Cannot Add Domain Accounts to Local Admin Group


JT

I periodically support a small business with SBS 2000.
I cannot add Domain accounts into the local admin group.
I was able to do this several weeks ago. I recently
completed Windows Updates, and feel this may be my
issue.

Any others with this problem?

Thanks,
JT
 
JT,

To what 'local admin group' are you referring? And where - on the
WIN2000/WINXP clients or on the SBS2000 Server?

My guess is that you are referring to your clients. Do you know if the
Group Policy 'Restricted Groups' has been implemented? This could have
something to do with your issue. Take a look at the following MSKB Articles:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=320045
http://support.microsoft.com/?id=228496
http://support.microsoft.com/?id=279301

By default, the 'Domain Admins' group is a member of the local
'Administrators' group on each client system. The 'Restricted
Groups' GPO can be used to make sure that no other user account/group
account can be added to the local 'Administrators' group. Initially, when
applying this GPO all members of the local 'Administrators' group were
replaced by whatever group you indicated in the GPO ( typically the 'Domain
Admins' group ). However, there was a later fix for this that 'merged' the
group that you were using in the GPO with the current members of the local
'Administrators' group. Please see the following MSKB Article:

http://support.microsoft.com/?id=810076

Does this help you? Also, what error message are you receiving when
attempting to do this? And how are you trying to do this?

HTH,

Cary
 
Cary,

Thank You for the speedy reply. I am trying to add
domain user accounts into the Local Administrators group
on several XP and Win2K systems. I get an error
stating "the domain does not exist or cannot be located".
No changes have been made to DNS, WINS, or DHCP. There
is only the default GPO implemented. If I add the user
to the Domain Admins group, they have full access to the
local system, but I really would like to avoid that
scenario.

Since I only work there on Saturdays I cannot
troubleshoot as I would like. I'll be sure to check the
articles you advised.

Thanks again. I really appreciate your advisements!
JT
 
JT,

You are well advised to not make any user account a member of the Domain
Admins. That would give those with a little bit of knowledge access to just
about everything. Not a really good situation in most cases. I have found
out over the years that there is always one ( at least! ) who tries to go a
bit too far!

In the TCP/IP configuration on each client computer are the DNS entries set
to the *internal* DNS Server and NOT to the ISP's DNS Server IP Address(es)?
I would assume that each client computer is receiving the IP Address lease
from a DHCP Server ( either SBS2000 or a Firewall-type device ). Do an
ipconfig /all on several of the clients where you are getting this error and
look specifically at the DNS entry. It *must* be the local DNS Server and
not the ISP.

See if that helps.

Cary
 
I have the same issue here, and I checked the DHCP
information, it had both local DNS ip, and ISP DNS ip
addresses. Are you saying we should totally remove all
ISP DNS ip addresses from the DHCP server? Thanks
 
Absolutely. Without hesitation!

The only place that your ISP DNS information should show up would be in the
Forwarders tab in your Forward Lookup Zone ( DNS MMC ).

None of your local clients ( workstations, servers, Domain Controllers )
should have the ISP DNS information anywhere in their TCP/IP configuration
information. Just the local DNS Servers.

I would make that change immediately and either have all of your clients
reboot their system ( probably easiest ) or do an ipconfig /release followed
by an ipconfig /renew.

HTH,

Cary
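A quick check for the advice in this thread, added here as an example and not taken from the thread or from Microsoft: it parses the output of `ipconfig /all` from a client and flags any DNS server that is not inside the internal networks you name, so a machine still handed the ISP's DNS by DHCP stands out. The sample output, the host name and the 192.168.16.0/24 network are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from one XP client (not real data).
# The second DNS entry (203.0.113.53) stands in for an ISP resolver.
SAMPLE_IPCONFIG = """
Windows IP Configuration
        Host Name . . . . . . . . . . . . : ws01
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : corp.example.local
        IP Address. . . . . . . . . . . . : 192.168.16.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.16.1
        DHCP Server . . . . . . . . . . . : 192.168.16.2
        DNS Servers . . . . . . . . . . . : 192.168.16.2
                                            203.0.113.53
        Primary WINS Server . . . . . . . : 192.168.16.2
"""

# First DNS server sits on the "DNS Servers . . . : x.x.x.x" line; extra servers
# follow on indented lines that hold nothing but an address.
DNS_LINE = re.compile(r"^\s*DNS Servers\s*[. ]*:\s*(\S+)\s*$")
CONT_LINE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(ipconfig_text):
    """Return every DNS server address listed under 'DNS Servers'."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        if in_dns:
            c = CONT_LINE.match(line)
            if c:
                servers.append(c.group(1))
                continue
            in_dns = False  # any other line ends the DNS Servers block
    return servers


def find_external_dns(ipconfig_text, internal_nets):
    """Return DNS servers that fall outside the internal networks (e.g. the ISP's)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return [s for s in parse_dns_servers(ipconfig_text)
            if not any(ipaddress.ip_address(s) in n for n in nets)]


if __name__ == "__main__":
    bad = find_external_dns(SAMPLE_IPCONFIG, ["192.168.16.0/24"])
    print("External DNS servers to remove:", bad or "none")
```

On a real client, run `ipconfig /all > out.txt` and feed the file's contents to `find_external_dns` with your own internal subnets; only the internal DNS server(s) should remain, with the ISP addresses kept solely in the DNS server's Forwarders tab.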
 