When is an Admin not an Admin?

[Randall Arnold]

I'm trying to get a handle on Windows XP Pro's way of managing permissions
and having a poor time of it.

For lack of true IT department, I am the de facto network Admin of our
company and am a member of the Administrators group on our Windows 2000
Server. However, when I log onto the local domain as either Administrator
or my regular User ID, the XP client doesn't recognize me as an Admin. I
have to log onto the machine itself (using either name) in order to install
software, access restricted folders, etc. Some programs *will* allow me to
use "Run as..." and enter the domain\Admin name in order to install, but
others fail to recognize server shares, thus forcing me to log out of the
domain and onto the workstation. I also can't even add domain-based users
and groups while logged into the workstation; it doesn't see them. This is
getting to be a pain.

I had thought that when the XP box was joined to a domain it inherited the
policies from the server via Active Directory. This does not seem to the
the case, even though I've tried to force the issue by granting myself every
possible privilege I can think of.

Overlooking my obvious thick-headedness, can anyone explain to me what I
need to do to get each XP client to recognize the LAN Admin as THE Admin
(ie, "GOD") with full rights to everything?

Thanks,

Randall Arnold

 

[oklier]

you have to remember that each XP machine is its own
domain. so you have to add the domain admin to the admin
group on the local machine.

 

[Roger Abell [MVP]]

First, it sounds like you may have a DNS issue, indicated by

I also can't even add domain-based users and groups
while logged into the workstation; it doesn't see them.

assuming that the machine is indeed joined to the domain.

All of your domain members should use only the DNS servers
that support the AD zones, and when the support tools utility
netdiag
is run on the DC it should not report any failures.

Now, at one point you mentioned using an account that is
in the Administrators group of the domain and it not having
admin rights on the local machine. By default Domain Admins
are local Administrators but the domain Administrators group
members are not necessarily Administrators on local machines.

Beyond all of this, be aware that there are some brain dead
third party applications that do not correctly recognize that an
account is an admin (check vendor website for fix).

 

[Randall Arnold]

Interesting turn of events: after fiddling with various secruity and policy
settings for a couple of days, I logged into the local domain this morning
to find that I now have full rights on this machine. The odd part is that
yesterday I did not (even after logging in and out 2 times) and I haven't
done anything different that past day or so. Did it just take that long to
propagate the updates I did earlier? If so, that itself is strange!

Randall