Local Admin Group

[Graham]

I am trying to add the Domain users group to the local
admin group for users in my Windows 2000 Network. I go
into groups --> Administrators --> Add and browse the
domain for the Domain users group, when I apply the option
I get an error message along the lines of "Could not add
user, the domain does not exist or is not available" even
though I am able to browse it for users???

I can not even add a single domain user to the local
admin group. Whats going on here, if I can browse the
domain, how can it not be available?

This is driving me crazy as users can not install
software or run love update unless I log them on as
administrator. And I do not want then to have
administrator right.

Any help would be great.

Thanks - Graham

 

[Oli Restorick [MVP]]

Could be a number of issues:

1) You must be logged on as a domain user to browse the list of users and
groups in the domain
2) You must be logged on as a local administrator (and therefore domain
administrator will work) to add the user to the group on the machine.
3) Because of 1 & 2, a domain administrator's account is the easiest to use
to achieve this
4) DNS issue, as already suggested.

Having said that, if you add the Builtin\INTERACTIVE group from the local
machine to the local administrators group, any user who logs in locally gets
administrative rights, but domain users browsing across the network don't
get any additional access.

You really don't want people being able to browse to other users' machines
and having full control over all thier files (and their user profile). That
would make for a very easy exploit for a user to get domain admin rights.

Oli