Global groups missing from local group on W2K Pro


Richard Moreno

Outline:
Native Mode Windows 2000 AD Forest with 1 root domain and 3 child domains; I
manage 1 child domain. Several thousand workstations and user accounts have
been migrated from an old Multi-Master NT Domain Model (user accounts) with
Resource Domains (servers, local services) to this new AD Forest and have
been operating fine thus far. ALL User accounts and computer accounts are
now in the AD Domain. (More specifically, the child domain I manage; this is
also the domain they log on to.)

Problem:
W2K Pro workstations are now suddenly missing a domain global group from the
local administrators group that was previously there.

No GPOs are in place at OU or Site levels; 1 GPO exists at the forest root
for all domains for account policies only. Transitive trusts are in place
throughout the forest, FRS replication is good, sysvol directories are
synced and appear uncorrupted.

Has anyone come across this? Have any ideas or tips?

Thanks
Richard
 

Ace Fekay [MVP]

The only thing I can think of is during the migration, did you select
(assuming you used ADMT) the Security Translator? Otherwise it would seem
that the group may have been deleted, such as when you did (if you selected
SIDHistory option) a SIDHistory cleanup.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

David Fisher [MSFT]

Hello Richard.

Perhaps the most likely cause of the groups missing from the local administrators
group is that, at one time, a restricted group was configured in group
policy. If it is not configured to include those domain administrators into
the local administrators group, they will effectively be removed. If the
policy was then removed, the local groups will still have been modified
permanently.

228496 HOW TO: Use Restricted Groups in Windows 2000
http://support.microsoft.com/?id=228496

320045 HOW TO: Restrict Group Membership By Using Group Policy in Windows
2000
http://support.microsoft.com/?id=320045

If after consideration this is determined to not be the cause of the
problem, restricted groups may be a means to correct it. Please place these
clients into an appropriate container (OU), create a group policy object,
define a restricted group in this policy for "administrators", and define
all the users and groups that need to be a member of administrators. After
the next client policy refresh (90-120 minutes), you should notice that the
local administrators group is correctly populated.

Best Regards,
David Fisher
Enterprise Platform Support
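
An added example (not part of the thread or of any Microsoft tool) for testing the restricted-group theory above: it reads the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`, where Restricted Groups settings are stored) and reports which current local Administrators members the policy's `__Members` list would strip. The template text, the domain SID and the function names are constructed for illustration.

```python
import configparser

BUILTIN_ADMINS = "*S-1-5-32-544"  # well-known SID of the local Administrators group
DOM = "*S-1-5-21-1111111111-2222222222-3333333333"  # placeholder domain SID

# Constructed GptTmpl.inf content; every domain SID below is a placeholder.
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
{BUILTIN_ADMINS}__Memberof =
{BUILTIN_ADMINS}__Members = {DOM}-512,{DOM}-1105
"""

def restricted_members(inf_text):
    """Return {group: set(members)} for every '<group>__Members' entry."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";",), strict=False)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(inf_text)
    result = {}
    if not cp.has_section("Group Membership"):
        return result
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        if kind.lower() == "members":
            result[group] = {m.strip() for m in value.split(",") if m.strip()}
    return result

def members_stripped(current_members, inf_text, group=BUILTIN_ADMINS):
    """Current members that the policy's list does not name, i.e. the ones a
    policy refresh would remove. None means the template does not restrict
    this group's membership."""
    policy = restricted_members(inf_text)
    if group not in policy:
        return None
    return set(current_members) - policy[group]

if __name__ == "__main__":
    local_admins = {f"{DOM}-512", f"{DOM}-2001"}  # constructed current membership
    print(members_stripped(local_admins, SAMPLE_INF))
```
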
 
