What the heck am I missing? (Domain Issue)

I've got a new Win2003 domain and have started moving machines into this domain. I have a user who wants their domain user account to be the local administrator on their machine. To do this, I go to the box, log in as the Domain Admin and do the following:

Computer Management -> Local Users and Groups -> Administrators -> Select Users ->

The problem here is that the only domain listed to select from in "Locations" is the local machine. I've tried manually adding \\mydomain\username, but this doesn't work either.

I've also tried this logged in as the local administrator for the box.

What am I missing?

 

incidentally...

...this works in the Windows2000 machines that I've added.. this behavior is only present on XP and 2003 machines that I try to add to the domain.

 

I've seen this if your DNS setting aren't right. You can log in with a Doamin account, without DNS being set up correctly, but you will get strange authentication problems. Check your DNS setting on the PC by doing a:

nslookup www.windowsbbs.com

See if your 2003 server answers or is involved in the response. If it doesn't you have not got DNS set up correctly. Set the Windows 2003 as the main DNS server for you client PCs - you can use a scope option in DHCP to do this if you are using dynamic IP addressing.

 

Go to controll Panel / Users and add the user and the domain.

By default the domain will be listed as the local machine.
Change this to your domain and then select Administrator rights for that user.

Im not anywhere that I can get a screen shot at this time.

Basically your creating a users domain account on the local machine.

 

To give you a third answer (don't ya love it), you just need to add the domain user account to the local administrator group for that account to have admin rights.

If the user really wants to use the same account when the PC is not able to see the domain, how about just adding a local account with the same name as the domain user account and making it an admin?

 

Newt,

I think there will be some profile issues with your last option. Even if the local user has the same name as the domain user account, they will get a different SID and profile when they log on locally to that which they will get when the log on to the domian. With the local login, the different SID may prevent the user accessing the server's resources (depending on how the server is set up. 2003 seems to be better than previous versions at blocking users who are simply using the user name and password without actually being logged into the server). The different profile will make it difficult to access documents in his profile and change things like Outlook setting.

There are tools that will let you share profiles but I think adding the domain user to the local administors group is a better route to use. Especially as the system should cache the account details and thereby allow the user to log on when disconnected from the server.

 

A domain user can log on to his domain acconnt on the local machine without the machine connected to the domain for a long time. I'm not sure what the duration is but I have never experienced one not able to log on after months of not being connected.
Laptops would be a good example.

It is also a good practace to add a domain admin account to the local machine admin group.
Several applications (Trend Micro Office Scan being one of them) require a local admin account name and password when you are pushing the products out.

 

Reggie - absolutely. I was offering the local user account as an emergency back door in case of some sort of network failure since it is easier than trying to remember a totally different username/password to log on. Probably not that important for a user with only a single PC though.

Scott - you can certainly log on with cached credentials when the machine can't find the domain but unless I'm missing something here, that only works as long as you haven't tried to change the username you log on with. I usually find that the box 'forgets' the domain account if you've used another local account in the mean time.

 

Interesting Newt. I have never tried that.
I will unplug one from the network and try to log on with 2 diffrent user accouns and see what happens.