Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

I need help with permissions. 1

Status
Not open for further replies.
mhch2005

mhch2005

Technical User
May 4, 2003
15
0
0
US
Hey all,
I need to add Domain Users to the local Administrator group. I have added the XP Pro to the domain and all the ip settings are good. But when I go to Control Panel -> Administrative tools -> computer management -> group -> administrators -> add... It won't let me add anything from the domain. the only thing showing up in location is ART (which is the computer name). What should I do? I am logged on with the Administrator account. and I have tried a different NIC. I would apprecieate some help.

Thanx in advance,
Michael

Knowledge is given to the one who asks.
 
Sort by date Sort by votes
In order to add from the Domain you have to be a Domain ADministrator...

And to make it easier - you should be logged into the domain as that administrator account.

Alshrim
System Administrator
MCSE, MCP+Internet
 
Upvote 0 Downvote
can you simply walk to the machine and create this user account on it, and make them a member of Local Admin? Or do you specifically want the domain permissions to apply?
 
Upvote 0 Downvote
mhch2005

you're doing this on the local machine? (if so, you need local adminstrative access to add domain users to local Administrators gropu, NOT domain adminstrative access).

Is the machine logged onto the domain when you try to do this? (I ask as Administrator could be local or domain) - because it should be.
 
Upvote 0 Downvote
Umm.. I beg to differ!
if you are logged into an xp box, as a local administrator ONLY, then you will not have access to the Domain Account list UNLESS you provide credentials as a Domain Administrator! This is basic NT Security.

No Non-Domain Administrator should see the Domain Account list. Power Users in the domain may see but not manipulate the account database....

Secondly.. the machine must be part of the domain in order for a Domain account to be a local admin.

Log in as a Domain admin.. and you will be able to manipulate all security on that box.

Alshrim
System Administrator
MCSE, MCP+Internet
 
Upvote 0 Downvote
Alshrim - what I said was 'you need local adminstrative access to add domain users to local Administrators group'.

This is true. I didn't say you need to be the local Administrator - and if the Domain Administrator has local Adminstrative access (which it normally would have), its a perfectly good account to work from (but if it hasn't, you can't update any of the local groups).
 
Upvote 0 Downvote
If the issue is that the Domain Administrator Group is automaticly made members of the local Administrator Group, it is not.

I agree with Wolluf.
 
Upvote 0 Downvote
Wolluf and bcastner: I'll refer to what wolluf said earlier: "(if so, you need local adminstrative access to add domain users to local Administrators gropu, NOT domain adminstrative access)"

Maybe I'm just misunderstanding something .. and maybe we're saying the same thing.. but i'll clarify for the sake of the forums...

Over here, at my desk, i have an xp machine. On my network, I am an administrator. on my xp machine, Domain Admins are members of the Local Administrator group!

However... If I log into my Local Administrator account on my xp box - The LOCAL Administrator account has ZERO rights on the Domain - and therefore CANNOT add any domain accounts to its own Local Adminitrator Group... It will prompt you for a Domain Adminitrator Login in order to view or to gain access to the Domain Account Database List... Either way.. you need a Domain Administrator Login, which was my original comment... If you are logged into the local xp box as a local administrator, you will need a Domain Admin account to add any Domain accounts to the local admin group, or any other group for that matter. Local Admin account can only manipulate LOCAL accounts and group.

Easier to just log into the domain from the xp box (which, you are right - by default will have a Domain admin group into the local administrator group PROVIDING the machine is a member of that domain...), to add anything to any of the groups on the box. If the box is not a member of the domain - there is no trust between the xp box and the domain, and therefore you would be unable to add any groups from a domain into that box's groups.

To add anything to the local box from the domain - you absolutely need DOMAIN adminitrative access. I have tried it here, just to be sure...

Are we saying the same thing??

Cheers,

Al

Alshrim
System Administrator
MCSE, MCP+Internet
 
Upvote 0 Downvote
Alshrim,

You are correct, as is the converse situation. You are a Domain Administrator, but not a member of the Local Administrator Group for a workstation. You cannot add Domain members as local administrators.

It is not automatic that a Domain Administrator Group member is made a member of the Local Administrator Group.
 
Upvote 0 Downvote
no.. ok.. I see what you're saying!!!

If I log into the domain as a Domain admin - and the domain admins is NOT member of the local admin group - you can't add anything... YES... on that i agree... Ok... phew..

I just couldn't understand what was being said..

But if you log in as a local admin... either way... once you try to log add an account from the domain - a domain admin account will be prompted for .. once those credentials are accepted... you should be able to do anything.. yes..

I think we're clear...

Thanks for clarifying!

cheers

**As a P.S. tho' .. we should add, however, that by default, Domain Admins is added to the Local Admins group upon the machine's membership to the domain... Only if you removed the Group, will you run into this type of scenario.

Alshrim
System Administrator
MCSE, MCP+Internet
 
Upvote 0 Downvote
Not to add another layer of confusion to this.... but why add Domain Users? If everybody needs to be a local admin on a box just add the local Interactive account. This way it prevents any savy user from browsing default shares on other PCs.

Anyways - just a thought.

Q-
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Diane Sandstrom
  • Locked
  • Question
PDF with highlighting
Replies
2
Views
73
Diane Sandstrom
Diane Sandstrom
Flinx
  • Locked
  • Question
continuing issues with Windows 10 slow transfer to NAS
Replies
6
Views
124
pmonett
pmonett
TomSalvato
  • Locked
  • Question
Help with a DOS command that isn't working for me
Replies
7
Views
92
Professor Shadow
Professor Shadow
Marguerite Bourgeois
  • Locked
  • Question
I have a document in which margins
Replies
2
Views
76
goombawaho
goombawaho
Shengfu
  • Locked
  • Question
PROBLEM WITH FILES IN FLASHDRIVE
Replies
3
Views
85
mikrom
mikrom

Part and Inventory Search

Sponsor

Back
Top