IP addresses in the lookup host.
hypercube

I'm a bit confused by the description.  In cases like this, it pays to be quite pedantic!  So forgive my overkill please.

You say:
I am using VPN as admin to login
and
add his domain logon to the local administrators group
and
add his user to the user and group manager

This leaves a lot to be clarified.

While some of this might seem to be "obvious", I will list them anyway just for the sake of completeness:
1) the target workstation is joined to the domain.
2) the target user is a domain user.
3) the target domain user has ever logged onto the workstation or has not ever logged onto the workstation?

Remaining questions:
a) THE local administrators group only exists on a single workstation - and then there are many of those individually.  So you mean ONE workstation, yes?
b) you say "add his user" so I take that to mean "add his domain username" to .....

As you are likely aware, there are a couple of aspects of doing this (aside from the VPN):
- If a domain user logs onto a workstation for the first time, a user profile is created (username folder in C:\Users, etc.) but no local group memberships that I'm aware of.
- When you list local users, you won't see this username unless you do something more.
- Most any time you refer to a domain username, you have to have the workstation connected in the domain (as well as joined) so that the username can be found in AD.
- You can use compmgmt.msc (as administrator - which means LOCAL ADMINISTRATOR) in order to add usernames to the various LOCAL groups.

I would assume these things:
1) you are logged into the workstation as a User that is a member of the LOCAL ADMINISTRATORS group.  Yes?
(but First you say "I" and then you say "He"... ??? re: reaching AD).
2) The domain user has a profile on the workstation already?  If not, I would log into the workstation as that User or have him/her do it.
3) Once the profile is established then using compmgmt.msc (as administrator) under ANY useful workstation logon, then add the username to whichever local groups you need.
(I don't have a "rule" for this but:
sometimes you can simply use domain username,
sometimes you have to use domain\domainusername and
sometimes you have to use computer\domainusername or computer\localusername
And, sometimes the context isn't obvious so you have to just try ones that make sense to you.)

I'm not sure where your VPN terminates and what that has to do with the domain.  So that may be an issue.  But we'd need to know more about that to effectively comment.
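Added example, not written by any participant in this thread: a PowerShell script that first performs the check David suggests above (which DNS servers the client is using, and whether the domain's DC locator record resolves) and then performs the step hypercube describes, adding the domain account to the LOCAL Administrators group in domain\username form. It assumes an elevated PowerShell on the remote workstation and the LocalAccounts module that ships with Windows 10 / Server 2016 and later; contoso.local, CONTOSO\jdoe and the parameter names are placeholders to be replaced with your own values.

```powershell
# Added example (not from the thread): diagnose "the domain could not be contacted"
# over a VPN, then add a domain account to the LOCAL Administrators group.
# Run in an elevated PowerShell on the remote workstation.
# CONTOSO / contoso.local / jdoe are placeholder names; substitute your own.

param(
    [string]$DomainFqdn = 'contoso.local',   # assumption: your AD DNS domain name
    [string]$DomainUser = 'CONTOSO\jdoe'     # assumption: NetBIOS-domain\sAMAccountName
)

$ErrorActionPreference = 'Stop'

# 1) Is this workstation actually joined, and to which domain?
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "Workstation is not domain-joined (reports: $($cs.Domain))"
}
Write-Output "Joined to: $($cs.Domain)"

# 2) Which DNS servers is the client using? They should be the internal
#    DNS/DC addresses only; a public resolver here breaks DC location.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 3) DC location goes through the SRV record, not through pinging the DC by name.
#    A ping that works while this lookup fails is exactly the symptom in the thread.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV
    Write-Output "DC SRV targets: $(($srv | Where-Object NameTarget).NameTarget -join ', ')"
} catch {
    throw "Cannot resolve the DC SRV record for $DomainFqdn; fix the VPN DNS first. $_"
}

# 4) Ask the DC locator directly and verify the machine's secure channel.
$null = nltest /dsgetdc:$DomainFqdn
if ($LASTEXITCODE -ne 0) { throw "nltest could not locate a DC for $DomainFqdn" }
if (-not (Test-ComputerSecureChannel)) {
    throw "Secure channel to $DomainFqdn is broken; repair it before adding users"
}

# 5) Add the domain account to the LOCAL Administrators group (DOMAIN\user form).
$existing = Get-LocalGroupMember -Group 'Administrators' -Member $DomainUser -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "$DomainUser is already a member of local Administrators"
} else {
    Add-LocalGroupMember -Group 'Administrators' -Member $DomainUser
    Write-Output "Added $DomainUser to local Administrators"
}

# Show the result; PrincipalSource tells local and ActiveDirectory members apart.
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, PrincipalSource -AutoSize
```

Step 3 is the check the thread circles around: a ping to the DC's IP or hostname says nothing about DC location, which needs the _ldap._tcp.dc._msdcs SRV record from the domain's own DNS. If the VPN adapter ends up with a public resolver, that lookup fails and Windows reports that the domain could not be contacted even though the server answers ping.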
Joe Grosskopf

ASKER
1) the target workstation is joined to the domain. Yes
2) the target user is a domain user. Yes
3) the target domain user has ever logged onto the workstation or has not ever logged onto the workstation? Never
 

you are logged into the workstation as a User that is a member of the LOCAL ADMINISTRATORS group.  Yes?
(but First you say "I" and then you say "He"... ??? re: reaching AD) I am logged in as a local admin trying to add his domain user to the admin group on the computer

2) The domain user has a profile on the workstation already? If not, I would log into the workstation as that User or have him/her do it.. No, but I cannot because there is nothing to log in to. No user added yet. I can try logging in as the user with VPN connected and see if that works.

This is usually a very simple process at work connected directly to the domain, but this user is hundreds of miles away and I am remotely connected to his computer trying to get it working.

Thanks

I'll try some of the things you suggested and see where that leaves me
hypercube

No, but I cannot because there is nothing to log in to. No user added yet.
But the user *is* already a domain user, right?  On a domain, any domain user can log on to any workstation - in general at least.  No prerequisites for doing this except being a domain user, having the workstation joined to the domain and being currently connected to the domain / AD.
The first time this is done creates a user profile on the workstation - so it takes just a little longer.
After the first time, the domain connection isn't necessary I believe and the user can log on - as there is a profile established.

Ah.  OK, so you are remoting into the (domain) remote computer.  The type of remote may have an impact.  Some are logons and some are remote assistance type connections.  Windows RDP is different than, for example, GoToAssist, and then there is VNC, etc.  In this case, I should think you would want to use something that preserves the domain logon from that workstation.

I envision:
1) remote workstation is accessed by TECH (you) with some kind of "remote access".
2) remote workstation is logged onto the domain (by TECH) via a VPN connection.
3) Internal domain workstation is accessed (by TECH) with some kind of "remote access" with LOCAL ADMIN group membership.
4) Internal domain workstation compmgmt.msc is used (by TECH) to add remotedomainuser to LOCAL Administrators group.

Is that close?
ASKER CERTIFIED SOLUTION
arnold
Joe Grosskopf

ASKER
I can't believe it was that simple...Thank You!