Add domain user\group to local admin group problem

I have two Windows Server 2008 servers. One is a DC and the other is a member
server. I created a global security group in AD and tried to add it as a
member of the local Administrators group of the member server. I am able to
add it but if I open it back up the group is not listed. I have tried to
other tests and if I click Apply instead of OK the domain group\user
disappears instantly.
If I try to add the same domain group\user it says that they are already
members once I click OK\Apply.
Any Ideas?
-dm

More info:
I am running these both as Virtual Machines in Virtual Server 2005 R2 SP1.
They are both differencing disks built from the same parent disk (the parent
is a base install of Server 2008). I sysprepped the member server before
joining it to the domain.
I have since added a third member server (built from same parent disk and
sysprepped as well) with the same results. I tried doing it with a Vista
member server and had no problem.

Restricted Groups in Group Policy can enforce the membership in local
Administrators groups. It sounds like this is happening to you. There are
several kb articles on this, such as:

http://technet.microsoft.com/en-us/l.../cc756802.aspx

can you describe the exact steps?

This is a fresh install with no custom setting in AD. I checked and I didn't
see any Restricted Groups configured in the default domain policy.

So I have a default install of Server 2008 with ADDS role added (using 2008
functional level). The Windows 2008 member server is a default install as
well.
On the DC, I create a global security group in AD, create a new user and add
it to that group.
On the member server, I open Server Manager, expand Local Users and Group,
open the properties of the local Administrators group, and add the Group from
AD.
If I immediately click OK and then open the properties of the local
administrators group it does not list the AD group I added.
I have rebooted by VMs and checked the group membership after an hour or
more just in case and still no group.
Now if I try to add the group again it will let me, but once I click OK it
will then say that the AD group is already a member of the local
Administrators group.
I think that is it but let me know if you need more info.

If i follow your steps i can not reproduce your problem. It works as expected
in my test domain. Functional level is also 2008.

Functional level is Server 2008.

Ok, can you try to remove that member server from the domain and re-add it
again? then test.
Also check if you have errors in eventvwr.

Maybe this has something to do with licensing issue? Not
enough client access license maybe?

FYI, I tried and could not reproduce the issue in a classroom environment.
Functional level also 2008.

the same storage based virtual xen server environment. I can add the
domain user to the local admin groups on one of the windows 2008
member server (this member server is also virtual machine on the same
storage), but the domain user doesn't show up in the local admin group
window and because of that this domain user doesn't have admin rights
on the local server, trying to readding gain to the local admin group
says "this user is already member of this group", any
ideas?

Clones? Did you sysprep the machines first or simply added a clone with
identical SIDs? Sysprep will force the installation to create a brand new
SID for all components that have a SID associated to it's identity. If not,
I can see why this may be happening and why I cannot reproduce it.

Hello all. I have the same issue and I do sysprepped the VMs. My VMs are TechNet licenced, BTW. If you guys have any ideas or workaround on what can be happening, please advise.

I will try to create a VM from scratch and add it to the domain and see if the same behavior happens; I'll let you know.

This thread is so long, I am not sure exactly what 'same' problem you are
having. Is it based on the original thread's subject line:
"> Re: Add domain usergroup to local admin group problem?"

If not, and will also be helpful, to specifically state what exact problem
you are seeing.

As far as Sysprep, it's always a good practice to use Sysprep to insure each
machine has it's own unique SID, however you will need to use a VL (Volume
License) copy of an the operating system, and not something such as a retail
version, or TechNet, unless it it is an MAK (Multiple Activation). retail
versions and single installation TechNet copies are limited to one
activation and will be useless with Sysprep.

Hello Ace Fekay [MCT],

The last weeks some posters, or maybe one with different names???, are posting
in this format with pointing to some really old postings. I have tried to
inform them/he/she??? to better use there own one and describing there own
situation with all relevant information. I have the same thoughts as you
have, if the problem description really applies to the poster.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> "Guillermo Taylor" wrote in message
> news:20091015183719guillermotaylor@hotmail.com...
>
> Guillermo,
>
> This thread is so long, I am not sure exactly what 'same' problem you
> are
> having. Is it based on the original thread's subject line:
> "> Re: Add domain usergroup to local admin group problem?"
> If not, and will also be helpful, to specifically state what exact
> problem you are seeing.
>
> As far as Sysprep, it's always a good practice to use Sysprep to
> insure each machine has it's own unique SID, however you will need to
> use a VL (Volume License) copy of an the operating system, and not
> something such as a retail version, or TechNet, unless it it is an MAK
> (Multiple Activation). retail versions and single installation TechNet
> copies are limited to one activation and will be useless with Sysprep.
>
> Ace
>
>> Hello all. I have the same issue and I do sysprepped the VMs. My VMs
>> are TechNet licenced, BTW. If you guys have any ideas or workaround
>> on what can be happening, please advise.
>>
>> I will try to create a VM from scratch and add it to the domain and
>> see if the same behavior happens; I'll let you know.
>>
>> Thanks,
>>
>> Guillermo
>>
>> Ace Fekay [Microsoft Certified Trainer] wrote:
>>
>> Re: Add domain usergroup to local admin group problem 24-Dec-08
>>
>> In news:uaWdnT6FhovEE9fUnZ2dnUVZ_rmdnZ2d@giganews.com,
>> mike1610 <mike1720@yahoo-dot-com.no-spam.invalid> requesting
>> assistance,
>> typed the following:
>> Clones? Did you sysprep the machines first or simply added a clone
>> with
>> identical SIDs? Sysprep will force the installation to create a brand
>> new
>> SID for all components that have a SID associated to it's identity.
>> If
>> not,
>> I can see why this may be happening and why I cannot reproduce it.
>> --?
>> Ace
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT Microsoft
>> Certified Trainer
>>
>> For urgent issues, you may want to contact Microsoft PSS directly.
>> Please check http://support.microsoft.com for regional support phone
>> numbers.
>>
>> Previous Posts In This Thread:
>>
>> On Wednesday, December 10, 2008 6:54 PM
>> DangerMau wrote:
>> Add domain user\group to local admin group problem
>> I have two Windows Server 2008 servers. One is a DC and the other is
>> a
>> member
>> server. I created a global security group in AD and tried to add it
>> as a
>> member of the local Administrators group of the member server. I am
>> able
>> to
>> add it but if I open it back up the group is not listed. I have tried
>> to
>> other tests and if I click Apply instead of OK the domain group\user
>> disappears instantly.
>> If I try to add the same domain group\user it says that they are
>> already
>> members once I click OK\Apply.
>> Any Ideas?
>> -dm
>> On Wednesday, December 10, 2008 7:15 PM
>> DangerMau wrote:
>> RE: Add domain user\group to local admin group problem
>> More info:
>> I am running these both as Virtual Machines in Virtual Server 2005 R2
>> SP1.
>> They are both differencing disks built from the same parent disk (the
>> parent
>> is a base install of Server 2008). I sysprepped the member server
>> before
>> joining it to the domain.
>> I have since added a third member server (built from same parent disk
>> and
>> sysprepped as well) with the same results. I tried doing it with a
>> Vista
>> member server and had no problem.
>> -dm
>>
>> "DangerMaus" wrote:
>>
>> On Wednesday, December 10, 2008 8:52 PM
>> Richard Mueller [MVP] wrote:
>> Re: Add domain user\group to local admin group problem
>> "DangerMaus" <DangerMaus@discussions.microsoft.com> wrote in message
>> news:C0916F75-6C98-48D7-8D18-FDA19FC1DC74@microsoft.com...
>> Restricted Groups in Group Policy can enforce the membership in local
>> Administrators groups. It sounds like this is happening to you. There
>> are several kb articles on this, such as:
>>
>> http://technet.microsoft.com/en-us/l.../cc756802.aspx
>>
>> --
>> Richard Mueller
>> MVP Directory Services
>> Hilltop Lab - http://www.rlmueller.net
>> --
>> On Wednesday, December 10, 2008 9:17 PM
>> Jorge Silva wrote:
>> Re: Add domain user\group to local admin group problem
>> Hi
>> can you describe the exact steps?
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>> Jorge Silva
>> MCSE, MVP Directory Services
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "DangerMaus" <DangerMaus@discussions.microsoft.com> wrote in message
>> news:C0916F75-6C98-48D7-8D18-FDA19FC1DC74@microsoft.com...
>>
>> On Wednesday, December 10, 2008 9:54 PM
>> DangerMau wrote:
>> Re: Add domain user\group to local admin group problem
>> This is a fresh install with no custom setting in AD. I checked and I
>> didn't
>> see any Restricted Groups configured in the default domain policy.
>> -dm
>>
>> "Richard Mueller [MVP]" wrote:
>>
>> On Wednesday, December 10, 2008 9:59 PM
>> DangerMau wrote:
>> Re: Add domain user\group to local admin group problem
>> So I have a default install of Server 2008 with ADDS role added
>> (using
>> 2008
>> functional level). The Windows 2008 member server is a default
>> install as
>> well.
>> On the DC, I create a global security group in AD, create a new user
>> and
>> add
>> it to that group.
>> On the member server, I open Server Manager, expand Local Users and
>> Group,
>> open the properties of the local Administrators group, and add the
>> Group
>> from
>> AD.
>> If I immediately click OK and then open the properties of the local
>> administrators group it does not list the AD group I added.
>> I have rebooted by VMs and checked the group membership after an hour
>> or
>> more just in case and still no group.
>> Now if I try to add the group again it will let me, but once I click
>> OK it
>> will then say that the AD group is already a member of the local
>> Administrators group.
>> I think that is it but let me know if you need more info.
>> -dm
>> "Jorge Silva" wrote:
>>
>> On Thursday, December 11, 2008 1:45 AM
>> Ace Fekay [Microsoft Certified Trainer] wrote:
>> Re: Add domain user\group to local admin group problem
>> In news:63FC5CB7-FD00-469A-939F-42D0156BE0C6@microsoft.com,
>> DangerMaus <DangerMaus@discussions.microsoft.com> requesting
>> assistance,
>> typed the following:
>> Curious, what functional mode is the domain in?
>>
>> --??
>> Ace
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT Microsoft
>> Certified Trainer
>>
>> For urgent issues, you may want to contact Microsoft PSS directly.
>> Please check http://support.microsoft.com for regional support phone
>> numbers.
>>
>> On Thursday, December 11, 2008 11:18 AM
>> DangerMau wrote:
>> Re: Add domain user\group to local admin group problem Functional
>> level is Server 2008.
>>
>> -dm
>>
>> "Ace Fekay [Microsoft Certified Trainer]" wrote:
>>
>> On Thursday, December 11, 2008 1:47 PM
>> Jorge Silva wrote:
>> Re: Add domain user\group to local admin group problem
>> Ok, can you try to remove that member server from the domain and
>> re-add it
>> again? then test.
>> Also check if you have errors in eventvwr.
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>> Jorge Silva
>> MCSE, MVP Directory Services
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "DangerMaus" <DangerMaus@discussions.microsoft.com> wrote in message
>> news:63FC5CB7-FD00-469A-939F-42D0156BE0C6@microsoft.com...
>>
>> On Friday, December 12, 2008 4:32 PM
>> mike172 wrote:
>> Re: Add domain usergroup to local admin group problem
>>
>>> GUEST wrote:
>>> I have two Windows Server 2008 servers. One is a DC and the other
>> is a member
>>
>>> server. I created a global security group in AD and tried to add it
>>>
>> as a
>>
>>> member of the local Administrators group of the member server. I am
>>>
>> able to
>>
>>> add it but if I open it back up the group is not listed. I have
>>>
>> tried to
>>
>>> other tests and if I click Apply instead of OK the domain
>>>
>> group\user
>>
>>> disappears instantly.
>>> If I try to add the same domain group\user it says that they are
>> already
>>
>>> members once I click OK\Apply.
>>> Any Ideas?
>>> -dm
>> Maybe this has something to do with licensing issue? Not enough
>> client access license maybe?
>>
>> On Thursday, December 18, 2008 12:54 PM
>> mike172 wrote:
>> Re: Add domain usergroup to local admin group problem
>>
>>>> I am having the same issue. 2 DC with 2008 functional level on
>>>>
>> the same storage based virtual xen server environment. I can add the
>> domain user to the local admin groups on one of the windows 2008
>> member server (this member server is also virtual machine on the same
>> storage), but the domain user doesn't show up in the local admin
>> group
>> window and because of that this domain user doesn't have admin rights
>> on the local server, trying to readding gain to the local admin group
>> says "this user is already member of this group", any
>> ideas?
>>>> In news:ff16fb66104eb8cb299260e82fa6@msnews.microsoft.com, Meinolf
>>>> Weber [MVP-DS] <meiweb(nospam)@gmx.de> requesting
>>>>
>> assistance, typed
>>
>>>> the following:
>>>> Hello DangerMaus,
>>>> If i follow your steps i can not reproduce your problem. It works
>>>>
>> as
>>
>>>> expected in my test domain. Functional level is also 2008.
>>>>
>>> Ace Fekay [Microsoft Cert wrote:
>>>
>>> FYI, I tried and could not reproduce the issue in a classroom
>>>
>> environment.
>>
>>> Functional level also 2008.
>>>
>>> Ace
>>>
>> On Thursday, December 18, 2008 12:54 PM
>> mike172 wrote:
>> Re: Add domain usergroup to local admin group problem
>>
>>> DangerMaus wrote:
>>> This is related to system SID issue. I fixed my problem by
>> installing all the servers separately not using the clones, looks
>> like this is the issue with virtual environment.
>>
>>> I have two Windows Server 2008 servers. One is a DC and the other
>>>
>> is a member
>>
>>> server. I created a global security group in AD and tried to add it
>>>
>> as a
>>
>>> member of the local Administrators group of the member server. I am
>>>
>> able to
>>
>>> add it but if I open it back up the group is not listed. I have
>>>
>> tried to
>>
>>> other tests and if I click Apply instead of OK the domain
>>>
>> group\user
>>
>>> disappears instantly.
>>> If I try to add the same domain group\user it says that they are
>> already
>>
>>> members once I click OK\Apply.
>>> Any Ideas?
>>> -dm
>> On Wednesday, December 24, 2008 9:52 AM
>> Ace Fekay [Microsoft Certified Trainer] wrote:
>> Re: Add domain usergroup to local admin group problem
>> In news:uaWdnT6FhovEE9fUnZ2dnUVZ_rmdnZ2d@giganews.com,
>> mike1610 <mike1720@yahoo-dot-com.no-spam.invalid> requesting
>> assistance,
>> typed the following:
>> Clones? Did you sysprep the machines first or simply added a clone
>> with
>> identical SIDs? Sysprep will force the installation to create a brand
>> new
>> SID for all components that have a SID associated to it's identity.
>> If
>> not,
>> I can see why this may be happening and why I cannot reproduce it.
>> --?
>> Ace
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT Microsoft
>> Certified Trainer
>>
>> For urgent issues, you may want to contact Microsoft PSS directly.
>> Please check http://support.microsoft.com for regional support phone
>> numbers.
>>
>> EggHeadCafe - Software Developer Portal of Choice
>>
>> .NET Web Services - Exception Handling And Non-Exception Error
>> Handling
>>
>> http://www.eggheadcafe.com/tutorials...2f-491e-901f-d
>> 36a82f107e8/net-web-services--excep.aspx
>>

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d7a768cc1c6a295ecc07@msnews.microsoft.com...
> Hello Ace Fekay [MCT],
>
> The last weeks some posters, or maybe one with different names???, are
> posting in this format with pointing to some really old postings. I have
> tried to inform them/he/she??? to better use there own one and describing
> there own situation with all relevant information. I have the same
> thoughts as you have, if the problem description really applies to the
> poster.
>
> Best regards
>
> Meinolf Weber


I know what you mean. It's an uphill battle trying to explain it! Hopefully
the poster will respond with specifics. :-)

Ace