Add domain user\group to local admin group problem

Discussion in 'Active Directory' started by DangerMaus, Dec 10, 2008.

  1. DangerMaus

    DangerMaus Guest

    I have two Windows Server 2008 servers. One is a DC and the other is a member
    server. I created a global security group in AD and tried to add it as a
    member of the local Administrators group of the member server. I am able to
    add it but if I open it back up the group is not listed. I have tried two
    other tests and if I click Apply instead of OK the domain group\user
    disappears instantly.
    If I try to add the same domain group\user it says that they are already
    members once I click OK\Apply.
    Any ideas?
    -dm
     
    DangerMaus, Dec 10, 2008
    #1

  2. DangerMaus

    DangerMaus Guest

    More info:
    I am running these both as Virtual Machines in Virtual Server 2005 R2 SP1.
    They are both differencing disks built from the same parent disk (the parent
    is a base install of Server 2008). I sysprepped the member server before
    joining it to the domain.
    I have since added a third member server (built from same parent disk and
    sysprepped as well) with the same results. I tried doing it with a Vista
    member server and had no problem.

    -dm
     
    DangerMaus, Dec 11, 2008
    #2

  3. Restricted Groups in Group Policy can enforce the membership in local
    Administrators groups. It sounds like this is happening to you. There are
    several kb articles on this, such as:

    http://technet.microsoft.com/en-us/library/cc756802.aspx
     
    Richard Mueller [MVP], Dec 11, 2008
    #3
  4. Jorge Silva

    Jorge Silva Guest

    Hi
    can you describe the exact steps?

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Jorge Silva, Dec 11, 2008
    #4
  5. DangerMaus

    DangerMaus Guest

    This is a fresh install with no custom setting in AD. I checked and I didn't
    see any Restricted Groups configured in the default domain policy.

    -dm
     
    DangerMaus, Dec 11, 2008
    #5
  6. DangerMaus

    DangerMaus Guest

    So I have a default install of Server 2008 with ADDS role added (using 2008
    functional level). The Windows 2008 member server is a default install as
    well.
    On the DC, I create a global security group in AD, create a new user and add
    it to that group.
    On the member server, I open Server Manager, expand Local Users and Groups,
    open the properties of the local Administrators group, and add the Group from
    AD.
    If I immediately click OK and then open the properties of the local
    administrators group it does not list the AD group I added.
    I have rebooted my VMs and checked the group membership after an hour or
    more just in case and still no group.
    Now if I try to add the group again it will let me, but once I click OK it
    will then say that the AD group is already a member of the local
    Administrators group.
    I think that is it but let me know if you need more info.
    -dm
     
    DangerMaus, Dec 11, 2008
    #6
  7. Curious, what functional mode is the domain in?

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly.
    Please check http://support.microsoft.com for regional support phone
    numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Dec 11, 2008
    #7
  8. Hello DangerMaus,

    If I follow your steps I cannot reproduce your problem. It works as expected
    in my test domain. Functional level is also 2008.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Dec 11, 2008
    #8
  9. DangerMaus

    DangerMaus Guest

    Functional level is Server 2008.

    -dm

     
    DangerMaus, Dec 11, 2008
    #9
  10. Jorge Silva

    Jorge Silva Guest

    Ok, can you try to remove that member server from the domain and re-add it
    again? then test.
    Also check if you have errors in eventvwr.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Jorge Silva, Dec 11, 2008
    #10
  11. FYI, I tried and could not reproduce the issue in a classroom environment.
    Functional level also 2008.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Dec 15, 2008
    #11
  12. Clones? Did you sysprep the machines first or simply add a clone with
    identical SIDs? Sysprep will force the installation to create a brand new
    SID for all components that have a SID associated to its identity. If not,
    I can see why this may be happening and why I cannot reproduce it.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly.
    Please check http://support.microsoft.com for regional support phone
    numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Dec 24, 2008
    #12
  13. Hello all. I have the same issue and I did sysprep the VMs. My VMs are TechNet licenced, BTW. If you guys have any ideas or workaround on what can be happening, please advise.

    I will try to create a VM from scratch and add it to the domain and see if the same behavior happens; I'll let you know.

    Thanks,


    Guillermo




    Previous Posts In This Thread:

    Re: Add domain usergroup to local admin group problem
    Maybe this has something to do with licensing issue? Not
    enough client access license maybe?

    Re: Add domain usergroup to local admin group problem
    the same storage based virtual xen server environment. I can add the
    domain user to the local admin groups on one of the windows 2008
    member server (this member server is also virtual machine on the same
    storage), but the domain user doesn't show up in the local admin group
    window and because of that this domain user doesn't have admin rights
    on the local server, trying to re-add again to the local admin group
    says "this user is already member of this group", any
    ideas?

    Re: Add domain usergroup to local admin group problem
    installing all the servers separately not using the clones, looks
    like this is the issue with virtual environment.
     
    Guillermo Taylor, Oct 15, 2009
    #13
  14. Guillermo,

    This thread is so long, I am not sure exactly what 'same' problem you are
    having. Is it based on the original thread's subject line:
    "Re: Add domain usergroup to local admin group problem"?

    If not, it will also be helpful to specifically state what exact problem
    you are seeing.

    As far as Sysprep, it's always a good practice to use Sysprep to ensure each
    machine has its own unique SID, however you will need to use a VL (Volume
    License) copy of the operating system, and not something such as a retail
    version, or TechNet, unless it is an MAK (Multiple Activation). Retail
    versions and single installation TechNet copies are limited to one
    activation and will be useless with Sysprep.

    Ace



     
    Ace Fekay [MCT], Oct 16, 2009
    #14
  15. Hello Ace Fekay [MCT],

    The last weeks some posters, or maybe one with different names???, are posting
    in this format with pointing to some really old postings. I have tried to
    inform them/he/she??? to better use their own one and describe their own
    situation with all relevant information. I have the same thoughts as you
    have, if the problem description really applies to the poster.

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Oct 16, 2009
    #15

  16. I know what you mean. It's an uphill battle trying to explain it! Hopefully
    the poster will respond with specifics. :)

    Ace
     
    Ace Fekay [MCT], Oct 16, 2009
    #16
  17. kinsja

    Solution

    Hi, the reason you are getting this issue is related to duplicate SIDs. In general duplicate SIDs are not a problem. The only time you will find it causing issues (exactly as you are seeing) is when the domain SID and the machine SIDs are identical. Did you clone all servers from the same image, including the domain controller? If so, what has happened is that the domain SID (created from the server first promoted to a DC) is identical to the member servers. Run psgetsid against the domain controller and the server in question and you will probably find they are identical.

    Hope this helps.
     
    kinsja, Feb 2, 2010
    #17
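
The comparison kinsja describes above can also be scripted without psgetsid; the following is an added example, not part of the original thread or any poster's code. It assumes a session logged on with a domain account, WMI access to each listed server, and function names that are purely illustrative.

```powershell
# Added example: report whether a member server's machine SID equals the
# domain SID. Function names are hypothetical, chosen for this illustration.

function Get-MachineSid {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Local accounts have SIDs of the form <machine SID>-<RID>. The built-in
    # local Administrator always has RID 500, so dropping the RID from its
    # SID leaves the machine SID.
    $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    if (-not $admin) { throw "No local RID 500 account found on $ComputerName" }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($admin.SID)
    $sid.AccountDomainSid.Value
}

function Get-DomainSid {
    # With a local logon the user's SID is built on the machine SID, which
    # would make the comparison below meaningless.
    if ($env:USERDOMAIN -eq $env:COMPUTERNAME) {
        throw 'Logged on with a local account; use a domain account.'
    }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $me.User.AccountDomainSid.Value
}

function Test-SidCollision {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    $domainSid = Get-DomainSid
    foreach ($name in $ComputerName) {
        $machineSid = Get-MachineSid -ComputerName $name
        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Computer   -Value $name
        $row | Add-Member -MemberType NoteProperty -Name MachineSid -Value $machineSid
        $row | Add-Member -MemberType NoteProperty -Name DomainSid  -Value $domainSid
        # True means the server shares its SID with the domain (cloned image).
        $row | Add-Member -MemberType NoteProperty -Name Collision  -Value ($machineSid -eq $domainSid)
        $row
    }
}

# Check the local member server; pass several names to check every clone.
Test-SidCollision | Format-List
```

A `Collision` value of `True` for a member server is the condition described in post #17: the image the server was built from is the same one the first domain controller was promoted from.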
  19. srikanth t

    srikanth t Guest

    I had the same issue. This has been resolved by installing each VM from scratch (not by cloning the VHD file which I've done earlier)

    -st
     
    srikanth t, Nov 9, 2010
    #19