adding domain groups to local admin group

Guest

-i have a win2003 server/winxp client network
-i have created user groups in the active directory users and computers
utility (and of course added users to those groups)
-i want to add these domain groups to the client computers' local admin
group to assign specific users admin rights to these computers
-i have successfully used the local/client computers' users utility to do
this on several computers, but...
-when i want to add the domain group to the client computer's local admin
group, i need to see the domain in the "...look in the following
locations..." field
-on most computers, i do see the domain in this field, and everything works
normally
-however, on some computers, i can only see the local computer in this
field, and i cannot get the domain to show up in this field

-can anyone help?
 
Lanwench [MVP - Exchange]

Michael Marosz said:
-i have a win2003 server/winxp client network
-i have created user groups in the active directory users and
computers utility (and of course added users to those groups)
-i want to add these domain groups to the client computers' local
admin group to assign specific users admin rights to these computers
-i have successfully used the local/client computers' users utility
to do this on several computers, but...
-when i want to add the domain group to the client computer's local
admin group, i need to see the domain in the "...look in the following
locations..." field
-on most computers, i do see the domain in this field, and everything
works normally
-however, on some computers, i can only see the local computer in this
field, and i cannot get the domain to show up in this field

DNS misconfiguration, most likely. Ensure that *all* clients and servers
specify *only* the internal DNS server IP (your W2003 DC, most likely) for
DNS - no public IPs.

-can anyone help?


General advice:

I tend to set up AD security groups called LocalAdmin & LocalPowerUser. You
can use a computer startup script via GPO so these groups are automatically
added to the local workstation groups. (There are other options, such as
Restricted Groups, but I find this method is easier for me to administer).

The batch file would have this:
.........
rem A local group name that contains a space must be quoted
net localgroup administrators DOMAIN\localadmin /add
net localgroup "power users" DOMAIN\localpoweruser /add
.........

You can create/link a new GPO at the appropriate OU where your computers
live (if you haven't created custom ones, you'll need to - unless you're
using SBS, which creates its own hierarchy).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server.

THAT SAID - it's not good practice to let users have local admin rights - so
if you have software that won't behave properly without admin rights, try to
correct it. First, I'd holler at the software developer, because this is
sloppy code, but then you can try downloading Process Explorer from
Microsoft (a sysinternals utility) to see what the app is trying to do. You
can then modify permissions in the file system/registry appropriately, to
let ordinary users have the access the software needs.
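
An added example, not part of the post above: a version of the two-line startup script that can run on every boot, skips a domain group that is already a member, and records `net`'s own error text when an add fails (for instance when the client cannot locate the domain, as in the original question). The log path is an assumption; `DOMAIN`, `localadmin` and `localpoweruser` are the post's placeholder names.

```bat
@echo off
rem Added example (not from the original thread).
rem Assumptions: log location; DOMAIN\... names are placeholders from the post.
setlocal
set "LOG=%SystemRoot%\Temp\localgroups.log"

call :ensure "Administrators" "DOMAIN\localadmin"
call :ensure "Power Users" "DOMAIN\localpoweruser"

endlocal
exit /b 0

:ensure
rem %~1 = local group, %~2 = domain group that should be a member of it.
rem Exact, case-insensitive match of a whole output line, so that
rem DOMAIN\localadmin is not confused with DOMAIN\localadmin2.
net localgroup "%~1" 2>nul | findstr /i /x /l /c:"%~2" >nul
if not errorlevel 1 (
    >>"%LOG%" echo %date% %time% present: %~2 in %~1
    goto :eof
)

rem Not a member yet: add it and keep net's message in the log, so a
rem failure to reach the domain is visible on the workstation afterwards.
net localgroup "%~1" "%~2" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %date% %time% FAILED: %~2 not added to %~1
) else (
    >>"%LOG%" echo %date% %time% added: %~2 to %~1
)
goto :eof
```

A `FAILED` entry on the machines that cannot see the domain in the object picker points back at the same name-resolution problem, so check their DNS settings before rerunning the script.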
 
