Can't add domain user account to local admin group properly

    Question

  • Hi,

    I have two Windows 2008 Servers.  One is the domain controller, let's call it DC, and the other is a SQL box, let's call it SQL.  So, I want to set up a domain user account which I can use on the SQL box.  The SQL box has been added to the DC's domain.  I set up the Domain User account in Active Directory.  I then navigate to Computers and select Manage on the SQL box.  Then I navigate to the Administrators group and add the Domain User account that I created.

    Once I do that, and go back into the Administrators group (for the SQL box) in Active Directory, the SID is listed for the Domain User account instead of the actual user name.  If I try to log in to the SQL box with the domain user account, I am able to log in, but if I attempt to perform an admin activity, I don't have permissions to do so.  If I am on the SQL box itself (logged in as local admin), and navigate to and open the Administrators group, there is no domain user account listed.

    So, I am able to log in to the SQL box with the domain account, but don't have local admin privilege for some reason.  I have set Windows Firewall to OFF on both the DC and the SQL box.  This doesn't seem to help.

    I am at a loss now what to try next.  Any thoughts?

    Thanks.
    Thursday, August 14, 2008 7:31 PM

Answers

  •  

    Hi,

    Based on my research, some group policies may cause the 'SID can't be correctly translated into a friendly name' issue. Please run 'rsop.msc' on the problematic PC to see if the following group policies are properly set:

    Under Computer Configuration\Windows Settings\Security Settings\Security Options\

    Network access: Allow anonymous SID/Name translation   ENABLED

    Network access: Do not allow anonymous enumeration of SAM accounts   DISABLED

    Network access: Do not allow anonymous enumeration of SAM accounts and shares   DISABLED

    Network access: Let Everyone permissions apply to anonymous users   ENABLED

    Network access: Named pipes can be accessed anonymously   ENABLED

    Network access: Restrict anonymous access to Named Pipes and shares   DISABLED

    The client PC needs to contact the DC to translate a domain user SID into a friendly name. There is a possibility that the client machine could not contact the DC at that time, so the SID may not have been correctly translated. Please wait a while longer and check the result again. Also, please check that the client PC's DNS points correctly to the DC or DNS server.

    If this symptom persists, please check whether there are any error messages in Event Viewer on the DC and the client.


    Friday, August 15, 2008 7:38 AM
    Moderator
  • OK, found the issue.  I was setting up a virtual environment, which I do frequently.  However, in this case it was a full domain and network setup.  So, in order to save time I duped the 08 server images.  Well, forgot about the whole SID problem which this creates.  Anyway, the short of it is I reinstalled one of the images and it works fine now.  Running NewSID didn't really do the job, so I just reinstalled.  I hope this helps someone else in the future. :-)
    Friday, August 15, 2008 1:22 PM
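An added diagnostic script, not from either reply above, that does on the member server what the two posts describe: it lists the local Administrators members by SID and whether each translates to a name (the moderator's symptom), reads the effective values behind the six "Network access" options without changing them, and compares the machine SID with the domain SID, which is the check that would have caught the poster's real cause. A domain's SID is derived from the machine SID of the first DC when it is promoted, so a member server cloned from the same un-sysprepped image as the DC ends up with a machine SID equal to the domain SID; every domain account's SID then falls inside the local SAM's own SID space, the server looks it up locally instead of asking the DC, and it never resolves. The script assumes an elevated PowerShell session on the domain-joined server with LDAP reachability to the domain; the group name is the only other assumption.

```powershell
# Added example (not code from the original thread). Assumptions: elevated PowerShell on the
# domain-joined member server (the "SQL box"), LDAP access to the domain, PowerShell 2.0+.

function Get-LocalGroupSidReport {
    # Lists each member of a local group by SID and tries to resolve it the way the
    # Computer Management UI does (LookupAccountSid: local SAM first, then the domain).
    param([string]$GroupName = 'Administrators')
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<UNRESOLVED>' }   # the bare-SID symptom from the question
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }
}

function Get-MachineSid {
    # The machine SID is the built-in Administrator's SID (RID 500) without the RID.
    # Matching on the RID instead of the name survives a renamed Administrator account.
    $admin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
             Where-Object { $_.SID -match '-500$' } | Select-Object -First 1
    $admin.SID -replace '-500$', ''
}

function Get-DomainSid {
    # Read the domain's objectSid from the domain naming context over LDAP.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $bytes   = $domain.Properties['objectSid'][0]
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Get-AnonymousAccessSettings {
    # Effective values behind the six "Network access" options listed in the reply above.
    # Five are plain registry values; "Allow anonymous SID/Name translation" is LSA policy
    # only and appears in a secedit export as LSAAnonymousNameLookup (1 = Enabled).
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $hit = Select-String -Path $cfg -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $lookup = if ($hit) { $hit.Matches[0].Groups[1].Value } else { '?' }
    New-Object PSObject -Property @{
        AllowAnonymousSidNameTranslation = $lookup                         # 1 = Enabled
        RestrictAnonymousSAM             = $lsa.RestrictAnonymousSAM       # 1 = Enabled
        RestrictAnonymous                = $lsa.RestrictAnonymous          # 1 = Enabled
        EveryoneIncludesAnonymous        = $lsa.EveryoneIncludesAnonymous  # 1 = Enabled
        NullSessionPipes                 = ($srv.NullSessionPipes -join ',')
        RestrictNullSessAccess           = $srv.RestrictNullSessAccess     # 1 = Enabled
    }
}

# --- run the checks ---
Get-LocalGroupSidReport -GroupName 'Administrators' | Format-Table Sid, Name -AutoSize

$machineSid = Get-MachineSid
$domainSid  = Get-DomainSid
"Machine SID : $machineSid"
"Domain SID  : $domainSid"
if ($machineSid -eq $domainSid) {
    # Exactly the situation in the thread: the member server was cloned from the DC's
    # image, so domain SIDs look like local SIDs to it and are never sent to the DC.
    Write-Warning 'Machine SID equals domain SID: this server shares an image with the DC. Rebuild it from a sysprepped image; anonymous-access policy changes will not help.'
}

Get-AnonymousAccessSettings | Format-List
```

A blank value in the settings report means the registry value was never written, so the OS default applies. Treat the six options as something to verify, not to loosen: enabling anonymous SID/Name translation, anonymous SAM enumeration and null-session pipes is exactly what an unauthenticated attacker relies on for user enumeration, and on a server that resolves every other domain SID correctly they are not the cause of one unresolved entry. If the machine SID check fires, no policy change will fix it; the server has to be rebuilt, as the poster found.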
