
Cannot add domain user to workstation remotely

jsgrosskopf asked:
I have a remote user whose domain login I need to add to the local Administrators group. I connected via VPN using my credentials, but each time I try to add his user, the domain could not be contacted. What do I need to do to allow me to connect him to the domain and then add his user to the admin group on the computer... or even the Users group so he can log in with that domain login?

David Johnson, CD (Simple Geek from the '70s)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The user has to VPN into the domain and then log in.
jsgrosskopf (IS Manager)

Author

Commented:
They are. I am using VPN as admin to log in and trying to add his user in the user and group manager, but each time I specify the domain the computer says that the domain could not be contacted. He can ping the AD server by IP and server name but can't do any AD task.
David Johnson, CD (Simple Geek from the '70s)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Run ipconfig /all to see what the DNS settings are. The DNS should only point to your DNS servers and nothing else.
jsgrosskopf (IS Manager)

Author

Commented:
The DNS is correct for the VPN connection. However, the default gateway is blank. Could this be the issue? If I enable the default gateway then the user cannot get to the internet, only the servers, and even then he could not add the user: domain could not be contacted.
David Johnson, CD (Simple Geek from the '70s)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Try unchecking IPv6.
jsgrosskopf (IS Manager)

Author

Commented:
No dice. Also enabled WINS under TCP/IPv4 and added both DCs' IP addresses in the lookup host.
Fred Marshall (Principal)
CERTIFIED EXPERT

Commented:
I'm a bit confused by the description. In cases like this, it pays to be quite pedantic! So forgive my overkill please.

You say:
I am using VPN as admin to login
and
add his domain logon to the local administrators group
and
add his user to the user and group manager

This leaves a lot to be clarified.

While some of this might seem to be "obvious", I will list them anyway just for the sake of completeness:
1) the target workstation is joined to the domain.
2) the target user is a domain user.
3) the target domain user has ever logged onto the workstation or has not ever logged onto the workstation?

Remaining questions:
a) THE local administrators group only exists on a single workstation - and then there are many of those individually.  So you mean ONE workstation, yes?
b) you say "add his user" so I take that to mean "add his domain username" to .....

As you are likely aware, there are a couple of aspects of doing this (aside from the VPN):
- If a domain user logs onto a workstation for the first time, a user profile is created (username folder in C:\Users, etc.) but no local group memberships that I'm aware of.
- When you list local users, you won't see this username unless you do something more.
- Most any time you refer to a domain username, you have to have the workstation connected in the domain (as well as joined) so that the username can be found in AD.
- You can use compmgmt.msc (as administrator - which means LOCAL ADMINISTRATOR) in order to add usernames to the various LOCAL groups.

I would assume these things:
1) you are logged into the workstation as a User that is a member of the LOCAL ADMINISTRATORS group.  Yes?
(but First you say "I" and then you say "He"... ??? re: reaching AD).
2) The domain user has a profile on the workstation already?  If not, I would log into the workstation as that User or have him/her do it.
3) Once the profile is established, use compmgmt.msc (as administrator) under ANY useful workstation logon to add the username to whichever local groups you need.
(I don't have a "rule" for this, but:
sometimes you can simply use domain username,
sometimes you have to use domain\domainusername, and
sometimes you have to use computer\domainusername or computer\localusername.
And sometimes the context isn't obvious, so you have to just try the ones that make sense to you.)

I'm not sure where your VPN terminates and what that has to do with the domain. So that may be an issue. But we'd need to know more about that to effectively comment.
jsgrosskopf (IS Manager)

Author

Commented:
1) the target workstation is joined to the domain. Yes
2) the target user is a domain user. Yes
3) the target domain user has ever logged onto the workstation or has not ever logged onto the workstation? Never

1) You are logged into the workstation as a User that is a member of the LOCAL ADMINISTRATORS group. Yes?
(but first you say "I" and then you say "He"... ??? re: reaching AD) I am logged in as a local admin trying to add his domain user to the admin group on the computer.

2) The domain user has a profile on the workstation already? If not, I would log into the workstation as that User or have him/her do it. No, but I cannot because there is nothing to log in to. No user added yet. I can try logging in as the user with VPN connected and see if that works.

This is usually a very simple process at work connected directly to the domain, but this user is hundreds of miles away and I am remotely connected to his computer trying to get it working.

Thanks

I'll try some of the things you suggested and see where that leaves me.
Fred Marshall (Principal)
CERTIFIED EXPERT

Commented:
"No, but I cannot because there is nothing to log in to. No user added yet."
But the user *is* already a domain user, right? On a domain, any domain user can log on to any workstation, in general at least. No prerequisites for doing this except being a domain user, having the workstation joined to the domain and being currently connected to the domain / AD.
The first time this is done creates a user profile on the workstation - so it takes just a little longer.
After the first time, the domain connection isn't necessary, I believe, and the user can log on, as there is a profile established.

Ah. OK, so you are remoting into the (domain) remote computer. The type of remote may have an impact. Some are logons and some are remote assistance type connections. Windows RDP is different than, for example, GoToAssist, and then there is VNC, etc. In this case, I should think you would want to use something that preserves the domain logon from that workstation.

I envision:
1) remote workstation is accessed by TECH (you) with some kind of "remote access".
2) remote workstation is logged onto the domain (by TECH) via a VPN connection.
3) Internal domain workstation is accessed (by TECH) with some kind of "remote access" with LOCAL ADMIN group membership.
4) Internal domain workstation compmgmt.msc is used (by TECH) to add remotedomainuser to LOCAL Administrators group.

Is that close?
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Here is the situation/consideration that Fred and David are raising:

Are you actually remotely connecting into that system via RDP, or are you using a remote tool for the user to share?

A quicker route than graphical is from an elevated command window:
net localgroup administrators "domain\username" /add
net localgroup administrators
to confirm.
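As an added example (not code from the thread), the same operation in PowerShell, preceded by checks for the preconditions the thread keeps circling back to: the workstation must resolve the domain through the internal DNS servers on the VPN and must actually reach a domain controller before "DOMAIN\user" can be looked up. It assumes Windows 10 / Server 2016 or later (for the LocalAccounts cmdlets) and an elevated session on the domain-joined workstation with the VPN up; CORP, corp.example.com and jdoe are placeholders.

```powershell
# Added example: verify domain reachability, then add a domain user to the
# LOCAL Administrators group and confirm. Placeholders: CORP, corp.example.com, jdoe.
param(
    [string]$DomainNetbios = 'CORP',              # placeholder NetBIOS domain name
    [string]$DomainDns     = 'corp.example.com',  # placeholder DNS domain name
    [string]$UserName      = 'jdoe'               # placeholder domain user
)

# 1. DNS: the DC locator SRV records must resolve via the DNS servers on the VPN
#    adapter, otherwise Windows reports "the domain could not be contacted".
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses } |
       Select-Object -ExpandProperty ServerAddresses
Write-Host "DNS servers in use: $($dns -join ', ')"
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDns" -Type SRV -ErrorAction Stop
    Write-Host "DC SRV targets: $($srv.NameTarget -join ', ')"
} catch {
    throw "Cannot resolve DC locator records for $DomainDns; fix DNS on the VPN adapter first."
}

# 2. Domain contact: the DC locator must succeed and the machine account's
#    secure channel must be healthy, or name lookups for DOMAIN\user fail.
$dc = nltest /dsgetdc:$DomainDns 2>&1
if ($LASTEXITCODE -ne 0) { throw "DC locator failed:`n$dc" }
if (-not (Test-ComputerSecureChannel)) {
    throw "Secure channel to $DomainDns is broken; repair it before adding domain users."
}

# 3. Add the domain user to the LOCAL Administrators group (equivalent to
#    'net localgroup administrators "DOMAIN\user" /add'); skip if already present.
$member  = "$DomainNetbios\$UserName"
$already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -ieq $member }
if ($already) {
    Write-Host "$member is already a member of Administrators."
} else {
    Add-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction Stop
    Write-Host "Added $member to Administrators."
}

# 4. Confirm, showing principal source and SID so the change is auditable.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource, SID |
    Format-Table -AutoSize
```

On older Windows builds without the LocalAccounts module, step 3 reduces to the net localgroup command in the comment above.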
jsgrosskopf (IS Manager)

Author

Commented:
I can't believe it was that simple... Thank you!