add domain user rights to local windows xp

Status
Not open for further replies.

twospoons

IS-IT--Management
Jan 7, 2003
US
I have a Win2K Server setup as PDC / AD. All my users have accounts on the PDC. Most of the workstations were Win98 and now we have begun replacing them with WinXP Pro. I want to add the domain user account to each machine to give each user full access to their own c:\ to install programs, updates, etc...

When I go right click c:\ --> properties --> security, then click add, the location only shows the local machine name. I have added and removed the machine from the domain several times via right click my computer --> computer name --> network id (and just the change button)... I have tried adding the domain users in the control panel --> user manager locally, through the computer manager --> users and groups, and through the system properties --> network id... sometimes the domain user will show up under the user manager, but it does not show up when I go to the security properties of drive c:\.

I was able to get this to work on one WinXP machine... I followed the exact same steps on two others, and when I click the locations button in the security properties of drive c:\, it only lists the local machine. Why can I not browse the domain?

Help please.
twospoons@hotmail.com
 
You will either need to add them to the local power users or admin group to give them install rights. On the local machine log on as the administrator and go to your control panel. Double click on admin tools and then on Computer Management. Click on the plus next to Local users or groups and then on the plus next to the groups folder. Double Click the group that you want to add them to. Click on the add button.
There will be three text boxes in the window that pops up. At some point in this procedure you will need to enter the username and password of the domain administrator in a pop up window to verify that you have the rights to do this. In the first verify that users or groups is listed. If not, then choose it by selecting object types. The second window should contain your domain name for the location. Finally in the third window type in domainname\username for the user that you are adding. Click OK all the way out and have the user log in.
 
that's the problem, the second window that you are talking about doesn't show up. when i click the location button to change it from the local machine to the domain, the domain is not listed. i have tried typing in the domain\username and get an error that it can't find the domain. yes i am connected to the domain, i'm logged in as the domain admin, i have tried removing and adding the local machine back into the domain, i can verify that the computer is listed in the domain on the PDC, i can verify that the system properties --> network says i'm in the domain, when i add the machine to the domain it says welcome to domain.com, restart, try to add user, still can't see the domain listed in the location box of the add user dialog.
 
Twospoons,
Leave the XP workstation logged in and go to your domain server. Right Click on my computer and select manage. Click on the Actions menu and choose connect to another computer. Type in the XP Workstations name. Does it let you connect? If so try and add the user from there.
 
thanks for the help so far, i tried connecting to the xp machine from the PDC, i selected the workstation name from the list and get error message "Computer-Name.domain.com cannot be managed, the network path was not found." does something need to be configured on the workstation to allow access?
 
can anyone tell me how to turn on remote management for windows xp pro?
 
anyone??? i'm still having problems with this??? please help.
 
twospoons,
Have you compared the services that are running on the machine that worked to the machine that isn't? I think remote management is located there.
 
I had this problem with 2000 pro. I did this: control panel users and passwords. Click advanced and then double click groups. Double click the group you want to add them to and then click add. Look at the look in drop down and see if the domain appears. If so just look there. Worked for me. Good luck
 
make sure when you are connecting to the workstation that the PC is logged in under a domain user, and is properly added to the domain. If it isn't properly joined to the domain, or if you are logged in as a local user, remote management won't work properly.

 
kmills, both xp computers came from dell brand new... all the same services running.

probeselector, i have tried the advanced options for adding users (have not specifically tried the groups in the exact steps you suggest, but i will try that), the problem is that the domain does not show up as a location option.

cameramonkey, yes the domain admin is logged in on the workstation, and yes i believe it is properly added to the domain. besides it doesn't have to be a member of a domain for remote admin. i have tested this on an xp pro computer that is only a member of a workgroup and remote admin works.

any other suggestions???
 
Take a look at this
Adding a Domain Account to a Local Machine Group



In the document about joining a Windows 2000 workstation to the ADS domain, we mentioned that you need to put the user’s domain account into one of the Groups on the local machine. If you don’t do this, the user will not be able to log into the local machine with her/his domain account credential. While that may cut back on some of your support calls, it probably doesn’t do much for employee productivity.

Log in to the local workstation using the Administrator account on the local workstation (NOT an ADS domain account).

Right-click on the My Computer icon, and select Manage from the pop-up menu.

You will be in the Computer Management MMC. Look under Computer Management (Local) -> System Tools and expand Local Users and Groups.



Click on Users, to display the user accounts that are defined on the Local Machine. These are NOT domain accounts. In the window below, you can see that there is a user account defined for cx0156; this account exists ONLY on the local machine, and the ADS domain does not know that it exists.



Now click on Groups. You will need to pick a group to put the ADS domain account of the user in. If you put the user’s domain account in the Administrators group, the user will have full rights on the local machine; you may not want your users to have those capabilities, in which case you’ll want to choose a more restrictive group such as Power Users.

Notice at this point that the local machine account for cx0156 is in the Power Users group at this point, but the domain account is not.



In the group that you selected (in this example, Power Users), hit the Add button to bring up the Select Users or Groups window. By default the Look In box will show the local machine name.



Change the Look In box from the local machine name to ADS using the drop-down selection list. You may see a window titled Enter Network Password. This window appears because you are logged into the local machine as Administrator but are trying to access domain resources, and the local Administrator account has NO rights in the domain. Fill in your domain account information and hit the OK button.



The list of domain user accounts will begin to fill. Be patient here, since loading more than 8,000 accounts takes a bit of time. Scroll through the list until you find the user’s account, then select it and hit the Add button. In the bottom of the Select Users or Groups window, hit the OK button.



Now notice that there are two accounts in the Power Users group: the local machine account (cx0156) and the domain account (ADS\cx0156).



IMPORTANT: When you joined the workstation to the domain, by default the ADS Domain Admins group was placed in the workstation's Administrators group. You may want to remove the Domain Admins group so that members of that group do not have Administrative rights on the local machine. In the Groups window, double click on the Administrators group. Select the ADS\Domain Admins group, and hit the Remove button.




You may want to add in the domain account for one or more of your LAN admins, so that you have a way of logging into the machine if the user has problems. You can repeat the process described above to add your domain account to the Administrators group on the local machine.

You can now hit the OK button on the Group Properties page, and then exit the Computer Management Console.

At this point, you can log out of the machine and log back in, this time using the user’s ADS account and password. Windows will create a profile for the new domain account, and then you can begin to configure the user’s applications.

If you have questions about any of this, please call the Customer Support Center at 444-2000 and open a problem ticket. We’ll gladly do our best to answer your questions and resolve any problems that have popped up.
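
The Computer Management steps in the document pasted above can also be scripted. This is an added example, not part of the original post or the quoted document; it assumes Windows PowerShell is installed on the workstation and run from a local administrator session, and it uses the document's sample domain ADS and account cx0156 as defaults.

```powershell
# Added example, not from the thread. 'ADS' and 'cx0156' are the sample domain
# and account from the pasted document; substitute your own values.
param(
    [string]$Domain  = 'ADS',
    [string]$Account = 'cx0156',
    [string]$Group   = 'Power Users'
)

$computer = $env:COMPUTERNAME

function Get-GroupMemberPath {
    param([string]$GroupName)
    $g = [ADSI]"WinNT://$computer/$GroupName,group"
    # Members() yields COM objects, so ADsPath is read through reflection.
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

$target = "WinNT://$Domain/$Account"

# Add the domain account only if it is not already a member (idempotent).
if ((Get-GroupMemberPath $Group) -contains $target) {
    Write-Output "$Domain\$Account is already in '$Group'."
} else {
    try {
        ([ADSI]"WinNT://$computer/$Group,group").Add("$target,user")
        Write-Output "Added $Domain\$Account to '$Group'."
    } catch {
        # A domain that cannot be located from this workstation fails here,
        # the scripted counterpart of the domain missing from the Look In box.
        Write-Warning "Could not add $Domain\$Account : $($_.Exception.Message)"
    }
}

# Report domain principals holding local Administrators rights, including the
# Domain Admins entry that joining the domain adds by default. On a joined
# machine local accounts appear as WinNT://DOMAIN/COMPUTER/name and are skipped.
Get-GroupMemberPath 'Administrators' |
    Where-Object { $_ -like "WinNT://$Domain/*" -and
                   $_ -notlike "WinNT://$Domain/$computer/*" } |
    ForEach-Object { Write-Output "Local Administrators member: $_" }
```

The final report only lists the domain entries in the local Administrators group; removing Domain Admins, as the IMPORTANT note suggests, is left as a deliberate manual decision.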


 
thank you for the info... but once again the problem is that the location box only displays the local machine. how can i force it to browse the domain/ads???

 
You said that you are sure that you added the machine to the domain, have you tried to log on as local administrator and as domain administrator?
 
yes, i have tried as domain admin and local admin
 
Correct me if i am wrong: you need to give the local machine user admin rights for the c:\?
 
the end goal is to give the domain user account admin rights to the local c:\
 
Have you added the users to the administrators group on the domain controller?
 
the one machine that i got this to work with the user is setup as a domain user and local admin...

the one that isn't working the user is domain admin and i'm trying to get local admin.
 
Again have you added this user to the admin group on the domain controller?
 