Active Directory Problem

[clarky2k3]

I have just cleaned up our active directory as it was a shambles. I have also changed some group policys for the better. However now i cannot add the administrators security group to a user account! It is in the active directory but when adding it to a user it cannot find it! To add to the problems I cannot add a computer to the domain as the error msg is that the domain controller isnt available! HELP!!! Please!

[sahmeepee]

I have just cleaned up our active directory as it was a shambles. I have also changed some group policys for the better. However now i cannot add the administrators security group to a user account! It is in the active directory but when adding it to a user it cannot find it! To add to the problems I cannot add a computer to the domain as the error msg is that the domain controller isnt available! HELP!!! Please!

Can you connect to the DC? Can you log on to it?

[clarky2k3]

Yeah I can log into the DC. I was trying to add the administrators group to a user while logged in to the DC.

[Ric_]

Have you tried goold old NETDIAG and DCDIAG?

[clarky2k3]

No i havent tried that yet but will give it a go in the morning!

[JamesC]

Yeah I can log into the DC. I was trying to add the administrators group to a user while logged in to the DC.

There lies your problem - adding a group to a user? what is that?

Are you sure you don't mean 'add a user to a group' or 'make a user a member of a group'?

[clarky2k3]

Yeah i meant adding a user to the administrators group. Thanks. This problem has screwed my head up!

[JamesC]

Have you got any info on what you 'cleared up' clarky?

[clarky2k3]

Our users are in seperate OUs depending on year group but these user groups were under the domain conrollers OU so i moved the OUs to a new Curriculum Users OU in our domain. I deleted the gpo linked to the OU and created a new GPO with some revised settings.

[JamesC]

How many of your servers are domain controllers? Have you tried using Users and Computers to connect to each domain controller to check that changes have replicated to all of them?

[clarky2k3]

We have two domain controllers and I have checked the other domain controllera and the changes have been replicated.

[azrael78]

While I've read your posts - what is it exactly you are trying to do?
There is an 'Administrators' group on the DCs and member servers and there is 'Administrators' on the local PCs.

While you can add users directly to the 'Administrators' group, it's usually best to create a group to house these users, and then add that group to the 'Administrators' group - the Domain Admins group is a member of the 'Administrators' group on a DC, so it may be worth adding people to that group instead of 'Administrators'.

It's worth noting that giving someone Local Admin (on a workstation/member server) and giving someone Local Admin (on a DC) are very different in terms of what they can do.

Local PC/Member Server - Same deal, they have full administrative access to the PC or Server, but their access (unless you grant them more access elsewhere) - remains at that server.

DC - Giving anyone Admin access here grants them full admin access to this DC and any other DCs in your forest - this means they can do literally 'anything' with your domain - from adding users/computer accounts to using ADSIEDIT and playing with the schema. What I'm not sure is if 'Administrators' on a DC gives you full admin rights across child domains as well or whether it only gives it to you for a single domain.

Hopefully some of this was helpful.

Az

[clarky2k3]

I came in this morning and everything was fine! Thanks for everyones help!