asked on
Cannot add domain user to workstation remotely
I have a remote user who I need to add his domain loigin to the local administrators group. I connected via VPN using my credentials but each time I try to add his user, the domain could not be contacted. What do I need to do to allow me to connect him to the domain and then add his user to the admin group on the computer....or even user group so he can login with that domain login?
Windows NetworkingVPN
Last Comment
Joe Grosskopf
the user has to vpn into the domain and then login.
ASKER
They are....I am using VPN as admin to login and trying to add his user to the user and group manager but each time I specify the domain the computer that the domain could not be contacted. He can pin the AD server by IP and server name but can't do any AD task
ipconfig /all to see what the dns settings are.. the dns should only point to your dns servers and nothing else.
ASKER
The DNS is correct for the VPN connection. However,, the default gateway is blank. Could this be the issue? If I enable the default gateway then the user cannot get to the internet...only the the servers....and even then he could not add the user....domain could not be contacted.
try unchecking ipv6
ASKER
no dice....also enabled wins under tcp/ip 4 and added both DCs ip addresses in the lookup host
I'm a bit confused by the description. In cases like this, it pays to be quite pedantic! So forgive my overkill please.
You say:
This leaves a lot to be clarified.
While some of this might seem to be "obvious", I will list them anyway just for the sake of completeness:
1) the target workstation is joined to the domain.
2) the target user is a domain user.
3) the target domain user has ever logged onto the workstation or has not ever logged onto the workstation?
Remaining questions:
a) THE local administrators group only exists on a single workstation - and then there are many of those individually. So you mean ONE workstation, yes?
b) you say "add his user" so I take that to mean "add his domain username" to .....
As you are likely aware, there are a couple of aspects of doing this (aside from the VPN):
- If a domain user logs onto a workstation for the first time, a user profile is created (username folder in C:\Users, etc.) but no local group memberships that I'm aware of.
- When you list local users, you won't see this username unless you do something more.
- Most any time you refer to a domain username, you have to have the workstation connected in the domain (as well as joined) so that the username can be found in AD.
- You can use compmgmt.msc (as administrator - which means LOCAL ADMINISTRATOR) in order to add usernames to the various LOCAL groups.
I would assume these things:
1) you are logged into the workstation as a User that is a member of the LOCAL ADMINISTRATORS group. Yes?
(but First you say "I" and then you say "He"... ??? re: reaching AD).
2) The domain user has a profile on the workstation already? If not, I would log into the workstation as that User or have him/her do it.
3) Once the profile is established then using compmgmt.msc (as administrator) under ANY useful workstation logon, then add the username to whichever local groups you need.
(I don't have a "rule" for this but:
sometimes you can simply use domain username,
sometimes you have to use domain\domainusername and
sometimes you have to use computer\domainusername or computer\localusername
And, sometimes the context isn't obvious so you have to just try ones that make sense to you.
I'm not sure where your VPN terminates and what that has to do with the domain. So that may be an issue. But we'd need to know more about that to effectively comment.
You say:
I am using VPN as admin to loginand
add his domain logon to the local administrators groupand
add his user to the user and group manager
This leaves a lot to be clarified.
While some of this might seem to be "obvious", I will list them anyway just for the sake of completeness:
1) the target workstation is joined to the domain.
2) the target user is a domain user.
3) the target domain user has ever logged onto the workstation or has not ever logged onto the workstation?
Remaining questions:
a) THE local administrators group only exists on a single workstation - and then there are many of those individually. So you mean ONE workstation, yes?
b) you say "add his user" so I take that to mean "add his domain username" to .....
As you are likely aware, there are a couple of aspects of doing this (aside from the VPN):
- If a domain user logs onto a workstation for the first time, a user profile is created (username folder in C:\Users, etc.) but no local group memberships that I'm aware of.
- When you list local users, you won't see this username unless you do something more.
- Most any time you refer to a domain username, you have to have the workstation connected in the domain (as well as joined) so that the username can be found in AD.
- You can use compmgmt.msc (as administrator - which means LOCAL ADMINISTRATOR) in order to add usernames to the various LOCAL groups.
I would assume these things:
1) you are logged into the workstation as a User that is a member of the LOCAL ADMINISTRATORS group. Yes?
(but First you say "I" and then you say "He"... ??? re: reaching AD).
2) The domain user has a profile on the workstation already? If not, I would log into the workstation as that User or have him/her do it.
3) Once the profile is established then using compmgmt.msc (as administrator) under ANY useful workstation logon, then add the username to whichever local groups you need.
(I don't have a "rule" for this but:
sometimes you can simply use domain username,
sometimes you have to use domain\domainusername and
sometimes you have to use computer\domainusername or computer\localusername
And, sometimes the context isn't obvious so you have to just try ones that make sense to you.
I'm not sure where your VPN terminates and what that has to do with the domain. So that may be an issue. But we'd need to know more about that to effectively comment.
ASKER
1) the target workstation is joined to the domain. Yes
2) the target user is a domain user. Yes
3) the target domain user has ever logged onto the workstation or has not ever logged onto the workstation? Never
you are logged into the workstation as a User that is a member of the LOCAL ADMINISTRATORS group. Yes?
(but First you say "I" and then you say "He"... ??? re: reaching AD) I am logged in as a local admin trying to add his domain user to the admin group on the computer
2) The domain user has a profile on the workstation already? If not, I would log into the workstation as that User or have him/her do it.. Not but a cannot because there is nothing to login to. No user added yet. I can try loggin in as the user with VPN connected and see if that works.
This is usually a very simple process at work connected directy to the domain but this user is hundreds of miles away and I am remotely connected to his computer trying to get it working
Thanks
I'll try some of the things you suggested and see where that leaves me
2) the target user is a domain user. Yes
3) the target domain user has ever logged onto the workstation or has not ever logged onto the workstation? Never
you are logged into the workstation as a User that is a member of the LOCAL ADMINISTRATORS group. Yes?
(but First you say "I" and then you say "He"... ??? re: reaching AD) I am logged in as a local admin trying to add his domain user to the admin group on the computer
2) The domain user has a profile on the workstation already? If not, I would log into the workstation as that User or have him/her do it.. Not but a cannot because there is nothing to login to. No user added yet. I can try loggin in as the user with VPN connected and see if that works.
This is usually a very simple process at work connected directy to the domain but this user is hundreds of miles away and I am remotely connected to his computer trying to get it working
Thanks
I'll try some of the things you suggested and see where that leaves me
Not but a cannot because there is nothing to login to. No user added yet.But the user *is* already a domain user, right? On a domain, any domain user can log on to any workstation - in general at least. No prerequisites for doing this except being a domain user, having the workstation joined to the domain and being currently connected to the domain / AD.
The first time this is done creates a user profile on the workstation - so it takes just a little longer.
After the first time, the domain connection isn't necessary I believe and the user can log on - as there is a profile established.
Ah. OK, so you are remoting into the (domain) remote computer. The type of remote may have an impact. Some are logons and some are remote assistance type connections. Windows RDP is different than, for example, GoToAssist, and then there is VNC, etc. In this case, I should think you would want to use something that preserves the domain logon from that workstation.
I envision:
1) remote workstation is accessed by TECH (you) with some kind of "remote access".
2) remote workstation is logged onto the domain (by TECH) via a VPN connection.
3) Internal domain workstation is accessed (by TECH) with some kind of "remote access" with LOCAL ADMIN group membership.
4) Internal domain workstation compmgmt.msc is used (by TECH) to add remotedomainuser to LOCAL Administrators group.
Is that close?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I can't believe it was that simple...Thank You!