Adding DOMAIN user to a LOCAL machine

Discussion in 'Windows Server System' started by Greg Golden, 2006/05/25.

  1. 2006/05/25
    Greg Golden Well-Known Member Thread Starter
    Me again-- Due to peculiarities in Quickbooks 2006 and ACT 6, we have learned that each of our users must have Admin rights to his local machine, for all features to work correctly. Since we run a domain, each user logs onto the domain rather than the "local" machine. So in Christine's machine for example, I must make her DOMAIN user a member of the LOCAL machine's administrators group. (The username would look like BIGDOMAIN\CHRISTINE.)
    I've done this on all of our machines as each machine is assigned to a user. However I have a machine I am moving which I cannot get to accept DOMAIN users as LOCAL users. This machine runs WinXP pro. Any user can log onto the domain successfully from this machine.
    The server runs Win2000server. The stations are Win2kPro and WinXPpro, about 9 workstations total. Any ideas? Tnx. Greg.
     
  2. 2006/05/25
    DesireeChance Inactive
    What is the error message you get when you try to add a domain user to the local administrators group on that particular machine?

    - Desiree
     

  4. 2006/05/26
    Greg Golden Well-Known Member Thread Starter
    The error said "The trust relationship between this workstation and the primary domain failed." Does this help?
     
  5. 2006/05/26
    Scott Smith Inactive Alumni
    It may have a corrupt SID.
    Try renaming the computer and blow out the old computer account in the AD.
     
  6. 2006/05/27
    ReggieB Inactive Alumni
    The workstation does not think it is part of the domain.

    Are you sure that this PC is actually logging on to the domain? When you boot the machine and are prompted for a user name and password, is the "domain" on that screen set to the network domain, or does it have the computer name? It needs to be the network domain name.

    It may well be something else (Scott's suggestion is a good one and may fix the problem), but it's worth checking the simple things too.
     
  7. 2006/05/29
    mjg1973 Inactive
    I would have to agree with Reggie on this one...if you're not getting anything in the event log. I wouldn't worry so much about the SID being corrupt, though stranger things have happened. Has it always been a member of the domain? If not, are you the one that joined it? Can you log in as local admin and add the user?

    Another thing that I have found useful in most environments is to have a group called wsadmins. Give that group local admin rights and then put the users that need local admin rights in that group. Of course this leaves all computers open to all users in that group, but hopefully you can trust your folks. Then again, there are those users out there...
     
  8. 2006/05/30
    DesireeChance Inactive
    I almost wonder if you don't already have a computer account in your Active Directory with that computer name. Could it be that at one time you did have a computer that was joined to that domain with that name and it has since been removed? And now when you are trying to join this one, you get that ugly error? It would be worth checking....

    Best regards

    Desiree
     
  9. 2006/05/30
    capone Inactive
    If you have remote locations with domain controllers then dropping and re-adding a computer with the same name to the domain can cause issues.

    It's best to drop it from the domain and re-add it with a different name. Then after a day or two, when everything has finished replicating to all domain controllers you can rename it to what it originally was.
     
  10. 2006/05/31
    Greg Golden Well-Known Member Thread Starter
    OK, here we go: First, these machines are all local- none are remote. Second, yes, I am sure I log onto the domain when going onto the workstation. So what I did was to go into AD on the server and delete the computer name. Then, on the workstation, I asked to join the domain again. It worked and I was able to add my user as needed, no snags! Thanks everybody, for your ideas. :)
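
Added example, not part of any post in this thread: a Windows PowerShell 5.1 sketch for a current domain-joined workstation (an assumption; the thread's machines ran Windows 2000 and XP) that checks the machine's secure channel before adding a domain account to a local group, then lists the domain principals holding that group. `BIGDOMAIN\CHRISTINE` is the sample name from the first post; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example; function names are hypothetical, account name is the thread's sample.
param(
    [string]$Member     = 'BIGDOMAIN\CHRISTINE',  # domain user, or a wsadmins-style domain group
    [string]$LocalGroup = 'Administrators'
)

function Test-DomainTrust {
    # True when the workstation's machine-account secure channel to the domain is healthy.
    try   { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

function Add-DomainMemberToLocalGroup {
    param([string]$Member, [string]$LocalGroup)

    if (-not (Test-DomainTrust)) {
        # This is the state behind the "trust relationship ... failed" error in the thread.
        throw 'Secure channel to the domain is broken; reset or rejoin the computer account first.'
    }

    # Idempotent: do nothing if the principal is already a member.
    $existing = Get-LocalGroupMember -Group $LocalGroup -ErrorAction Stop |
        Where-Object { $_.Name -ieq $Member }
    if ($existing) { return 'already-member' }

    Add-LocalGroupMember -Group $LocalGroup -Member $Member -ErrorAction Stop
    return 'added'
}

$result = Add-DomainMemberToLocalGroup -Member $Member -LocalGroup $LocalGroup
Write-Output "$Member -> $LocalGroup : $result"

# Review which domain principals now hold local admin on this machine.
Get-LocalGroupMember -Group $LocalGroup |
    Where-Object PrincipalSource -eq 'ActiveDirectory' |
    Select-Object Name, ObjectClass
```

Passing a domain group as `-Member` gives the shared-group arrangement suggested earlier in the thread; the final listing shows every domain account that gains local admin through it.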
     
