Windows Vista Forums

Domain Admin not local admin on all computers
  1. #1


    JohnB Guest

    Domain Admin not local admin on all computers

    I've noticed that the local Administrators group on some PCs has Domain
    Admins in it, and some don't. These PCs are all XP Pro, and all are on
    the same subnet.
    I'm pretty sure the Domain Admins group should be getting automatically
    added to the local Administrators group.

    What are possible causes for this?
    Windows Firewall is turned off, but I don't think that would cause this.







  2. #2


    Meinolf Weber [MVP-DS] Guest

    Re: Domain Admin not local admin on all computers

    Hello JohnB,

    By default the Domain Admins group should be added to the local Administrators
    group. Problems can occur if the machines do not all use the domain DNS servers
    on the NIC, but the ISP's instead, as then domain settings and defaults are not
    properly applied.

    Another option is that maybe Restricted Groups are used and the machines
    are not in the OU in AD UC where the GPO is linked.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm





  3. #3


    JohnB Guest

    Re: Domain Admin not local admin on all computers

    I took a closer look at one of the affected computers. All of the computers
    are in the default container, "Computers". So that isn't an issue.

    To see which domain controller a computer is authenticated to, I normally
    use the "set" command at a command prompt. And with the computer I just
    looked at, the LOGONSERVER variable is set to the computer's own name, not a
    DC, which is obviously a problem.

    I did an ipconfig /all, and that looks correct. We have 2 DNS servers (that
    are also DCs), and they are listed for DNS. The DCs point to themselves
    for DNS, and there is a forwarder that points to our ISP's DNS servers. So
    that doesn't seem to be the problem.

    But this does seem to be a DNS problem. LOGONSERVER should be a DC, but
    I'm not sure what else to look at.




    "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
    news:6cb2911dd87b8cc7c6dd4121497@newsgroup




  4. #4


    Meinolf Weber [MVP-DS] Guest

    Re: Domain Admin not local admin on all computers

    Hello JohnB,

    You are correct: if the logon server is shown as the local computer, it sounds
    like DNS or the network is not up and running; in a domain it should be a
    DC. If you use XP machines or higher, make sure the fast logon is configured
    properly; therefore enable:

    Computer Configuration, Administrative Templates, System, Logon, "Always
    wait for the network at computer startup and logon"

    in a GPO which is linked to an OU to which the computer accounts must be moved.
    You should create your own OU structure in AD UC and move the machines
    and also the user accounts there.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm





  5. #5


    JohnB Guest

    Re: Domain Admin not local admin on all computers

    Thanks Meinolf. As it turns out, the PC I was looking at had been logged in
    with a local account. So I need to look at more.
    But I did just enable "Always wait for the network at computer startup
    and logon".
    I need to look at some more PCs.
    Thanks.




    "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
    news:6cb2911dd8898cc7c821c50ccca@newsgroup




  6. #6


    Ace Fekay [MVP-DS, MCT] Guest

    Re: Domain Admin not local admin on all computers

    "JohnB" <jbrigan@newsgroup> wrote in message
    news:%235dpvYmrKHA.5936@newsgroup


    Hi John,

    I would suggest re-evaluating company policy concerning logging on locally.
    If they are able to do that, it means the users have the local admin
    credentials.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.




  7. #7


    Meinolf Weber [MVP-DS] Guest

    Re: Domain Admin not local admin on all computers

    Hello JohnB,

    Keep in mind that the GPO will not work on the Computers container, even
    if linked at the domain level; you MUST move the machine to an OU and link
    the GPO there.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm





  8. #8


    JohnB Guest

    Re: Domain Admin not local admin on all computers

    I understand what you're saying. But in this case the only accounts I want
    as members of the local Administrators group are Domain Admins, which get
    added automatically.


    "Jonathan de Boyne Pollard" <J.deBoynePollard-newsgroups@newsgroup> wrote
    in message news:IU.D20100216.T093139.P39999.Q0@newsgroup

    >> And with the computer I just looked at, the LogonServer variable is set to
    >> the computer's own name, not a DC. Which is obviously a problem.
    >>
    >> But this does seem to be a DNS problem.
    >
    > Not to me, it doesn't. As you later found out, you've just logged on
    > locally. The variable is telling you what machine authenticated the
    > credentials. If it's the local machine, then that's a local logon. Simple,
    > and nothing whatsoever to do with DNS.
    >
    > It sounds like this and Microsoft KnowledgeBase articles 297307 and 810076
    > are going to be your friends.


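    The checks JohnB ran by hand in #3 (the "set" output, ipconfig, the
    LOGONSERVER value) and the point Jonathan makes above (LOGONSERVER names
    whichever machine validated the credentials, so a local logon always shows the
    workstation itself) can be put into one diagnostic script. This is an added
    example, not code from the thread or from any of its posters; it assumes
    PowerShell is installed on the workstation, and the domain NetBIOS name
    `DOMAINNAME` is a placeholder. It goes slightly beyond the thread by also
    checking the "Always wait for the network" policy value from #4 and whether the
    domain's Domain Admins group is actually in the local Administrators group.

```powershell
# Added diagnostic script (not from the thread). Run it on an affected
# workstation, logged on as the user whose session you want to check.
# Placeholder: set $domainNetbios to your domain's NetBIOS name.
$domainNetbios = 'DOMAINNAME'

# 1. Domain logon or local logon?  LOGONSERVER names the machine that validated
#    the credentials, so for a local account it is the workstation itself and
#    says nothing about DNS or whether a DC is reachable.
$isDomainLogon = ($env:USERDOMAIN -ieq $domainNetbios)
"Session     : $env:USERDOMAIN\$env:USERNAME"
"Logon type  : " + $(if ($isDomainLogon) { 'domain account' } else { 'LOCAL account (LOGONSERVER will be this PC)' })
"LOGONSERVER : $env:LOGONSERVER"

# 2. Can this machine locate a DC through DNS, and is its secure channel healthy?
#    (nltest is built into Vista and later; on XP it ships with the Support Tools.)
"--- nltest /dsgetdc ---"
& nltest "/dsgetdc:$domainNetbios" 2>&1 | ForEach-Object { "  $_" }
"--- nltest /sc_query ---"
& nltest "/sc_query:$domainNetbios" 2>&1 | ForEach-Object { "  $_" }

# 3. Is "Always wait for the network at computer startup and logon" applied?
#    That policy writes SyncForegroundPolicy = 1 under the Winlogon policy key.
$winlogonKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sync = (Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue).SyncForegroundPolicy
"Always wait for network : " + $(if ($sync -eq 1) { 'enabled' } else { 'not set (fast logon optimisation active)' })

# 4. Is the *domain's* Domain Admins group a member of local Administrators?
#    Matching on ADsPath avoids confusing a same-named local group with the domain group.
$admins  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($admins.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})
"Local Administrators    : " + (($members | ForEach-Object { $_ -replace '^WinNT://', '' }) -join ', ')
$expected = "WinNT://$domainNetbios/Domain Admins"
if ($members -contains $expected) {
    "Domain Admins present   : yes"
} else {
    "Domain Admins present   : NO -> run gpresult /r and look for a Restricted Groups policy or a GPO that is not applying to this computer"
}
```

    Run it once from a domain logon and once from a local logon on the same PC to
    see the difference Jonathan describes: the LOGONSERVER line changes, while the
    DC locator, policy and group-membership lines do not. A missing Domain Admins
    entry with a healthy DC locator points at group policy (Restricted Groups or a
    GPO not reaching the machine) rather than DNS.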


  9. #9


    JohnB Guest

    Re: Domain Admin not local admin on all computers

    It will not affect computers in the built-in container "Computers"? I did
    not know that.

    This is a small company, fewer than 150 computers. What is a recommended AD
    structure, particularly for the computer accounts?

    This is what is here now:

    DomainName.local
    - Location1
    * Dept 1 (user accounts)
    * Dept 2 (user accounts)
    * Etc.... (user accounts)
    - Builtin
    - Computers (all PCs and laptops)
    - Domain Controllers
    - ForeignSecurityPrincipals
    - Member Servers
    - Location2
    * Dept1 (user accounts)
    * Dept2 (user accounts)
    - Security Groups
    - Users (built-in user accounts and groups)






    "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
    news:6cb2911dd8f38cc7cf85922e907@newsgroup



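    Meinolf's advice in #4 and #7 is to move the workstation accounts out of the
    default Computers container into an OU of your own (a GPO can be linked to an
    OU or to the domain, but not to the Computers container) and to link the
    logon GPO there; that is also the part of the structure question in #9 that
    concerns computer accounts. The script below is an added example, not code
    from the thread or its posters. It assumes the RSAT ActiveDirectory and
    GroupPolicy modules and Domain Admin rights, and the OU name `Workstations`
    and GPO name `Workstation Logon` are placeholders. It runs as a dry run by
    default and also writes the "Always wait for the network" setting from #4 into
    the GPO, which the thread describes but does not script.

```powershell
# Added example (not from the thread): move workstation accounts out of
# CN=Computers into an OU and link the logon GPO there.
# Placeholders: OU name 'Workstations', GPO name 'Workstation Logon'.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$ouName  = 'Workstations'          # placeholder OU name
$ouDN    = "OU=$ouName,$($domain.DistinguishedName)"
$gpoName = 'Workstation Logon'     # placeholder GPO name
$DryRun  = $true                   # set to $false to apply the changes

# 1. Create the OU at the domain root if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $ou) {
    if ($DryRun) { "Would create $ouDN" }
    else         { New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName }
}

# 2. Find computer accounts still sitting in the default container.
#    Domain controllers live in OU=Domain Controllers and are never touched;
#    servers that were joined into CN=Computers are skipped by OS name.
$stale = @(Get-ADComputer -SearchBase $domain.ComputersContainer -SearchScope OneLevel `
              -Filter * -Properties OperatingSystem |
           Where-Object { $_.OperatingSystem -notmatch 'Server' })

foreach ($c in $stale) {
    if ($DryRun) { "Would move $($c.Name) ($($c.OperatingSystem)) to $ouDN" }
    else         { Move-ADObject -Identity $c.DistinguishedName -TargetPath $ouDN }
}
"$($stale.Count) workstation account(s) found in $($domain.ComputersContainer)"

# 3. Create the GPO, put the #4 setting in it, and link it to the new OU.
#    "Always wait for the network at computer startup and logon" is
#    SyncForegroundPolicy = 1 under the Winlogon policy key.
if (-not $DryRun) {
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
    "Linked '$gpoName' to $ouDN"
}
```

    Review the dry-run output before flipping `$DryRun`. Moving the accounts does
    not change the Domain Admins membership of local Administrators, which is set
    at domain join; the move is what lets the OU-linked GPO reach the machines. To
    stop future joins landing in CN=Computers, `redircmp` can point the default
    computer container at the new OU.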
