Domain Admins group does not automatically add to local Administrators group

  • Question

  • Hello,

    I just recently set up a test Windows 2008 domain with a new forest and DNS. No major changes to the new domain so far. I set up a user and added them into the Domain Admins group. Then I set up a new server that I was going to use as a test print server. I was successfully able to add the server to the new domain using the new account that I set up and can see it in the Computers OU; however, I've noticed that on the new server the Domain Admins group did not automatically get added into the local Administrators group on the server.

    I thought this was the default by design. Am I missing adding the Domain Admins group to something? I verified that the group is added to BUILTIN\Administrators, and while logging into the PDC as my new account I am a domain admin... I've tried re-adding the server to the domain and running GPUPDATE, and no luck.

    Has anyone else experienced this or know how to resolve this?

    Thank you for your help.
    Wednesday, December 9, 2009 4:58 PM

Answers

  • I am running into the same issue. I cannot find the Domain Admins group. Using Windows Server 2008 R2 as DC and a member server. Need help with this issue!! I have UAC disabled. I cannot add domain accounts to the local Administrators group either!!


    Dec 23 - After a lot of research here's what I found:

    I had two VMs running Windows Server 2008 R2. One was the domain controller and the other was a member joining the domain. I had installed the DC OS from disk. But for the member VM, I had copied the virtual disk from the DC. The member VM joins the domain successfully, but does not contain Domain Admins as part of the local Administrators group, nor can you add a domain user or group to the local Administrators group.


    Resolution:

    Deleted both the VMs and created a clean install of the OS for both VMs from disk (ISO file). This resolved the issue. I believe the issue was caused by duplication of SIDs, since the member machine was an image of the DC OS.
    • Proposed as answer by Gigen_Thomas Wednesday, December 23, 2009 7:51 PM
    • Marked as answer by rheyman Thursday, July 22, 2010 11:04 PM
    Wednesday, December 23, 2009 12:01 AM
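    A diagnostic for the cloned-disk cause described in this answer, added here as an example (not code from the thread or from Microsoft): it compares the member server's machine SID with the domain SID and enumerates BUILTIN\Administrators by SID rather than by name, so a duplicate-SID member is spotted before anyone rebuilds or runs sysprep. It assumes an elevated PowerShell on the domain-joined member server, run under a domain account so that `$env:USERDOMAIN` holds the domain's NetBIOS name.

```powershell
# Added example, not from the thread. Run elevated on the domain-joined member
# server under a domain account. Detects the duplicate-SID condition and checks
# Domain Admins membership by SID, since name-to-SID mapping is what breaks here.

function Get-MachineSid {
    # The local Administrator account SID is <machine SID>-500; drop the RID.
    $acct = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\Administrator")
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid
}

function Get-DomainSid {
    # Domain Admins is <domain SID>-512; drop the RID the same way.
    $acct = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Admins")
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid
}

function Get-LocalAdministratorsBySid {
    # Enumerate BUILTIN\Administrators through ADSI (available on 2008 R2, unlike
    # Get-LocalGroupMember) and return each member as its SID plus resolved name.
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $raw = $m.GetType().InvokeMember("objectSid", "GetProperty", $null, $m, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "<unresolved: no mapping between account name and SID>" }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }
}

$machineSid = Get-MachineSid
$domainSid  = Get-DomainSid
"Machine SID: $machineSid"
"Domain SID:  $domainSid"
if ($machineSid.Equals($domainSid)) {
    Write-Warning "Machine SID matches the domain SID: this server was cloned from the DC's disk. Rebuild from ISO or run sysprep /generalize, then rejoin the domain."
}

$members = @(Get-LocalAdministratorsBySid)
$members | Format-Table Sid, Name -AutoSize
$daSid = "$domainSid-512"
if (($members | ForEach-Object { $_.Sid }) -contains $daSid) {
    "Domain Admins ($daSid) is a member of local Administrators."
} else {
    Write-Warning "Domain Admins ($daSid) is not a member of local Administrators."
}
```

    A healthy member shows a machine SID that differs from the domain SID and lists `<domain SID>-512` with the name DOMAIN\Domain Admins; the cloned case shows matching SIDs and unresolved entries.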

All replies

  • Yes that has always been the default in every domain I have ever installed... not sure why it would not be the case in your situation. So if you go into computer management on the member server (Start -> Run -> compmgmt.msc) and expand the Local Users and Groups node, then click Groups, then double click the Administrators group, what is actually listed in there? Is it just Administrators and the local admin account on that server?

    Oh, and by the way, you don't need to be a domain admin to join computers to the domain; any domain user account can by default join up to 10 machines to the domain, if I remember rightly. Sorry if you already knew that, but from this statement it sounded like you thought that this proved your account was domain admin: "I was successfully able to add the server to the new domain using the new account that I seutp" :)
    Wednesday, December 9, 2009 6:57 PM
  • Thanks for confirming that; I thought I was losing my mind... The only account that is listed in the Administrators group is the Administrator account.

    I've tried fiddling with the Local Policy settings in the Default Domain group policy, thinking maybe I was missing something in the User Rights Assignment, and still no go... I'm kind of at a loss on this one...

    You are correct on users adding computers to the domain... I did know that, but I forgot... I usually adjust the setting in User Rights Assignment:
    "Add workstations to domain

    This security setting determines which groups or users can add workstations to a domain.

    This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain. "
    Wednesday, December 9, 2009 7:06 PM
  • That should be the case - unless someone either removed Domain Admins from the local Administrators group on the server or you have Restricted Groups Policy setting in place that enforces this configuration...

    hth
    Marcin

    Wednesday, December 9, 2009 7:07 PM
  • What was this member server doing before you joined it to the new domain? i.e. is it a fresh build or has it been used for years in another domain etc

    Oh, and thanks for confirming the number of workstations users can add :) I wasn't sure if I had just made that number up!
    • Proposed as answer by TalEiz Thursday, May 28, 2015 6:20 PM
    Wednesday, December 9, 2009 7:09 PM
  • It's a fresh build... nothing has been installed on the box yet...

    Marcin: Just verified. The Domain Admins group is a member of BUILTIN\Administrators and there is no Restricted Groups setup in the Domain Policy.
    Wednesday, December 9, 2009 7:27 PM
  • When you say BUILTIN\Administrators I assume you are talking about on the DC?
    Wednesday, December 9, 2009 7:28 PM
  • No, it must be the BUILTIN\Administrators group on the member server. DCs have no local accounts (other than for recovery mode).

    Richard Mueller
    MVP ADSI
    Wednesday, December 9, 2009 7:55 PM
  • I meant the Administrators group within the "Builtin" container on the DC. Sorry, didn't mean to confuse anyone.
    Wednesday, December 9, 2009 9:08 PM
  • Yeah, sorry, that's what I was referring to as well; I didn't mean the local accounts. I really can't explain why you are having that problem. Have you tried joining another machine to the domain (just an XP workstation or something) to see if that does the same thing?

    Wednesday, December 9, 2009 10:12 PM
  • No... I haven't yet... This test network is on a VM server... I haven't set up a computer yet. I mistakenly installed 2008 (non-R2), so I'm downloading the R2 copy and going to take it again from the start...

    This is one issue I've never run into and can't really find an answer for either...
    Wednesday, December 9, 2009 10:40 PM
  • It sounds like "just one of those things", to be honest. I know that's not an answer or anything, but I bet when you install it all again with R2 you will not get this issue. I've been having a look on the internet and can't find any other cases at all of people experiencing this problem..

    Wednesday, December 9, 2009 10:44 PM
  • awe... Google was supposedly my best friend... Looks like I might have to Bing things from now on...
    Wednesday, December 9, 2009 11:26 PM
  • So here's something interesting...

    I rebuilt the entire domain from scratch again. Both servers are fresh new installations with no changes. I added the newly installed server to the domain successfully, went into the Administrators group on the new server (not the DC), and the Domain Admins group was not showing in the group. I attempted to manually enter the group, and when I tried to apply the changes I received a message stating that the Domain Admins group was already a member of the Administrators group, even though it does not show within the group.

    Anyone know if this is a new security feature of Windows Server 2008, that the Domain Admins group does not show in the local Administrators group on the PCs/servers?
    Friday, December 11, 2009 3:47 AM
  • I have never seen that issue on our 2008 servers, but I don't think I've ever inspected the local Administrators group; I just know that when I log in as a domain admin I do indeed have admin permissions... Can you confirm if you are actually restricted when you log in with a domain admin account?
    Also, what version of 2008 are you using? It's not a Beta or anything, is it?

    Chris
    My blog: http://cjwdev.wordpress.com
    Tuesday, December 15, 2009 9:00 AM
  • Sorry for the late reply....

    No, we're not using a beta version of 2008. It's 2008 Std R2.

    What I've noticed is that when I do log in, I do have Domain Admin rights even though the Domain Admins group does not show in the local Administrators group.

    I've also noticed that on Windows XP boxes that I've joined to this test domain, the Domain Admins group DOES show in the local Administrators group. So, my guess is that with Windows 2008 there's some "security" feature somewhere that does not show the DA group in the local Administrators group...

    Plus, have I mentioned how much I HATE the new UAC??? It's so f'ing painful to administer a machine while it's turned on, even if you're a Domain Admin....
    Friday, December 18, 2009 8:21 PM
  • Yeah, I disabled UAC within about a week of having our first 2008 server... :P I thought it was supposed to be a lot better in R2 though, seeing as it's a lot better in Windows 7.

    Have you tried disabling it, just to confirm that it is that that's preventing you from seeing the Domain Admins group in the list?
    My blog: http://cjwdev.wordpress.com
    Friday, December 18, 2009 9:03 PM
  • Dear rheyman, I'm facing the same issue here; I can't see the Domain Admins group. I'm using Windows Server R2 for the DC and member server, the same thing as you mentioned here.
    Please tell me if you figured out this issue................ because this drives me crazy..... :)

    Thank you very much

    MGA2008
    Saturday, December 19, 2009 6:32 AM
  • MGA2008 - do you have UAC enabled?
    My blog: http://cjwdev.wordpress.com
    Sunday, December 20, 2009 10:01 PM
  • Yeah. Gigen_Thomas was right!

    To reduce time, I made a sysprep image. But one thing I missed: checking "Generalize".

    So, after I ran sysprep again with the Generalize option, a new SID was created.


    I wanted to tell you this:
    "No need to clean install on every computer, but sysprep with the Generalize option."

    Nice day~!
    Carpe Diem...
    • Proposed as answer by Steve IM Monday, January 18, 2010 5:49 AM
    Monday, January 18, 2010 5:48 AM
  • This worked great! On your 2008 R2 box, execute the file 'C:\Windows\System32\Sysprep\Sysprep.exe', check 'Generalize', and confirm.
    Wednesday, July 14, 2010 7:01 PM
  • Thanks, Chris123, for your interest.

    Actually I followed the solution proposed by Gigen Thomas and it works; the problem was using cloned VMs in the test environment.

    For Windows Server 2003, copying and cloning VMs and applying tools like SID change to simulate a production environment was allowed, but when it comes to Windows Server 2008 such things don't work; you have to create all VMs from scratch using the CD or ISO image, as Gigen Thomas said.

    Resolution:

    Deleted both the VMs and created a clean install of the OS for both VMs from disk (ISO file). This resolved the issue. I believe the issue was caused by duplication of SIDs, since the member machine was an image of the DC OS.

    If you clone Windows Server 2008 VMs it will work, but you will lose some functionality and face the issue that is the topic of this thread.

    MGA2008
    Friday, July 23, 2010 8:47 PM
  • Thank you! I wasn't aware of this utility. I removed the member machine from the domain, ran sysprep.exe, and selected OOBE and Generalize. Afterward, I was able to join the domain again and Domain Admins appeared under the local Administrators group.

    More importantly, this resolved the cryptic error I encountered when I attempted to activate OCS 2007:

    [0x80070534] No mapping between account names and security IDs was done
    • Proposed as answer by Scott.B Wednesday, June 13, 2012 11:33 AM
    Friday, July 30, 2010 1:43 PM
  • Unfortunately it also wipes out the activation. MAK keys only have 10 activations (such as the TechNet/MSDN Subscription ISOs I build labs with) and you can wipe out that many building one or two labs. I don't know about you, but it takes me weeks to build labs and they have a life span longer than the "trial" period you get if you don't activate them. So for me this is not an acceptable solution. With 2003/XP and older I used NewSID, which doesn't work with 2008.
    • Proposed as answer by Saleh_tiib Tuesday, September 27, 2011 12:12 PM
    • Unproposed as answer by Saleh_tiib Tuesday, September 27, 2011 12:12 PM
    Wednesday, August 4, 2010 1:33 AM
  • .


    hello , i have problem in my network , i have 400 pc in my domain it is windows 2003 server, but 3 pc-  in my domain-  always domain admin group  deleted , what i can do pls help me i have about 100 pc install on install on it windows 7 and all pc that i have problem in it have os windows 7 . thx>>>>>

    saleh


    • Edited by Saleh_tiib Tuesday, September 27, 2011 12:12 PM
    Tuesday, September 27, 2011 12:11 PM
  • Hello,

    Please make sure to follow:

    http://www.frickelsoft.net/blog/?p=13

    And especially keep track of:

    "As we do not want to add users or other groups to our group, but add our localAdmins group the local Administrators group on our clients, we have a look at the lower box - labeled “This group is member of”. We click “Add” and type in the name of the group, we want localAdmins to be member of. In this case, it “Administrators”. We then simply click “OK” and “Apply” and close all windows. “This group is member of” advices “Restricted Groups” to add our localAdmins group into the “Administrators” group of the clients. The existing group members will not be touched - it simply adds our group."


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, September 27, 2011 12:13 PM
  • Yes, it works.
    Wednesday, December 14, 2011 3:28 PM
  • Great............

    It WORKS, resolved the issue.........

    Wednesday, December 14, 2011 3:29 PM
  • Thanks to Gigen Thomas for helping me to reduce the time spent recreating VMs. Yes, it worked for me too!!!

    I just ran Sysprep on the member server with the "Generalize" option checked to regenerate the SID.

    Thanks,

    Kiran


    • Edited by Kiran Marri Monday, January 25, 2016 9:42 PM
    Monday, January 25, 2016 9:38 PM