
This is a 2000 functional level domain :( :( :( *

I have a domain local security group in domain A which contains 1 user from a domain B and several from domain A.

On a server in domain A, I can add this domain local group to the local machine Administrators group via 'net localgroup'; however, after doing this I notice that the members of that group aren't being given local admin permissions (can't remote login, etc.).

When I look at local groups via the Computer Management GUI I can see the domain local group. I tried to delete it and add it back via the GUI; however, the domain local group can't be found. I can see all the global groups, but not any domain local ones.

I've searched and can't find anything that indicates this shouldn't work.

Should I be able to add a domain local security group to a local machine Administrators group? If so, why would I not be able to find the object using the group management GUI?

jhayes
  • This sounds like you have bigger issues on Domain A. Are there any errors in your DC AD error logs? – Zypher Oct 20 '11 at 22:17
  • Nothing I see that indicates a problem; everything else works just fine. I can't seem to confirm that I should be able to add domain local groups to local machine groups though. – jhayes Oct 20 '11 at 22:27
  • Is your domain at least at Windows 2003 Server functional level? I seem to recall that this doesn't work in Windows 2000 or earlier functional level domains. – Harry Johnston Oct 21 '11 at 00:21
  • &^%%$** - no, it's 2000. I'm sure it's something to do with that. There are reasons beyond our control that prevent upgrading the domain functional level, even though almost everything is running 08 server. It is slowly driving me insane. – jhayes Oct 21 '11 at 03:06
  • It's worth noting that testing around this particular matter is confounded by the resistance of administrator access tokens to reissuance as described in [this question](https://serverfault.com/q/997982/115232). – alx9r Jan 07 '20 at 20:50

3 Answers

1

Workstation SAMs act in many ways like separate domains with a one-way trust relationship. So while I can't find it explicitly documented, I don't find it surprising that this doesn't work, as it is analogous to adding a domain local group from one domain into a domain local group from another domain, which isn't allowed (see table 7-1).

(The only odd thing is that it seems to work if the domain is Windows 2003 functional level, and I can't find this change documented either.)

In any case, you should be able to solve your problem by changing the domain local group into a universal group. Assuming you are at least running in Windows 2000 native mode and not Windows 2000 mixed mode, universal groups are supported, and they are specifically designed for this sort of scenario.

Harry Johnston
  • Of course it's mixed mode. We get things properly b0rke3d around here :-\ – jhayes Oct 24 '11 at 18:17
  • [This image](https://public.blu.livefilestore.com/y1prbG1T5B1-rHyLcKPje-dU24ojA9yBg2j6JiHfBidvWow7A9laryOntyQfaURJAam8a3B1VcG1DymvYqDulMHKQ/AD%20Group%20Strategy%206425B%20Mod%204%2C%20p%204-16%2C%20Group%20Scopes%20Summarized.jpg?psid=1) linked from [this question](https://serverfault.com/questions/886792/agdlp-global-vs-local-groups-for-job-role-groups) is the closest documentation I've found. It suggests that domain local groups from the same domain can be members of local groups. Despite that, in my tests adding a domain local group to BUILTIN\Administrators fails while a global works. – alx9r Jan 06 '20 at 22:41
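The diagnosis and fix in this answer can be scripted. The following is an added example, not code from the answer or from Microsoft; it assumes the ActiveDirectory module (RSAT) on the machine running it, PowerShell remoting to the member server, and `Get-LocalGroupMember` (Windows Server 2016 / Windows 10 or later) on that server. `ServerX Local Admins` and `SERVERX` are placeholders for the domain local group and the domain A member server. It reads the domain's `nTMixedDomain` attribute to tell Windows 2000 mixed mode from native mode, checks the group's scope, confirms by SID (not by name) whether the group is really present in the server's BUILTIN\Administrators, and, only when native mode permits it, converts the group to universal scope as the answer suggests.

```powershell
# Added example (not from the original answer). Placeholders below: $GroupName, $ServerName.
Import-Module ActiveDirectory

$GroupName  = 'ServerX Local Admins'   # placeholder: the domain local group from the question
$ServerName = 'SERVERX'                # placeholder: the domain A member server

# 1. Functional level and Windows 2000 mixed/native mode.
#    nTMixedDomain = 1 means Windows 2000 mixed mode (no universal security groups);
#    0 means native mode.
$domain = Get-ADDomain
$mixed  = (Get-ADObject -Identity $domain.DistinguishedName -Properties nTMixedDomain).nTMixedDomain
"Domain mode: $($domain.DomainMode); nTMixedDomain = $mixed"

# 2. Scope and category of the group being nested into the local Administrators group.
$group = Get-ADGroup -Identity $GroupName -Properties Members
"Group scope: $($group.GroupScope); category: $($group.GroupCategory)"

# 3. Is the group actually a member of the server's local Administrators group?
#    Compare SIDs so that a member the server cannot resolve to a name is still reported.
$localAdmins = Invoke-Command -ComputerName $ServerName -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, SID, ObjectClass
}
$present = $localAdmins | Where-Object { $_.SID.Value -eq $group.SID.Value }
if ($present) { "Found in BUILTIN\Administrators on $ServerName as $($present.Name)" }
else          { "NOT found in BUILTIN\Administrators on $ServerName" }

# 4. The fix from the answer: DomainLocal -> Universal. Requires native mode, and the
#    conversion is refused if the group itself contains another domain local group,
#    so check for that first.
if ($group.GroupScope -eq 'DomainLocal' -and $mixed -eq 0) {
    $nested = foreach ($dn in $group.Members) {
        $m = Get-ADObject -Identity $dn
        if ($m.ObjectClass -eq 'group' -and (Get-ADGroup -Identity $dn).GroupScope -eq 'DomainLocal') {
            $m.Name
        }
    }
    if ($nested) {
        "Cannot convert: nested domain local group(s): $($nested -join ', ')"
    } else {
        # -WhatIf shows the change without applying it; remove it to perform the conversion.
        Set-ADGroup -Identity $group -GroupScope Universal -WhatIf
    }
}
```

Step 3 is the check the question was missing: the Computer Management GUI and `net localgroup` show names, so a membership that was written but never takes effect is easiest to confirm by SID. Step 4 deliberately refuses to run in mixed mode, which is exactly the situation the asker turned out to be in.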
1

I've had a similar issue: I could add a domain local group to a local group on a domain member (e.g. "net localgroup administrators /add NameOfDomainLocalGroup") but the membership didn't display (e.g. in output of "net localgroup administrators") and the membership didn't take effect.

I tracked the cause down to having cloned both the domain controller and domain member from the same OS image (Server 2008 R2) without a sysprep step. (Duplicate SIDs)

After I ran sysprep on the domain member and re-added it to the domain all was fine :)

DeonVDW
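A quick way to confirm the duplicate-SID condition this answer describes before rebuilding anything. This is an added example, not the answer's own procedure; it assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module on each member server and PowerShell remoting to them, plus the ActiveDirectory module where the domain SID comparison is used. The computer names are placeholders. The machine SID is recovered by taking the built-in Administrator account (always RID 500) and dropping the RID; two machines cloned from one image without sysprep will return the same value. Domain controllers have no local SAM, so `Get-LocalUser` cannot be used on them; the assumption made here is that a DC built from the same unsysprepped image shows up as a member whose machine SID collides with the domain SID, so the domain SID is included in the comparison.

```powershell
# Added example (not from the original answer). Computer names are placeholders.
Import-Module ActiveDirectory

function Get-MachineSid {
    # The machine SID is any local account SID with its final component (the RID) removed.
    # The built-in Administrator account always has RID 500, so it is a stable anchor.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $sid = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value
    }
    return ($sid -replace '-500$', '')
}

function Test-DuplicateMachineSid {
    # Collects machine SIDs from the given member computers, adds the domain SID
    # (assumption: a DC cloned from the same image collides with it), and reports collisions.
    param([string[]]$ComputerName)
    $table = foreach ($c in $ComputerName) {
        [pscustomobject]@{ Computer = $c; MachineSid = Get-MachineSid -ComputerName $c }
    }
    $table += [pscustomobject]@{ Computer = 'DOMAIN'; MachineSid = (Get-ADDomain).DomainSID.Value }

    $dupes = $table | Group-Object MachineSid | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupes) {
        "DUPLICATE SID $($d.Name) shared by: $($d.Group.Computer -join ', ')"
    }
    if (-not $dupes) { 'No duplicate machine SIDs found' }
    $table
}

# Placeholders: the member servers suspected of coming from one unsysprepped image.
Test-DuplicateMachineSid -ComputerName 'MEMBER1', 'MEMBER2'
```

If a collision is reported, the remedy is the one the answer used: `sysprep /generalize` on the affected member (which regenerates its machine SID) and then rejoin it to the domain.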
0

Look up Microsoft's AGDLP design best practice. Your accounts should go into global groups, and your global groups should go into domain local groups. You then assign permissions to domain local groups.

So in your case, create a DL group called "ServerX Local Admins" and add that to the local Administrators group on the server. Create a Global group with a meaningful representative name and add the account from Domain B to that group. Then, add that group to the DL group.

Matt
  • If he can't add the DL group to the Administrators group, this doesn't help. – Harry Johnston Oct 21 '11 at 02:47
  • Just for grins, I tried to add my DL group to the global group; nope, can't see it :( – jhayes Oct 21 '11 at 03:13
  • Other way round: add the global group to the DL group. @HarryJohnston, it might help if the DL group doesn't contain an account from another domain. – Matt Oct 21 '11 at 03:45
  • The account from the other domain is the entire point, and I CAN'T ADD DL GROUPS TO THE LOCAL MACHINE ADMIN GROUP, WHICH IS THE REASON FOR THE QUESTION. I can just add the user account from the other domain to the local machine admin group, but I was hoping to use groups and not have individual users listed. Oh well :-\ – jhayes Oct 21 '11 at 13:49