Re: Local admin rights not flowing through



It sounds like it could be a problem with contacting the domain controller
at logon. It could be the user is logging on via cached credentials even
just briefly as is often the case where clients have wireless network
connections. You can check the security log on the client workstation,
assuming auditing of logon events is enabled as shown in Local Security
Policy, to see if cached logons are happening as evidenced by type 11
logons. Try using the support tool whoami /groups to compare the security
token of the domain user compared to the domain user to see if
builtin\administrators is shown for the domain user. Also run rsop.msc on
the domain computer in question to see if there are any differences in user
configuration group policy settings for the domain user that could be
restricting the user such as Software Restriction Policies. Another
possibility is that the domain user is a member of a group that has deny
permissions in some access control list that may be restricting them. ---
Steve


"Eric" <Eric@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:45EAB03A-3DC4-40A7-B4AD-BEEF14DD56E4@xxxxxxxxxxxxxxxx
> I do have DNS configured correctly, including the reverse lookup zone. I use
> a .local extension for internal DNS. I also looked at the event logs on both
> the domain controller and the local workstations and all were squeaky clean.
>
> I haven't tried a netdiag yet though. I'll give that a shot tomorrow. Any
> other ideas anyone?
>
> Thanks
>
> "Steven L Umbach" wrote:
>
>> It should work [if that is what you REALLY want to do] if you add their
>> domain user account to the local administrators group on their workstation.
>> You may have other issues going on here also though. First make absolutely
>> sure that you have DNS configured correctly for your domain as per the KB
>> article in the link below [NEVER ever have an ISP DNS server in the
>> preferred DNS server list of ANY domain computer] and run the support tool
>> netdiag on your domain controllers and a couple domain workstations having
>> this problem and run the support tool dcdiag and gpotool on your domain
>> controllers looking for any problems. Also look in the logs of the domain
>> controllers and domain workstations via Event Viewer to see if any related
>> problems are found. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
>>
>> "Eric" <Eric@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:E9700A33-9CFD-4CF8-8E92-E52150E88DA0@xxxxxxxxxxxxxxxx
>> > I've got a weird issue that I hope someone knows what's going on...
>> >
>> > I recently moved from my NTSBS 4.0 domain into a Win2003 AD. I have 7
>> > workstations all with the same issue. I had to re-create the user accounts
>> > in 2003 since I couldn't find a direct upgrade path which was no big deal.
>> >
>> > Anyway, all of my workstations are XP SP2.
>> >
>> > The workstations did not have local administrator rights so the users could
>> > not install their own applications. I added into each user's workstation
>> > their domain login name and added them as local administrator. I can log in
>> > as them to the local workstation and gain local admin, but if I login into
>> > the domain I do not get local administrator rights.
>> >
>> > Here's what I tried:
>> >
>> > Deleting the profiles, deleting references in the registry to that user,
>> > re-creating the profile by logging in again.
>> >
>> > I noticed when I logged in with the new user that it took a while to create
>> > the profile. When I logged in with the original user, even though the
>> > profile directories were deleted it just said loading profile and entered
>> > winxp quickly. So it looks like it was grabbing a profile from somewhere. I
>> > examined the PC and their home directory but could not find another profile
>> > directory.
>> >
>> > Created a new user on the domain, created a new user on the local
>> > workstation and this new user did get local admin.
>> >
>> > Re-formatted a PC and re-patched. Added the original user in the local
>> > workstation as local administrator and the problem was still there. No local
>> > administrator rights.
>> >
>> > It seems to be a profile/policy issue but no policies or roaming profiles
>> > are defined in the new domain.
>> >
>> > Does anyone have any idea on what is going on with this?
>>
>>
>>
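
The two client-side checks suggested in the reply at the top of this thread (look for type 11 logons in the workstation's Security log, and look for builtin\administrators in the `whoami /groups` output) can be run over saved text, as in this added example, which is not part of the original thread. The event text and group list are constructed samples, and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample (made-up values): description text of two "Successful
# Logon" events (ID 528 on Windows XP) exported from the client's Security log.
SAMPLE_EVENTS = """\
Event ID: 528
Successful Logon:
    User Name:      eric
    Domain:         EXAMPLE
    Logon Type:     11
Event ID: 528
Successful Logon:
    User Name:      testuser
    Domain:         EXAMPLE
    Logon Type:     2
"""

# Constructed sample: group names as saved from `whoami /groups` for the domain logon.
SAMPLE_GROUPS = "Everyone\nBUILTIN\\Users\nEXAMPLE\\Domain Users\nNT AUTHORITY\\INTERACTIVE\n"

CACHED_INTERACTIVE = "11"  # logon type recorded when cached credentials were used

def parse_logons(text):
    """Split the export on 'Event ID:' lines and return one field dict per logon event."""
    events = []
    for chunk in re.split(r"(?m)^Event ID:[ \t]*\d+[ \t]*$", text):
        fields = dict(re.findall(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", chunk))
        if "Logon Type" in fields:
            events.append(fields)
    return events

def cached_logon_users(events):
    """Return DOMAIN\\user for every logon that used cached credentials (type 11)."""
    return sorted({f"{e.get('Domain', '?')}\\{e.get('User Name', '?')}"
                   for e in events if e["Logon Type"] == CACHED_INTERACTIVE})

def has_local_admin(groups_text):
    """True if BUILTIN\\Administrators appears anywhere in the whoami /groups output."""
    return any("builtin\\administrators" in line.lower() for line in groups_text.splitlines())

if __name__ == "__main__":
    print("Cached logons:", cached_logon_users(parse_logons(SAMPLE_EVENTS)))
    print("Administrators in token:", has_local_admin(SAMPLE_GROUPS))
```
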

