Add Domain Admins to Local admin group

JohnB

Is there a way, with a GPO, that I can add the Domain Admins group to the
Local Administrator's group on every PC?
 
Ace Fekay [MCT]

"JohnB" wrote in message
news:e1Jyl71QKHA.3296@TK2MSFTNGP04.phx.gbl...
> Is there a way, with a GPO, that I can add the Domain Admins group to the
> Local Administrator's group on every PC?
>



Yes, there is, with Restricted Groups or Group Policy Preferences. Read more
below.

==================================================================
==================================================================
Restricted Groups

I usually do this from a non-DC with the GPMC installed because you need
access to local groups on a non-DC; however, manually typing in
"Administrators" or "Users" should work if you do it from a DC.

Going on memory... forgive me if I missed a step...

In AD, create an OU and call it Restricted Groups (or whatever you want to
call it)
In AD, create a group and call it Local Power Users Group
Create another group and call it Local Admin Users Group
Logon as domain admin on an XP machine
Install the GPMC on an XP machine
Open the GPMC and navigate to the OU you created above
Create and link a new GPO to the OU
Right-click on it and choose Edit
Navigate to the Computer section, and Restricted Groups
Choose new group, browse to the domain's Local Power Users Group and add it
to the local XP machine's groups, and choose

Power Users
Choose new group, browse to the domain's Local Admin Users Group and add it
to the local XP machine's groups and choose

Administrators
Move the computer to the OU
Add the user to the Local Power Users Group in AD that you created above
On the machine where the user is logged on, have him logoff and logon
You may have to have him do it twice
In the XP's computer Management console, look at the Local Power Users and
Administrators Groups and see if the Domain\Local Power Users Group is added
to the machine's local Power Users group and the Local Admin Users Group is
added to the machine's local Administrators group. If so, they will show up
as grayed out, meaning the policy is working. If you added the user to the
domain's Local Power Users Group, then the user should now be able to
perform actions of a Power User.

------
Related Links:

Using Restricted Groups
http://www.windowsecurity.com/articles/Usi...ted-Groups.html

Restricted groups are made for that:
http://www.frickelsoft.net/blog/?p=13

------
You can also use Group Policy Preferences:

You can take advantage of the Local Users and Groups settings of Group
Policy Preferences, which gives you an option to add the current user to an
arbitrary local group (including local Administrators). For more info, refer
to http://technet.microsoft.com/en-us/library/cc731972.aspx
==================================================================
==================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
 
JohnB

Ok I'll give that a try.
Thanks


"Ace Fekay [MCT]" wrote in message
news:OIA%23$E2QKHA.3876@TK2MSFTNGP06.phx.gbl...
> "JohnB" wrote in message
> news:e1Jyl71QKHA.3296@TK2MSFTNGP04.phx.gbl...
>> Is there a way, with a GPO, that I can add the Domain Admins group to the
>> Local Administrator's group on every PC?
>>

>
>
> Yes, there is, with Restricted Groups or Group Policy Preferences. Read
> more below.
>
> ==================================================================
> ==================================================================
> Restricted Groups
>
> I usually do this from a non-DC with the GPMC installed because you need
> access to local groups on a non-DC; however, manually typing in
> "Administrators" or "Users" should work if you do it from a DC.
>
> Going on memory... forgive me if I missed a step...
>
> In AD, create an OU and call it Restricted Groups (or whatever you want to
> call it)
> In AD, create a group and call it Local Power Users Group
> Create another group and call it Local Admin Users Group
> Logon as domain admin on an XP machine
> Install the GPMC on an XP machine
> Open the GPMC and navigate to the OU you created above
> Create and link a new GPO to the OU
> Right-click on it and choose Edit
> Navigate to the Computer section, and Restricted Groups
> Choose new group, browse to the domain's Local Power Users Group and add
> it to the local XP machine's groups, and choose
>
> Power Users
> Choose new group, browse to the domain's Local Admin Users Group and add
> it to the local XP machine's groups and choose
>
> Administrators
> Move the computer to the OU
> Add the user to the Local Power Users Group in AD that you created above
> On the machine where the user is logged on, have him logoff and logon
> You may have to have him do it twice
> In the XP's computer Management console, look at the Local Power Users and
> Administrators Groups and see if the Domain\Local Power Users Group is
> added to the machine's local Power Users group and the Local Admin Users
> Group is added to the machine's local Administrators group. If so, they
> will show up as grayed out, meaning the policy is working. If you added
> the user to the domain's Local Power Users Group, then the user should now
> be able to perform actions of a Power User.
>
> ------
> Related Links:
>
> Using Restricted Groups
> http://www.windowsecurity.com/articles/Usi...ted-Groups.html
>
> Restricted groups are made for that:
> http://www.frickelsoft.net/blog/?p=13
>
> ------
> You can also use Group Policy Preferences:
>
> You can take advantage of the Local Users and Groups settings of Group
> Policy Preferences, which gives you an option to add the current user to
> an
> arbitrary local group (including local Administrators). For more info,
> refer
> to http://technet.microsoft.com/en-us/library/cc731972.aspx
> ==================================================================
> ==================================================================
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
> Messaging
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>
 
Ace Fekay [MCT]

"JohnB" wrote in message
news:e9NTIH6QKHA.3540@TK2MSFTNGP04.phx.gbl...
> Ok I'll give that a try.
> Thanks
>



You are welcome!

Ace
 
DaveMills

On Fri, 2 Oct 2009 08:50:17 -0400, "JohnB" wrote:

>Is there a way, with a GPO, that I can add the Domain Admins group to the
>Local Administrator's group on every PC?
>

I am missing something here; by default the "domain admins" group is a member of
the local "administrators" group.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
Ace Fekay [MCT]

"DaveMills" wrote in message
news:vn1ec5ppittl48n8jjbbmfts2l6a4ol34l@4ax.com...
> On Fri, 2 Oct 2009 08:50:17 -0400, "JohnB" wrote:
>
>>Is there a way, with a GPO, that I can add the Domain Admins group to the
>>Local Administrator's group on every PC?
>>

> I am missing something here, by default the "domain admins" group is a
> member of
> the local "administrators" group.
> --
> Dave Mills


Good point. That's default anyway with a joined machine. I overlooked that.
Hmm...

So I wonder why the domain admin group is no longer part of the joined
machine's local admin group.

Ace
 
Dusko Savatovic


>> I am missing something here, by default the "domain admins" group is a
>> member of
>> the local "administrators" group.
>> --
>> Dave Mills

>
> Good point. That's default anyway with a joined machine. I overlooked
> that. Hmm...
>
> So I wonder why the domain admin group is no longer part of the joined
> machine's local admin group.
>
> Ace
Local admin can remove Domain Admins from Local administrators group.
 
Ace Fekay [MCT]

"Dusko Savatovic" wrote in message
news:euMasDHRKHA.1268@TK2MSFTNGP04.phx.gbl...
>
>>> I am missing something here, by default the "domain admins" group is a
>>> member of
>>> the local "administrators" group.
>>> --
>>> Dave Mills

>>
>> Good point. That's default anyway with a joined machine. I overlooked
>> that. Hmm...
>>
>> So I wonder why the domain admin group is no longer part of the joined
>> machine's local admin group.
>>
>> Ace
>
> Local admin can remove Domain Admins from Local administrators group.
>
>


Good point. Restricted groups will definitely eliminate this possibility.
:)

Ace
 
DaveMills

On Sat, 3 Oct 2009 23:31:47 +0200, "Dusko Savatovic"
wrote:

>
>>> I am missing something here, by default the "domain admins" group is a
>>> member of
>>> the local "administrators" group.
>>> --
>>> Dave Mills

>>
>> Good point. That's default anyway with a joined machine. I overlooked
>> that. Hmm...
>>
>> So I wonder why the domain admin group is no longer part of the joined
>> machine's local admin group.
>>
>> Ace
>Local admin can remove Domain Admins from Local administrators group.
>
Also sounds like a disciplinary issue more than a technical one.

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
JohnB

I'm wondering if I don't have some kind of Active Directory problem.
What brought this on was I was trying to browse the hidden share on a PC on
the network using \\IP_Address\C$
And I was prompted with a username and password, and my domain admin account
was rejected with "invalid logon" or something to that effect.



"Ace Fekay [MCT]" wrote in message
news:%23gv5hSDRKHA.488@TK2MSFTNGP05.phx.gbl...
> "DaveMills" wrote in message
> news:vn1ec5ppittl48n8jjbbmfts2l6a4ol34l@4ax.com...
>> On Fri, 2 Oct 2009 08:50:17 -0400, "JohnB" wrote:
>>
>>>Is there a way, with a GPO, that I can add the Domain Admins group to the
>>>Local Administrator's group on every PC?
>>>

>> I am missing something here, by default the "domain admins" group is a
>> member of
>> the local "administrators" group.
>> --
>> Dave Mills
>
>
> Good point. That's default anyway with a joined machine. I overlooked
> that. Hmm...
>
> So I wonder why the domain admin group is no longer part of the joined
> machine's local admin group.
>
> Ace
>
 
DaveMills

On Sun, 4 Oct 2009 15:28:30 -0400, "JohnB" wrote:

>I'm wondering if I don't have some kind of Active Directory problem.
>What brought this on was I was trying to browse the hidden share on a PC on
>the network using \\IP_Address\C$
>And I was prompted with a username and password, and my domain admin account
>was rejected with "invalid logon" or something to that effect.


This can be caused if the trust between the client and AD is broken. Did you
actually check the membership of the Administrators group?

>
>
>
>"Ace Fekay [MCT]" wrote in message
>news:%23gv5hSDRKHA.488@TK2MSFTNGP05.phx.gbl...
>> "DaveMills" wrote in message
>> news:vn1ec5ppittl48n8jjbbmfts2l6a4ol34l@4ax.com...
>>> On Fri, 2 Oct 2009 08:50:17 -0400, "JohnB" wrote:
>>>
>>>>Is there a way, with a GPO, that I can add the Domain Admins group to the
>>>>Local Administrator's group on every PC?
>>>>
>>> I am missing something here, by default the "domain admins" group is a
>>> member of
>>> the local "administrators" group.
>>> --
>>> Dave Mills

>>
>>
>> Good point. That's default anyway with a joined machine. I overlooked
>> that. Hmm...
>>
>> So I wonder why the domain admin group is no longer part of the joined
>> machine's local admin group.
>>
>> Ace
>>
>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
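Ace's verification step (look in Computer Management to see whether the domain group shows up, grayed out, in the local Administrators group) and Dave's question about whether the Administrators membership was actually checked come down to the same audit. The PowerShell script below is an added example, not code from any poster in this thread. It reads the local Administrators group on a list of computers through the WinNT ADSI provider (which works against XP-era clients as well as current ones) and reports whether DOMAIN\Domain Admins is still a member. The computer names PC01 and PC02 and the domain name CONTOSO are placeholders to replace; it assumes the account running it can read local groups on the targets.

```powershell
# Added example (not from the thread): audit the local Administrators group on
# one or more computers and report whether Domain Admins is still a member.
# Assumes: the running account can read local groups on each target, and the
# $Computers / $DomainNetBIOS defaults are placeholders you replace.
param(
    [string[]]$Computers     = @('PC01', 'PC02'),   # placeholder host names
    [string]$DomainNetBIOS   = 'CONTOSO',           # placeholder NetBIOS domain name
    [string]$ExpectedGroup   = 'Domain Admins'
)

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    # WinNT provider path to the target's local Administrators group
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Enumerate members and read each one's ADsPath via late-bound COM call
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://CONTOSO/Domain Admins; normalise to DOMAIN\Name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($c in $Computers) {
    try {
        $members = Get-LocalAdminMembers -ComputerName $c
        # -contains is case-insensitive, so CONTOSO\domain admins also matches
        $present = $members -contains "$DomainNetBIOS\$ExpectedGroup"
        New-Object PSObject -Property @{
            Computer        = $c
            HasDomainAdmins = $present
            Members         = ($members -join '; ')
        }
    } catch {
        # Unreachable host, broken trust, or no rights to read local groups:
        # report the row and keep going rather than aborting the whole audit
        New-Object PSObject -Property @{
            Computer        = $c
            HasDomainAdmins = $null
            Members         = "ERROR: $($_.Exception.Message)"
        }
    }
}
```

Run it from an administrative workstation; a host whose local Administrators group no longer contains Domain Admins shows HasDomainAdmins as False, and a host that refuses the domain credentials (as in the \\IP_Address\C$ test described above) shows up as an ERROR row rather than silently passing. When you then enforce membership with Restricted Groups, note that the "Members of this group" setting replaces the local group's entire membership with what you list, whereas "This group is a member of" adds the domain group without removing existing local members; the former is what eliminates the "local admin removed Domain Admins" case, but it also removes any other accounts you did not list.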
 
JohnB

I haven't checked. I still don't know which PC it is.


"DaveMills" wrote in message
news:df4ic59pvb0uepj0cn8k7h4n5eiid185mf@4ax.com...
> On Sun, 4 Oct 2009 15:28:30 -0400, "JohnB" wrote:
>
>>I'm wondering if I don't have some kind of Active Directory problem.
>>What brought this on was I was trying to browse the hidden share on a PC
>>on
>>the network using \\IP_Address\C$
>>And I was prompted with a username and password, and my domain admin
>>account
>>was rejected with "invalid logon" or something to that effect.

>
> This can be caused if the trust between the client and AD is broken. Did
> you
> actually check the membership of the Administrators group?
>
>>
>>
>>
>>"Ace Fekay [MCT]" wrote in message
>>news:%23gv5hSDRKHA.488@TK2MSFTNGP05.phx.gbl...
>>> "DaveMills" wrote in message
>>> news:vn1ec5ppittl48n8jjbbmfts2l6a4ol34l@4ax.com...
>>>> On Fri, 2 Oct 2009 08:50:17 -0400, "JohnB" wrote:
>>>>
>>>>>Is there a way, with a GPO, that I can add the Domain Admins group to
>>>>>the
>>>>>Local Administrator's group on every PC?
>>>>>
>>>> I am missing something here, by default the "domain admins" group is a
>>>> member of
>>>> the local "administrators" group.
>>>> --
>>>> Dave Mills
>>>
>>>
>>> Good point. That's default anyway with a joined machine. I overlooked
>>> that. Hmm...
>>>
>>> So I wonder why the domain admin group is no longer part of the joined
>>> machine's local admin group.
>>>
>>> Ace
>>>

>>
> --
> Dave Mills
> There are 10 types of people, those that understand binary and those that
> don't.
 
Ace Fekay [MCT]

"JohnB" wrote in message
news:%23z%23ulCVRKHA.4020@TK2MSFTNGP05.phx.gbl...
>I haven't checked. I still don't know which PC it is.
>
>


Did you provide credentials in the form of domainname\administrator or just
administrator?

Ace
 
JohnB

That computer is offline this morning. Which helps a little in narrowing
down where it is, that building is closed on Mondays.
I noticed that there were quite a few records in DNS with multiple hosts for
the same IP. Usually 2 for a particular host. Scavenging wasn't enabled, I
enabled it and have it set to 7 days. So I don't know, maybe that is
somehow related to the possible Active Directory problem with that PC.




"Ace Fekay [MCT]" wrote in message
news:OgjZ7VXRKHA.352@TK2MSFTNGP02.phx.gbl...
> "JohnB" wrote in message
> news:%23z%23ulCVRKHA.4020@TK2MSFTNGP05.phx.gbl...
>>I haven't checked. I still don't know which PC it is.
>>
>>

>
> Did you provide credentials in the form of domainname\administrator or
> just administrator?
>
> Ace
>
>
>
 
Ace Fekay [MCT]

"JohnB" wrote in message
news:uSQRfbbRKHA.4568@TK2MSFTNGP06.phx.gbl...
> That computer is offline this morning. Which helps a little in narrowing
> down where it is, that building is closed on Mondays.
> I noticed that there were quite a few records in DNS with multiple hosts
> for the same IP. Usually 2 for a particular host. Scavenging wasn't
> enabled, I enabled it and have it set to 7 days. So I don't know, maybe
> that is somehow related to the possible Active Directory problem with that
> PC.
>
>
>


Ok, so that would address whether you are connecting to the correct machine or
not. And scavenging takes about a week or more to get going. But for DHCP
leases, you would also need to provide credentials for DHCP so that it owns
the records it creates in order to update a previous record by a client
machine, otherwise you will continue to get duplicates. Read more on this
and how to set it up:

DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the
DnsProxyUpdate Group
http://msmvps.com/blogs/acefekay/archive/2...date-group.aspx

However, you previously said your credentials were rejected. They should NOT
have been rejected, no matter what machine you connect to that is part of
AD.

So my question still stands, how did you enter the credentials??

Ace
 
JohnB

> So my question still stands, how did you enter the credentials??

Don't remember. That's why I tried it again this morning. I'm not sure if
the domain name was in front of the user name or not. I'll try it again
tomorrow and post back here.


> However, you previously said your credentials were rejected. They should
> NOT have been rejected, no matter what machine you connect to that is part
> of AD.


I've actually seen several that I could not connect to with my Domain Admin
credentials. They're all in a separate building from the main office,
connected via fiber.... same subnet.



>>

>
> Ok, so that would address whether you are connecting to the correct machine
> or not. And scavenging takes about a week or more to get going. But for DHCP
> leases, you would also need to provide credentials for DHCP so that it
> owns the records it creates in order to update a previous record by a
> client machine, otherwise you will continue to get duplicates. Read more
> on this and how to set it up:
>
> DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and
> the DnsProxyUpdate Group
> http://msmvps.com/blogs/acefekay/archive/2...date-group.aspx
>
> However, you previously said your credentials were rejected. They should
> NOT have been rejected, no matter what machine you connect to that is part
> of AD.
>
> So my question still stands, how did you enter the credentials??
>
> Ace
>
>
>
 
Ace Fekay [MCT]

"JohnB" wrote in message
news:uYqdw5bRKHA.3540@TK2MSFTNGP04.phx.gbl...
>> So my question still stands, how did you enter the credentials??

>
> Don't remember. That's why I tried it again this morning. I'm not sure
> if the domain name was in front of the user name or not. I'll try it
> again tomorrow and post back here.

Ok, thanks.

>
>
>> However, you previously said your credentials were rejected. They should
>> NOT have been rejected, no matter what machine you connect to that is
>> part of AD.

>
> I've actually seen several that I could not connect to with my Domain
> Admin credentials. They're all in a separate building from the main
> office, connected via fiber.... same subnet.
>

Different building? Same subnet? Are the two locations simply bridged
(plugged into the same switch)? Curious as to why they weren't made into
separate subnets?

Ace
 
JohnB

>
> Different building? Same subnet? Are the two locations simply bridged
> (plugged into the same switch)? Curious as to why they weren't made into
> separate subnets?
>

Well, honestly... there are a lot of things that are curious about the way
the network is set up here. I just started working here a month ago. The
previous IT guy was terminated. He and the guy before that knew very little
about Active Directory. This is a small company - only about 75 users - so
there's always been 1 IT person.
There are other problems that I need to correct.

But yes, the remote building connects to the main office switch. There's no
router in that building. And having one would probably be overkill, given
the number of computers there.
 
Ace Fekay [MCT]

"JohnB" wrote in message
news:u8oPLWcRKHA.1876@TK2MSFTNGP06.phx.gbl...
> >
>> Different building? Same subnet? Are the two locations simply bridged
>> (plugged into the same switch)? Curious as to why they weren't made into
>> separate subnets?
>>

> Well, honestly... there are a lot of things that are curious about the way
> the network is set up here. I just started working here a month ago. The
> previous IT guy was terminated. He and the guy before that knew very
> little about Active Directory. This is a small company - only about 75
> users - so there's always been 1 IT person.
> There are other problems that I need to correct.
>
> But yes, the remote building connects to the main office switch. There's
> no router in that building. And having one would probably be overkill,
> given the number of computers there.
>


I see. You inherited this. Apparently you need to clean up some things and
straighten out others.

I don't think a router would be overkill. After all, you have a fiber
connection to the other building, right? So why not subnet it with two
routers?

Nonetheless... I assume there are no ARP rules blocking traffic between the
buildings, meaning it's completely wide open. It sounds like you need to
clean up DNS and set up DHCP first. The article I posted should help in that
area.

I would suggest testing connectivity with a known machine; other than that,
you may have to physically go to the other building and check the local
admin group membership, and start from there.

Ace
 