Add permissions for local workstation client

 
 
Terry

 
      03-04-2010
Administrator I want to give a domain user administrative rights to the local
machine. I go to users and groups select the administrators group, click add,
and select from the "Entire Directory" sub: "domain.local" select the user I
need to add.

However on a Small Business Server Domain; a local workstation logged in as
the Domain Administrator if I want to give a domain user administrative
rights to the local machine. I go to users and groups select the
administrators group, click add, there is NO “Entire Directory sub:
domain.local” only the local machine name.
Thus I cannot add a domain user to the administrator group on the local
machine.

Is this unique to Small Business Server or is there a problem with the
network. If this is a network error, can I assume it is a DNS or NetBios
error?
 
Chris M

 
      03-04-2010
On 04/03/2010 12:45, Terry wrote:
> Administrator I want to give a domain user administrative rights to the local
> machine. I go to users and groups select the administrators group, click add,
> and select from the "Entire Directory" sub: "domain.local" select the user I
> need to add.
>
> However on a Small Business Server Domain; a local workstation logged in as
> the Domain Administrator if I want to give a domain user administrative
> rights to the local machine. I go to users and groups select the
> administrators group, click add, there is NO “Entire Directory sub:
> domain.local” only the local machine name.
> Thus I cannot add a domain user to the administrator group on the local
> machine.
>
> Is this unique to Small Business Server or is there a problem with the
> network. If this is a network error, can I assume it is a DNS or NetBios
> error?


It's because it's a domain controller. Domain Controllers have no
concept of 'local groups', at least in 2003 and below anyway. 2008 does
have something called Role Separation which allows you to make people
local administrators of DCs but I believe that they need to be RODCs in
order for this to work.

There is a domain-level BUILTIN\Administrators group but adding someone
to this group is not the same thing as making them a local admin of
the domain controller itself.

--
Chris M.
 
Ace Fekay [MVP-DS, MCT]

 
      03-04-2010
"Terry" <> wrote in message news:59DB2990-521A-496A-9B8D-...
> Administrator I want to give a domain user administrative rights to the local
> machine. I go to users and groups select the administrators group, click add,
> and select from the "Entire Directory" sub: "domain.local" select the user I
> need to add.
>
> However on a Small Business Server Domain; a local workstation logged in as
> the Domain Administrator if I want to give a domain user administrative
> rights to the local machine. I go to users and groups select the
> administrators group, click add, there is NO “Entire Directory sub:
> domain.local” only the local machine name.
> Thus I cannot add a domain user to the administrator group on the local
> machine.
>
> Is this unique to Small Business Server or is there a problem with the
> network. If this is a network error, can I assume it is a DNS or NetBios
> error?



Did you select "Change Location" to choose the domain instead of the local machine?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
 
Chris M

 
      03-04-2010
On 04/03/2010 14:04, Chris M wrote:
> On 04/03/2010 12:45, Terry wrote:
>> Administrator I want to give a domain user administrative rights to
>> the local
>> machine. I go to users and groups select the administrators group,
>> click add,
>> and select from the "Entire Directory" sub: "domain.local" select the
>> user I
>> need to add.
>>
>> However on a Small Business Server Domain; a local workstation logged
>> in as
>> the Domain Administrator if I want to give a domain user administrative
>> rights to the local machine. I go to users and groups select the
>> administrators group, click add, there is NO “Entire Directory sub:
>> domain.local” only the local machine name.
>> Thus I cannot add a domain user to the administrator group on the local
>> machine.
>>
>> Is this unique to Small Business Server or is there a problem with the
>> network. If this is a network error, can I assume it is a DNS or NetBios
>> error?

>
> It's because it's a domain controller. Domain Controllers have no
> concept of 'local groups', at least in 2003 and below anyway. 2008 does
> have something called Role Separation which allows you to make people
> local administrators of DCs but I believe that they need to be RODCs in
> order for this to work.
>
> There is a domain-level BUILTIN\Administrators group but adding someone
> to this group is not the same thing as making them a local admin of
> the domain controller itself.
>


Ignore my post - I misread your original post and assumed you were
logging into the SBS server itself.

Never mind!

--
Chris M.
 
Terry

 
      03-04-2010
Yes,
I selected change location. I could only see the "local" machine not the
entire directory.

I have a screen shot of the "select" location if needed.

"Ace Fekay [MVP-DS, MCT]" wrote:

> "Terry" <> wrote in message news:59DB2990-521A-496A-9B8D-...
> > Administrator I want to give a domain user administrative rights to the local
> > machine. I go to users and groups select the administrators group, click add,
> > and select from the "Entire Directory" sub: "domain.local" select the user I
> > need to add.
> >
> > However on a Small Business Server Domain; a local workstation logged in as
> > the Domain Administrator if I want to give a domain user administrative
> > rights to the local machine. I go to users and groups select the
> > administrators group, click add, there is NO “Entire Directory sub:
> > domain.local” only the local machine name.
> > Thus I cannot add a domain user to the administrator group on the local
> > machine.
> >
> > Is this unique to Small Business Server or is there a problem with the
> > network. If this is a network error, can I assume it is a DNS or NetBios
> > error?

>
>
> Did you select "Change Location" to choose the domain instead of the local machine?
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
> .
>

 
Ace Fekay [MVP-DS, MCT]

 
      03-04-2010
"Terry" <> wrote in message news:54E683C0-DC40-42E6-B6D2-...
> Yes,
> I selected change location. I could only see the "local" machine not the
> entire directory.
>
> I have a screen shot of the "select" location if needed.
>


Sure, please post it to a photo sharing site and provide the link here.

Also, please post an ipconfig /all from this workstation and of your domain controller. I have a feeling there is a misconfig going on. Please also post any event log errors EventID# and Source names from the workstation and domain controller's event logs.

Ace


 
Terry

 
      03-05-2010
Ace - Thanks for your replies

I agree there is something not correct. Since there is no data on the server
and only 10 users, I have decided to rebuild the system.

Thanks again

"Ace Fekay [MVP-DS, MCT]" wrote:

> "Terry" <> wrote in message news:54E683C0-DC40-42E6-B6D2-...
> > Yes,
> > I selected change location. I could only see the "local" machine not the
> > entire directory.
> >
> > I have a screen shot of the "select" location if needed.
> >

>
> Sure, please post it to a photo sharing site and provide the link here.
>
> Also, please post an ipconfig /all from this workstation and of your domain controller. I have a feeling there is a misconfig going on. Please also post any event log errors EventID# and Source names from the workstation and domain controller's event logs.
>
> Ace
>
>
> .
>

 
Ace Fekay [MVP-DS, MCT]

 
      03-05-2010
"Terry" <> wrote in message news:BAE56E11-AB4F-40F2-AB09-...
> Ace - Thanks for your replies
>
> I agree there is something not correct. Since there is no data on the server
> and only 10 users, I have decided to rebuild the system.
>
> Thanks again
>



Rebuilding it when it could only be a minor setting, is not the normal resolution response. However, if I can't talk you out of it, I wish you luck. It would be better that you can figure out what is going on in order to understand the issue if it reappears in the future. That was why I was asking for ipconfigs. You can rebuild it using the same mis-configurations, still have a problem, and we've learned nothing.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
 
Terry

 
      03-06-2010
Unfortunately my problem still exists; I still cannot add local rights for a
domain user. Assuming it was a server problem I rebuilt the server (SBS
2003), configured users and an administrator. Logged on to a local
workstation (XP Pro) as a local administrator and joined the new domain just
fine. Logged off as administrator and on as a domain user on the workstation
without problem. I then logged on as the domain administrator and tried to
add the domain user as a local administrator, I could not, again! Again I
could not choose users from the domain directory only the local machine. (see
image) Still logged on as domain admin I could not see the server or shared
folders on the server unless I searched for the server by name. I could ping
it by name and IP, all antivirus and firewalls are turned off.

So I brought in a workstation (XP Pro) that worked fine on another domain.
Joined this problem domain just fine, and added the domain user to the local
workstation administrators’ just fine.

What can be configured wrong on all these existing workstations that I’m not
seeing?

You can see images here
http://eriemetroparks.com/Network/default.html

The ipconfig shows for the workstation

the IP of 192.168.1.21
subnet of 255.255.255.0
gateway of 192.168.1.1

DNS of 192.168.1.10
72.240.13.5

The server is

IP of server 192.168.1.10
subnet of 255.255.255.0
gateway of 192.168.1.1

DNS of 72.240.13.5
209.143.0.0

"Ace Fekay [MVP-DS, MCT]" wrote:

> "Terry" <> wrote in message news:BAE56E11-AB4F-40F2-AB09-...
> > Ace - Thanks for your replies
> >
> > I agree there is something not correct. Since there is no data on the server
> > and only 10 users, I have decided to rebuild the system.
> >
> > Thanks again
> >

>
>
> Rebuilding it when it could only be a minor setting, is not the normal resolution response. However, if I can't talk you out of it, I wish you luck. It would be better that you can figure out what is going on in order to understand the issue if it reappears in the future. That was why I was asking for ipconfigs. You can rebuild it using the same mis-configurations, still have a problem, and we've learned nothing.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
> .
>

 
Ace Fekay [MVP-DS, MCT]

 
      03-07-2010
"Terry" <> wrote in message news:29AE2AD2-476C-4A33-A1FE-...
> Unfortunately my problem still exists; I still cannot add local rights for a
> domain user. Assuming it was a server problem I rebuilt the server (SBS
> 2003), configured users and an administrator. Logged on to a local
> workstation (XP Pro) as a local administrator and joined the new domain just
> fine. Logged off as administrator and on as a domain user on the workstation
> without problem. I then logged on as the domain administrator and tried to
> add the domain user as a local administrator, I could not, again! Again I
> could not choose users from the domain directory only the local machine. (see
> image) Still logged on as domain admin I could not see the server or shared
> folders on the server unless I searched for the server by name. I could ping
> it by name and IP, all antivirus and firewalls are turned off.
>
> So I brought in a workstation (XP Pro) that worked fine on another domain.
> Joined this problem domain just fine, and added the domain user to the local
> workstation administrators’ just fine.
>
> What can be configured wrong on all these existing workstations that I’m not
> seeing?
>
> You can see images here
> http://eriemetroparks.com/Network/default.html
>
> The ipconfig shows for the workstation
>
> the IP of 192.168.1.21
> subnet of 255.255.255.0
> gateway of 192.168.1.1
>
> DNS of 192.168.1.10
> 72.240.13.5
>
> The server is
>
> IP of server 192.168.1.10
> subnet of 255.255.255.0
> gateway of 192.168.1.1
>
> DNS of 72.240.13.5
> 209.143.0.0
>



Ah, I see the problem. It can't find the domain, that's why. The reason is the workstation is using a DNS IP of 72.240.13.5, which is NOT the SBS server. It is essentially asking the DNS server at 72.240.13.5, "where is my domain controller?" Unfortunately it does not have that answer.

With the SBS using 72.240.13.5 and 209.143.0.0, it can't even find itself! And that IP 209.143.0.0, is not really an IP, rather it's a subnet ID. I don't know where you got that IP from.

Recommendations to fix everything:
1. Remove all references of 72.240.13.5 and 209.143.0.0. If you are using DHCP, in DHCP console, Scope Option 006, remove those addresses and only show 192.168.1.10.

2. For DNS address, ONLY use 192.168.1.10 on all machines' interfaces.

3. For efficient internet resolution, create a Forwarder. In SBS, DNS console, DNS servername properties, Forwarders Tab, create a Forwarder using 72.240.13.5. If you are not sure how to do this, the following article shows you how.

HOW TO Configure DNS for Internet Access in Windows Server 2003 (including how to configure a Forwarder) :
http://support.microsoft.com/?id=323380

4. Restart the SBS, then restart your workstations.

5. I assume the SBS only has one NIC. If it has two, it's highly suggested to disable the outer NIC and only use one NIC, and rely on your edge router for internet access and NAT translation.

After restarting everything, try your tasks again and report back, please.

Ace


reconfigure ALL machine
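
The DNS diagnosis in the reply above, as an added example that is not part of the original thread: a Python check that reads `ipconfig /all` output and flags every DNS server entry that is not the domain controller. The sample output is constructed from the addresses posted in the thread; the function names and the /24 prefix used to spot a network ID are assumptions.

```python
import ipaddress

# Constructed samples in the "ipconfig /all" layout, using the thread's addresses.
WORKSTATION = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.21
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            72.240.13.5
"""
SERVER = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 72.240.13.5
                                            209.143.0.0
"""

def dns_servers(ipconfig_text):
    """Return the DNS server list, including unlabeled continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        label, sep, value = line.partition(" : ")
        if sep:                              # a "Label . . . : value" line
            in_dns = label.strip().startswith("DNS Servers")
            if in_dns:
                servers.append(value.strip())
        elif in_dns and line.strip():        # continuation: bare address
            servers.append(line.strip())
        else:                                # blank line or adapter header
            in_dns = False
    return servers

def audit(ipconfig_text, dc_ip, assumed_prefix=24):
    """Flag each DNS entry that is not the domain controller (dc_ip)."""
    findings = []
    for entry in dns_servers(ipconfig_text):
        addr = ipaddress.ip_address(entry)
        if addr == ipaddress.ip_address(dc_ip):
            continue
        # Assumption: a /24 mask decides whether the entry is a network ID.
        net = ipaddress.ip_network(f"{entry}/{assumed_prefix}", strict=False)
        if addr == net.network_address:
            findings.append((entry, "network ID, not a host address"))
        elif not addr.is_private:
            findings.append((entry, "external resolver, cannot locate the DC"))
        else:
            findings.append((entry, "internal address that is not the DC"))
    return findings

if __name__ == "__main__":
    for name, text in (("workstation", WORKSTATION), ("server", SERVER)):
        print(name, audit(text, "192.168.1.10"))
```

An empty result for every machine corresponds to recommendation 2 in the reply: 192.168.1.10 as the only DNS address on each interface.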
 