User Access

Guest
Archived from groups: microsoft.public.win2000.security

I have inherited a small school with many problems. They are running 2003
Server and have 2000Pro Desktops.
I can add users and computers to the domain (at the server) with no problem.
I can join computers to the domain with no problem. However, when adding a user
to the administrator group on the local machine, I have problems. I can
choose the correct domain from the drop down box at the top and then
authenticate to the domain. But when I choose the user I want to add and
select apply or OK, I get an error message that the domain does not exist or
cannot be contacted.
Why? I can see the domain and its users!

Any insight on this would be helpful.
 
Guest

The first thing I would check is to make sure that DNS is configured
correctly in the domain, with the biggest problem being that ISP DNS servers
are in the list of preferred DNS servers for domain computers as shown via
ipconfig /all. See the link below for more details.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382

Also check Event Viewer on the domain controllers and the domain computer
where you are having a problem doing this. There are a few invaluable
support tools such as netdiag and dcdiag that can be installed from the
install CD-ROM in the support/tools folder. I would run netdiag on the domain
computer where you are having a problem and in particular look for
errors/warnings/failed tests for DC discovery, DNS, Kerberos, and
trust/secure channel that would help troubleshoot the problem. Most
problems are related to improper DNS configuration in the domain.

--- Steve

"Fergie" <Fergie@discussions.microsoft.com> wrote in message
news:C9321F12-6912-4F85-A245-55035015BD77@microsoft.com...
>I have inherited a small school with many problems. They are running 2003
> Server and have 2000Pro Desktops.
> I can add users and computers to the domain (at the server) with no
> problem.
> I can join computers to the domain with no problem. However, when adding
> a user to the administrator group on the local machine, I have problems. I can
> choose the correct domain from the drop down box at the top and then
> authenticate to the domain. But when I choose the user I want to add and
> select apply or OK, I get an error message that the domain does not exist
> or cannot be contacted.
> Why? I can see the domain and its users!
>
> Any insight on this would be helpful.
 
Guest

Fergie wrote:
> I have inherited a small school with many problems. They are running
> 2003 Server and have 2000Pro Desktops.
> I can add users and computers to the domain (at the server) with no
> problem. I can join computers to the domain with no problem. However,
> when adding a user to the administrator group on the local machine, I
> have problems. I can choose the correct domain from the drop down box
> at the top and then authenticate to the domain. But when I choose the
> user I want to add and select apply or OK, I get an error message
> that the domain does not exist or cannot be contacted.
> Why? I can see the domain and its users!
>
> Any insight on this would be helpful.

In addition to Steven's reply - are you absolutely sure you want to do this?
If these are regular end-user accounts, you may be opening up a big can of
worms by granting them local admin rights.
 
Guest

I concur... there really isn't any reason for a "normal" user to be a member
of the local administrators group. Any application for which they may need
"administrative" access can be handled through GPOs.

Also, the issue with seeing the domain... DNS DNS DNS.

Make sure your Primary/Preferred DNS (All machines) is your Active Directory
DNS server and nothing else. Also check your forward lookup zone on your
DNS server to verify that you have the 4 primary SRV records, MSDCS, SITES,
UDP, TCP. If they are not there, then you have DNS issues. DNS issues do
not render your domain unusable; however, they will raise problems. At no
point in time should anything point to an outside ISP unless you configure
the forwarders. If you remove any references in your TCP/IP properties,
always make sure you run these four commands:

ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

Again, all DNS references in TCP/IP settings should ONLY point to your AD
DNS server and nothing else.

Michael MSCE

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:uliX9jnwEHA.3416@TK2MSFTNGP09.phx.gbl...
> Fergie wrote:
>> I have inherited a small school with many problems. They are running
>> 2003 Server and have 2000Pro Desktops.
>> I can add users and computers to the domain (at the server) with no
>> problem. I can join computers to the domain with no problem. However,
>> when adding a user to the administrator group on the local machine, I
>> have problems. I can choose the correct domain from the drop down box
>> at the top and then authenticate to the domain. But when I choose the
>> user I want to add and select apply or OK, I get an error message
>> that the domain does not exist or cannot be contacted.
>> Why? I can see the domain and its users!
>>
>> Any insight on this would be helpful.
>
> In addition to Steven's reply - are you absolutely sure you want to do
> this?
> If these are regular end-user accounts, you may be opening up a big can of
> worms by granting them local admin rights.
>
>
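
A check for the DNS advice given in Steve's and Michael's replies above, as an added example that is not part of the original thread: it parses `ipconfig /all` output and reports any adapter that lists a DNS server other than the Active Directory DNS server. The sample output, host name, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /all` output from a Windows 2000 client (not from the thread).
SAMPLE = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : LAB-PC07

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.10.57
        Default Gateway . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.2
                                            203.0.113.53
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server IPs]} parsed from `ipconfig /all` output."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if line and not line[0].isspace() and stripped.endswith(":"):
            current, in_dns = stripped[:-1], False      # unindented "... adapter X:" header
            adapters[current] = []
        elif current and stripped.startswith("DNS Servers"):
            in_dns = True
            value = stripped.split(":", 1)[1].strip()
            if IPV4.match(value):
                adapters[current].append(value)
        elif in_dns and IPV4.match(stripped):
            adapters[current].append(stripped)          # continuation line: a bare IP address
        else:
            in_dns = False
    return adapters

def foreign_dns(text, ad_dns):
    """Return {adapter: [servers not in ad_dns]} for adapters that list any."""
    found = {a: [s for s in servers if s not in ad_dns]
             for a, servers in dns_servers_by_adapter(text).items()}
    return {a: extra for a, extra in found.items() if extra}

if __name__ == "__main__":
    # 192.168.10.2 stands in for the AD DNS server (assumed address).
    for adapter, extra in foreign_dns(SAMPLE, {"192.168.10.2"}).items():
        print(f"{adapter}: non-AD DNS servers configured: {', '.join(extra)}")
```

Feed it the saved output of `ipconfig /all` from each client and pass the set of addresses of your own AD DNS servers as `ad_dns`.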