Cannot add a Domain User to local Administrators Group

b4u

Golden Member
Nov 8, 2002
Hi,

I have a Windows 2000 Advanced Server configured with a domain "mydomain.com". Everything seems to be working fine.

Now I have a Windows XP Pro workstation, and some users log into the "mydomain.com" with no problem. They are given the default "User" group, which is enough to all but one user.

I want to be able to say: In this workstation, MYDOMAIN\user1 belongs to group Administrators.

So I go into user manager panel, select Groups on the tree, double click Administrators, and then "Add...".

On the location, I see "mydomain.com", if I click "Advanced..." and a list appears with the user1 ... I select it, click "OK" and the object "user1 (user1@mydomain.com); Administrator" appears ... seems to be okay.

Then if I click "OK" or "Check Names" I get the following error:
Windows cannot process the object with the name "user1" because of the following error:

A socket operation was attempted to an unreachable host.

What? I just logged into the domain, and searched for the user on it ... now it can't reach it?

How to solve this? What is happening here?


Any help appreciated ...

Thank You.
 

stash

Diamond Member
Jun 22, 2000
Can you ping mydomain.com from that workstation? Does it return the IP of a domain controller? Any userenv or netlogon errors in the event logs on that workstation?
 

b4u

Golden Member
Nov 8, 2002
Hi,

Strange thing happened ... today I started the server (named server2k) and the workstation (named stationxp), logged into mydomain using the Administrator password (like I did yesterday), and when I try to add some user to the group Administrators, I can't find the domain on the "Location". Only the local "STATIONXP".

The server successfully leased an IP, but the ping doesn't return anything ...

I added the results from the command line to the message ... and as you can see, I can ping the IP directly ... so is it a DNS problem?

Added:

Now when I try to log on with user1, I get the following message:

Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you

I have remote profiling on the server, as you notice, and that worked flawlessly yesterday ... but today I can't seem to connect to the server, even though it leases an IP and I can ping the server IP.


About Event Logs:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 05-03-2005
Time: 13:17:08
User: NT AUTHORITY\SYSTEM
Computer: STATIONXP
Description:
Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1521
Date: 05-03-2005
Time: 13:15:31
User: MYDOMAIN\user1
Computer: STATIONXP
Description:
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 05-03-2005
Time: 12:51:52
User: N/A
Computer: STATIONXP
Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x80072751). A socket operation was attempted to an unreachable host.
Enrollment will not be performed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Thank you
 

dclive

Elite Member
Oct 23, 2003
Originally posted by: b4u
Hi,

I have a Windows 2000 Advanced Server configured with a domain "mydomain.com". Everything seems to be working fine.

Now I have a Windows XP Pro workstation, and some users log into the "mydomain.com" with no problem. They are given the default "User" group, which is enough to all but one user.

I want to be able to say: In this workstation, MYDOMAIN\user1 belongs to group Administrators.

So I go into user manager panel, select Groups on the tree, double click Administrators, and then "Add...".

On the location, I see "mydomain.com", if I click "Advanced..." and a list appears with the user1 ... I select it, click "OK" and the object "user1 (user1@mydomain.com); Administrator" appears ... seems to be okay.

Then if I click "OK" or "Check Names" I get the following error:
Windows cannot process the object with the name "user1" because of the following error:

A socket operation was attempted to an unreachable host.

What? I just logged into the domain, and searched for the user on it ... now it can't reach it?

How to solve this? What is happening here?


Any help appreciated ...

Thank You.

Sounds like a DNS issue. On the public internet I can get to www.mydomain.com, so it's a public site - MS's recommendation is for you to set up non-public AD sites as "mydomain.local" so DNS won't get confused. How is your DNS set up, both on the AD DNS Server/Domain controller and on the workstation? What's the workstation's first DNS server that it queries?
 

b4u

Golden Member
Nov 8, 2002
Hi,

My local domain is not connected to the internet. My domain is "dune.com" (I changed it from "mydomain.com" ... to re-test settings), and my server is a Windows 2000 Advanced Server named "server2k".

The network settings on the client (Windows XP Professional named "stationxp") are all automatic, and it leases an IP without problems.

If I ping "192.168.0.1" or "server2k" it works just fine, but if I ping "server2k.dune.com" it doesn't work.

Also when trying to add a domain user to the local administrators group, I cannot "see" the domain on the Location ... so I can't find it through the GUI.
 

stash

Diamond Member
Jun 22, 2000
Can you post an ipconfig /all from both the server and the client?
 

stash

Diamond Member
Jun 22, 2000
Why is there no DNS information for the client? Your DHCP scope should be setting clients to use 192.168.0.1 for DNS.
 

b4u

Golden Member
Nov 8, 2002
My DHCP & DNS services are on the same computer (server2k); shouldn't the information about the DNS be given automatically when a machine logs on to the domain?

I'll check it out ...

What DHCP services should I set up (the more important ones)? I've seen the service about DNS registration in a big list, so I don't have a clue whether I should be setting any other service.

I'll try out the service you told me about.
 

stash

Diamond Member
Jun 22, 2000
shouldn't the information about the DNS be given automatically when a machine log on the domain?

You need to configure a scope option in DHCP for the DNS configuration. Otherwise DHCP clients will not know what DNS server to use.
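The checks stash asks for earlier in the thread (does the client know a DNS server, does the domain resolve to a domain controller) and the fix he describes here (DHCP scope option 006 pointing clients at the DC's DNS) can be scripted. The following is an added example, not code from anyone in the thread; it uses the thread's names (dune.com, server2k, 192.168.0.1) and assumes a Windows 8 / Server 2012 or later client for Resolve-DnsName, Get-DnsClientServerAddress and Test-NetConnection (on the XP-era machines in the thread the equivalents are ipconfig /all, nslookup and nltest). It reports the same dependency chain the thread ran into: no DNS server from DHCP, so the DC's FQDN and the AD SRV records cannot be resolved, so logon, Group Policy, certificate autoenrollment and the object picker all fail with "unreachable host" errors.

```powershell
# Added example: verify that a domain-joined client can locate its domain
# controller through DNS. Defaults are the thread's names; everything else is
# an assumption made for illustration.
param(
    [string]$Domain    = 'dune.com',
    [string]$DcName    = 'server2k',
    [string]$DcAddress = '192.168.0.1'
)

$failures = @()

# 1. Which DNS servers does the client use? For Active Directory to work the
#    first entry must be a DNS server hosting the AD zone (here the DC itself).
#    An empty list is exactly the thread's situation before option 006 was set.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object -ExpandProperty ServerAddresses
Write-Host "Client DNS servers: $($dnsServers -join ', ')"
if (-not $dnsServers) {
    $failures += 'No DNS server configured (DHCP scope option 006 missing, or no static entry).'
} elseif ($dnsServers[0] -ne $DcAddress) {
    $failures += "First DNS server is $($dnsServers[0]), expected the DC at $DcAddress."
}

# 2. Can the DC's FQDN be resolved? In the thread 'server2k' answered (NetBIOS
#    name resolution) but 'server2k.dune.com' did not, which is the DNS symptom.
try {
    $a = Resolve-DnsName -Name "$DcName.$Domain" -Type A -ErrorAction Stop
    Write-Host "$DcName.$Domain -> $($a.IPAddress -join ', ')"
} catch {
    $failures += "Cannot resolve $($DcName).$($Domain): $($_.Exception.Message)"
}

# 3. Do the DC locator SRV records exist? Domain logon, Group Policy and the
#    user/group object picker all find a DC through this record.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    Write-Host "DC locator SRV targets: $($srv.NameTarget -join ', ')"
} catch {
    $failures += "No _ldap._tcp.dc._msdcs.$($Domain) SRV record: $($_.Exception.Message)"
}

# 4. Is LDAP on the DC reachable by address at all? This separates a DNS
#    problem (name fails, address works, as in the thread) from a network or
#    firewall problem (address also fails).
$ldap = Test-NetConnection -ComputerName $DcAddress -Port 389 -WarningAction SilentlyContinue
if (-not $ldap.TcpTestSucceeded) {
    $failures += "TCP 389 to $DcAddress is closed or filtered."
}

# 5. Ask the DC locator directly; this is the same lookup Group Policy performs
#    before logging Userenv event 1054 when it fails.
nltest "/dsgetdc:$Domain" 2>&1 | Write-Host

if ($failures.Count -eq 0) {
    Write-Host 'DC discovery looks healthy.'
} else {
    Write-Warning ("DC discovery problems:`n - " + ($failures -join "`n - "))
}
```

On the server side, the scope option stash refers to is "006 DNS Servers". With the DhcpServer PowerShell module it is set with `Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsServer 192.168.0.1` (the scope id 192.168.0.0 is an assumption; the thread only gives the server address), and on a Windows 2000/2003 DHCP server the equivalent is `netsh dhcp server scope 192.168.0.0 set optionvalue 006 IPADDRESS 192.168.0.1`. After a client renews its lease (`ipconfig /renew`), rerunning the script above should show the DC as the first DNS server and both the A and SRV lookups succeeding.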
 

b4u

Golden Member
Nov 8, 2002
OH MY GOD!!!!! IT WORKS!!!!

I mean I just added on DHCP Scope Options the entry "006 DNS Servers" with value "192.168.0.1", and when logging in on the "Windows XP Pro" machine I get the "ipconfig /all" shown in the attached code.

I then connected with a "Windows 2000 Pro" machine, and same thing applied.

I could ping "server2k.dune.com" on both machines ... and I could even ping each of the client machines (WinXPpro vs Win2Kpro) with "(...).dune.com" with success.

Then the DNS server automatically added each entry for the client machines with the leased IPs ...

Then adding a specific domain user to the local "Administrators" group in "Windows XP Pro" and "Windows 2000 Pro" worked like a charm ... "Location" found the domain, the user was added without error messages ... it seems to be working just fine (at least for now).

Many thanks to all, and special thanks to STaSh who pointed me to something new that solved my problem, or so it seems :D

Thank you all.