Need help please, Having trouble finding/adding users for purpose of granting permissions or adding them to groups in a win 2k domain on an XP workstation.
I am having trouble getting users added into NTFS permissions or into groups. I have a single Win 2K server network, the W2K box is set up as a domain controller. I also set up a simulation in my lab of an XP Pro workstation and a single W2K Server running as the Domain controller. In both networks, the real one and the lab simulation, when I go to select a user to add into the group or to add to the NTFS permissions I can not find the Domain Users. I can only get a list of the local users.
For example:
I go to the XP computer and open the Computer Management console in control panel or the NTFS Security permissions tab. I then choose "Add User" and then click on the "Advanced" button. This brings up the "Select Users" window. In the "Locations" box under "From this location:" it shows the name of the local machine (The name of the XP workstation). I can not type in the box. If I click on the "Locations" button I get the option to select the location that I want, but the only thing that shows is a picture of a computer with the name of the local computer showing. I get no option or drop down list etc. that will let me pick the domain server for the location of the user. If I click on the computer picture nothing happens. If I click the "Find Now" button I get a list of all the users and groups on the local workstation.
In the lab I have 2 systems running in a secure network and I have no firewalls, no anti-virus, no anything running except the default settings. I have all the latest Service Packs installed on all systems in and out of the lab.
On the real world workstation I have a user that was originally created in Win 98. The WS was later upgraded to Win XP Pro. The drive was converted to NTFS. This user is not a member of the admins groups and never will be. This is a system I have inherited, I did not do the initial setup. I did do the Win98 to XP upgrade. If I log in as the existing user and go through the steps mentioned above I can get an option to look to a different location, i.e. the domain server, for users to add to the security/groups properties, but of course due to the lack of access rights of this user I can not actually add the user in. The users that do have the access rights on both the workstation and the domain do not get the option to find/locate/see etc. the domain server for users to add to the various security/group areas.
On the systems in my lab I set up both the server/domain and the XP box from scratch. The XP box was not an upgrade from 98. It has the same lack of location choice problems that the production system has.
This workstation is going to be accessed remotely from India and I need to lock the user who will access it from India out of everything except just the local folders and apps that he needs to run and access. I intend to remove all blind access from root on down to the users group and wish to replace the users group with one that only has the users I want to explicitly give access to etc, etc.
So, how can I get the "Select Users" box to give me the option to look to the domain for the users?
Any and all help will be greatly appreciated,
Thanks in advance,
Ralph Malph
Paul Adare - MVP - Microsoft Virtual PC
In article , in the microsoft.public.win2000.security news group, says...
> So, how can I get the "Select Users" box to give me the option to look to the domain for the users ?
If all you're seeing is the list of local user accounts and not the domain, and if you're sure that the XP box is actually joined to the domain, then you're logging on to the XP box with a local user account. You need to log on to the XP box with a domain account in order to enumerate the domain objects.
--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no rights.
Make sure that your computer has been properly joined to the domain, which you normally would do through System Properties/computer name - where you would change from workgroup to domain and be prompted for domain credentials to join the domain. Just adding a computer name to the computer container in AD Users and Computers does NOT join a computer to the domain. If it is properly joined to the domain, the domain users group from the domain should be in the local users group and the domain admins group from the domain will be in the local administrators group. Also run the support tool netdiag on the XP Pro computer to see if it reports any errors such as dns, dclist, kerberos, or trust/secure channel which can indicate a problem with domain membership. Also see the link below on Active Directory dns faq which explains exactly how your dns must be configured in order for a domain to function properly. Make note to NEVER have the IP address of an ISP dns server in the preferred dns server list of tcp/ip properties as shown via Ipconfig /all for any domain computer or any computer you are trying to join to the domain.
--- Steve
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 -- this MUST be correct.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag and how to install support tools including dcdiag.
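The DNS check from the reply above (read `ipconfig /all` on a domain member and confirm that no outside DNS server is listed), as an added Python example that is not part of the original thread. The sample output, host names, addresses and function names are constructed for illustration, and the parser handles IPv4 addresses only.

```python
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : XPWS01
        Primary Dns Suffix  . . . . . . . : corp.example.local

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.50
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.10
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LABEL = re.compile(r"^(.*?)[ .]*:\s*(.*)$")   # "Name . . . : value"

def dns_servers(ipconfig_text):
    """Return {adapter name: [DNS servers in the order listed]}."""
    result, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if line[:1].strip() and stripped.endswith(":"):
            # Unindented line ending in ':' starts a new adapter section.
            adapter, in_dns = stripped[:-1], False
        elif in_dns and IPV4.match(stripped):
            # Second and later DNS servers appear on unlabeled lines.
            result.setdefault(adapter, []).append(stripped)
        else:
            m = LABEL.match(stripped)
            in_dns = bool(m) and m.group(1) == "DNS Servers"
            if in_dns and IPV4.match(m.group(2)):
                result.setdefault(adapter, []).append(m.group(2))
    return result

def audit(ipconfig_text, domain_dns):
    """List (adapter, server, slot) for every DNS server that is not
    one of the domain's own DNS servers (domain_dns is an assumption
    supplied by the administrator)."""
    findings = []
    for adapter, servers in dns_servers(ipconfig_text).items():
        for pos, server in enumerate(servers):
            if server not in domain_dns:
                slot = "preferred" if pos == 0 else "alternate"
                findings.append((adapter, server, slot))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"192.168.1.10"}):
        print("non-domain DNS server:", finding)
```
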
Thanks for the help Steven !!!! That solved the problem. I had not considered the DNS, and assumed that if it needed to be set up this way the person who originally set up the system would have done so with the DNS as it should be, and that Microsoft would also prompt you to do so as you promote your server to a domain controller. But that is no excuse for me not to know better.
Again thanks for your help !!!!
Ralph Malph
On Tue, 12 Oct 2004 00:29:30 GMT, "Steven L Umbach" wrote:
Thanks for the help Paul !!! The solution was found in Steven's message. It was the DNS settings. Thanks again for trying.
Ralph Malph
On Mon, 11 Oct 2004 19:43:10 -0400, Paul Adare - MVP - Microsoft Virtual PC wrote: