
How do I add to PowerUsers group from AD Server?

Status
Not open for further replies.

ccdriver

Instructor
Apr 25, 2002
I created a group on the Windows 2000 Server with Active Directory. (We are all new at AD. We've used NT4.0 for the last 2 years.) The reason for this is I need to allow non-Admin accounts to use some "legacy" programs such as Adobe PageMaker. (It won't launch unless a PowerUser or above logs on.)

What I'd like to do is make this "group" I created be PowerUsers on our newer workstations which have Windows XP Pro. Since this is an Active Directory (previously just a domain) I wasn't able to do it from the workstations so I assume it can only be done from the server.

I'd appreciate any help on this.
 
Add the domain\groupname to the local computers' power users group.
 
At the workstation when I tried to do that, at some point you get the box labeled location, but there is nothing to choose except for the name of the local computer I'm at so I thought I had to do it from the server. In other words, I can't even choose the domain or AD as the location of the account or group since the domain is not listed.

Maybe something is "screwed up" at the server so I'm not able to browse the domain account names from the workstation even though I'm logged on to the domain as Administrator.

Any ideas?
 
You should be able to do this manually.

domain\groupname
 
Actually, I've tried entering it manually and then it pops a message that the object named "domain\group" is not from a domain listed in the Select Location dialog box, and is therefore not valid. (Of course I had put the REAL domain name and group name.)

Very frustrating to say the least. Can you think of anything else I could try?

 
To administer AD domain accounts from a Workstation XP or W2K you will need to install the AD admin tools. If you wish to install these on a W2K PC, map a drive to your server %systemroot%\winnt and install adminpak.msi.
This will install the full set of AD tools; I would not install these on a normal user's PC.

I have been unable to get the std adminpak that comes with W2K server to install on XP - but I understand an updated version is available from MS.
 
I have the original problem solved.

I ran NSLookup at the XP workstation and got this:

H:\>nslookup
*** Can't find server name for address 10.100.1.10: Non-existent domain
*** Default servers are not available
Default Server: UnKnown
Address: 10.100.1.10

At one of the servers (not the main AD server) I did the same thing and got the address: 10.120.1.1.

I changed the DNS from "obtain automatically" to using the address: 10.120.1.1.

Suddenly, the S-L-O-W logon we used to have was really quick. I could browse the network, choose the group and it looked like everything was ok UNTIL I tried to connect to the internet.

NO GO! I tried adding the old 10.100.1.10 as the Alternate DNS but still NO GO. Then I reversed them so that the old 10.100.1.10 was the Preferred DNS.

Now I can connect to the Internet BUT the network LOG ON takes forever and I can't browse the AD. But at least, the group has been added to the Power Users Group.

Part of our dilemma may be that we use a CABLE ISP hookup and they will not give us a fixed IP address.

I know this is straying from the subject matter a little but is there a way to BOTH keep the quick logon AND the internet connection working?

I know that anytime I need to browse the AD, I can just reverse the DNS search order but I'm sure there must be a better way.

 
ccdriver,
I also read your msg on the XP forum ... and start to see the light now!

The problem is that you need a DNS for name resolution on the internet and another one for your internal name resolution. W2K and XP use DNS to find a domain controller. This is why when you put an AD server as your primary DNS, logon is fast and browsing works. However, this server does not know any names on the internet. The solution is to add a FORWARDER on your internal DNS server. This forwarder should point to the ISP-provided DNS server.
Go to the DNS server admin tool, select your own domain and select Properties. One of the tabs says "Forwarders"; add the ISP-provided DNS here and make sure your clients (W2K and XP) point to the internal DNS server (AD server).

When this tab is greyed-out it means your DNS is integrated in AD. You should do the same as before but in the AD configuration.

I hope this makes sense to you!
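
Added example, not part of any post in this thread: a small Python model of the DNS behaviour described above, reproducing each preferred/alternate combination ccdriver tried and the forwarder setup. The domain and host names are placeholders, and the model assumes the client moves on to the alternate server only when the preferred one does not reply at all, and that 10.100.1.10 resolves internet names only.

```python
# Simplified model of the DNS behaviour discussed in this thread (added example).
# Assumption: the client asks its preferred server first and tries the
# alternate only if it gets no reply; a "no such name" answer is final.

AD_SRV = "_ldap._tcp.dc._msdcs.example.local"  # placeholder AD locator record
INTERNET = "www.example.com"                   # placeholder internet name


class DnsServer:
    def __init__(self, ip, names, forwarder=None, reachable=True):
        self.ip = ip
        self.names = set(names)      # names this server can answer itself
        self.forwarder = forwarder   # server that unknown names are passed to
        self.reachable = reachable

    def resolve(self, name):
        if name in self.names:
            return True
        if self.forwarder is not None:
            return self.forwarder.resolve(name)
        return False                 # negative answer, still an answer


def client_lookup(name, servers):
    """Use the first server that replies; its answer ends the lookup."""
    for server in servers:
        if server.reachable:
            return server.resolve(name)
    return False


def symptoms(servers):
    """What the workstation experiences with this DNS search order."""
    return {
        "finds_domain_controller": client_lookup(AD_SRV, servers),
        "internet": client_lookup(INTERNET, servers),
    }


# Address the workstation originally obtained automatically (assumed internet-only).
isp = DnsServer("10.100.1.10", names=[INTERNET])
# Internal AD DNS server, without and with a forwarder.
internal = DnsServer("10.120.1.1", names=[AD_SRV])
internal_fwd = DnsServer("10.120.1.1", names=[AD_SRV], forwarder=isp)

if __name__ == "__main__":
    for label, order in [("internal, then ISP", [internal, isp]),
                         ("ISP, then internal", [isp, internal]),
                         ("internal with forwarder", [internal_fwd])]:
        print(label, symptoms(order))
```

Only the last configuration gives both results at once, which is why clients should point at the internal server alone once the forwarder is in place.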
 