Group Domain Admins cannot be found

I am trying to add a group (Global Security group) I have created in the
Users container to the Domain Admins group which is in the same
container, but when I try to add it on the "Member of" tab, Check names
is unable to find the group Domain Admins. The group definitely exists.
Object types it is looking for are Groups or Built in security
principals. Location is BLAHBLAH.dom. I have tried changing the
Location all the way down the tree to the actual Users container and it
still cannot find the group.
I have also tried to add this in the opposite direction by choosing the Domain Admins group and trying to add my group as a member but same thing, cannot find the group.

Any ideas please??

The reason I am trying to do this is to use a group temporarily to be added to local machine admins for an install using Kix.

The group has to be in the Domain Admins group to be able to add itself to a local machine Administrators group. The script then installs the software and then removes my group from the local administrators group.

I know it can work as I have just used the same procedures and scripts on one of our other domains and successfully installed Office 2007 across the domain.

What could be the difference in this domain to the other one??

This Domain does use separate containers for the different departments whereas the other domain was set up with everyone in the Users container, but my group is in the standard Users container along with the Domain Admins group, they just can't see each other!

--
SteveB
------------------------------------------------------------------------
SteveB's Profile: http://forums.techarena.in/members/61824.htm
View this thread: http://forums.techarena.in/active-directory/1144660.htm
http://forums.techarena.in

Steve:
I have a similar setup as you. However, what I find is that if I create the group as a GLOBAL group I CAN add it to the Domain Admins. However, if I accidentally create it as a, let's say, Domain Local group, it will not appear to be able to add to the Domain Admins group. So, double check the properties on that group that you are working with. If it is a Domain Local group, delete and create as a Global group.

Also, instead of doing a "check name" actually click on the Advanced button and do a find. If you don't see it in the list, it will never be added.

Good luck,
Craig

Thanks for the prompt reply Craig.
The group was a global group. Yes, I did try the Advanced Find as well.

Changing the Domain Functional level (mode) appears to have fixed my problem, it appears that global security groups are considered as Universal Security groups when it comes to the restriction.

I think the reasoning is:

In Windows 2000 Mixed mode (the default mode on install) Universal groups (includes Global??) are only enabled for distribution groups, it is disabled for Security groups.

Changing mode to Windows 2000 Native mode enables Universal groups for security groups too.

There are a couple of other differences as well.

It has certainly enabled me to add the group!

It seems whoever installed the AD just accepted the defaults even though there were no NT machines. I do have W2k servers as well as w2k3 so I have not raised the level to Windows 2003 interim or native mode yet.

Wonder what happens when I introduce a couple of 2008 servers ;)

Steve B

Hello SteveB,
Have a look here about group scopes, nesting and where they can be created:

http://technet.microsoft.com/en-us/library/cc755692.aspx
http://technet.microsoft.com/en-us/library/cc776499.aspx
http://technet.microsoft.com/en-us/library/cc781251.aspx

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hi Steve
Problem sorted, but advise since adding another group to domain admins, make use of the Restricted Groups setting to ensure not just any old person is getting added to the new global group and the domain admins group, you can set this on the default domain or default domain controller policy, I prefer the latter

--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA

Instead of adding the group to Domain Admins, which means that the members
will also be able to administer the Active Directory, servers etc., consider adding the group to the local Administrators group on the workstations using Restricted Groups in a separate GPO linked to the OU that has the computers you want them to be able to install Kix on.

Restricted Groups are in Computer Configuration, Windows Settings, Security Settings. Use the "This group is a member of:" part of the "Configure Membership for..." dialog box.

After Kix is installed, you could remove the user accounts from that group, or your Kix installation script could remove from the local Administrators group.

--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.

Thanks everyone, some very useful tips there. I particularly like the
Restricted Groups in GPO. I can make use of them.
Perhaps I should explain some of the reasons behind my choice of
methods in this case.
1) I have 5 companies in 3 buildings but only around 70 users in total
- 5 domains two of which are SBS. The five companies all belong to one
group company but prior to my appointment all ran their own systems with
a mixture of external support
2) I inherited the setups, all different, all badly documented
3) Some Domains use separate OU's for each department with computers
and users under that, others lump everyone under the general Users OU.
4) I wanted to upgrade the whole group to Office 2007 before our group
business software rollout. I wanted a simple automated method that
didn't mean I have to be on site. So I wanted a method that can be
easily ported and configured for each company.
5) After a long time haggling I finally got the companies to agree to a
combined purchase/rollout unfortunately this meant I had approx 5
working days to prepare and test the implementation. The implementation
had to be broken down by Department / Company, but NOT all machines
required the Office install.
6) I did try using a GPO originally but came across too many
permissions and other problems, so as 3 companies were using Kix, I
decided to script the install. Unfortunately I have only used Kix 3
times previously and then only to make small alterations to existing
scripts.
My final solution was to setup the network installation point for
Office using the OCT. Create a group which could be added to the local
machine Administrators group for install whilst logged in as the user,
that way the Office install can import that user's settings and previous
.pst etc so when they open Word etc any further user config is minimal.
To temporarily add a user to the local machine Admin group the user has
to be a domain admin, this is only for the duration of the install.
Members of the group only, would receive the install at logon (which of
course can be at any time of my choosing - log 'em off, log 'em on), as
each department was processed the relevant users would be added to the
group then, on successful install of the software, removed. Two text
files created and maintained by the scripts would track the machines
installed, and the failures if any. Existing Log On scripts would call
the install scripts which would check membership of the group, if not in
the group then log on continues normally, if in the group then the
rest of the install scripts run, adding group to local admin group,
mapping drives, installing software, updating my text files (records)
and removing from local admin group.
On a successful install of the department I remove the users in that
department from the group so they don't get the install scripts again.
It is probably a convoluted way of running an install but was the
quickest I could come up with without having to go to each machine.
Anyways it has worked so far ;)
Thanks again for the help and suggestions
--
SteveB
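
The concern raised in the replies above, that every member of a group nested in Domain Admins becomes a domain administrator, shown as an added example that is not part of the original thread. The group and user names (including `Office2007-Install`) are hypothetical and the directory is constructed sample data so the script runs without a domain.

```powershell
# Constructed sample directory: group name -> direct members.
# A member that is itself a key is a nested group; anything else is a user.
# 'Office2007-Install' is a hypothetical name for the temporary install group.
$Directory = @{
    'Domain Admins'      = @('Administrator', 'Office2007-Install')
    'Office2007-Install' = @('alice', 'bob', 'Sales-Temp')
    'Sales-Temp'         = @('carol', 'Office2007-Install')   # circular nesting on purpose
}

function Get-EffectiveMember {
    # Emits one object per user reachable from $Group, with the nesting path.
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][hashtable]$Directory,
        [string[]]$Path = @()
    )
    if ($Path -contains $Group) { return }   # group already on this path: break the cycle
    $Path = $Path + $Group
    foreach ($member in $Directory[$Group]) {
        if ($Directory.ContainsKey($member)) {
            # Nested group: expand it, carrying the path so far.
            Get-EffectiveMember -Group $member -Directory $Directory -Path $Path
        } else {
            [pscustomobject]@{
                User   = $member
                Via    = $Path -join ' > '
                Nested = ($Path.Count -gt 1)   # true when rights come through nesting
            }
        }
    }
}

$effective = Get-EffectiveMember -Group 'Domain Admins' -Directory $Directory

# Accounts that hold Domain Admins rights only because of group nesting.
$effective | Where-Object Nested | Sort-Object User | Format-Table User, Via -AutoSize
```

On a domain-joined machine with the ActiveDirectory module, `Get-ADGroupMember -Identity 'Domain Admins' -Recursive` returns the flattened member list to compare against what is expected after an install group has been removed.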