Computers are listed in AD and can access all aspects of the LAN however...

luv2bike2
I have never seen this before so I hope someone can shed some light on this issue I am having.

Windows XP computers, all are up-to-date on SPs and MS Updates and are in the domain (can be seen in AD).

When I right click My Computer/Manage/Users and Groups/Groups/Administrators and click on ADD, the "From this Location" is set to the Local Computer and NOT to the Domain. When I click on the "Locations" button I get the local computer name and "Entire Directory"; I do not have the Domain under the "Entire Directory". I click on "Entire Directory" and it changes the "From this Location" to "Entire Directory". Click on "Advanced" and "Find Now" and all the names come up and I choose the name I want and click OK and OK and Apply. Everything looks good, the name appears in the Members list. Now when I reboot the computer and go back in to see if that name is still there, sometimes the name is there as it should be displayed (i.e. Domain Admins), sometimes it comes up with a long name with S-1-5-21-3390.......... (too long to enter all the numbers).

We have a small network of about 24 PCs and 7 servers (2 of which are DCs). This is happening on only a handful of computers where the location is not set to the domain and the name is being displayed like S-1-5-21-3390......

My questions are:

1) What do I need to do/fix to make the location be the domain and not the local computer?

2) Is the name being displayed like S-1-5-21-3390.... because the local computer name is set as the location and not the domain, and if so, will fixing the location to the domain fix the name being displayed?

Thank you very much.
Robin
  • gechurch

    I'm not sure on the answer to question 1. It's not a setting I look at often, but just checking on one domain-joined computer now its 'From this location' is set to the domain by default, so I suspect there is an issue. I assume you are logging on to the computer using a domain account?

    The long name you are seeing starting with "S-1-5" is a user account SID. This is an ID that uniquely represents a user account. Let's say you have a domain account called "Jane Doe". When you add "domain\Jane Doe" to the local administrators group, what gets stored behind the scenes is actually the SID of Jane Doe's account. That way, when Jane gets married and you rename her account to "domain\Jane Smith", the local computer will be able to keep track and know that Jane Smith is a local admin on the PC.

    When everything is working correctly, when you look at the local admin group the SID is read (S-1-5-21-3390...whatever). Then a lookup is performed - the PC asks the domain controller "hey, here's a SID. Can you please tell me the name of this account?". The DC looks up the SID, finds that the account belongs to "domain\Jane Smith" and that's what gets displayed. As you've probably figured out by now, if this lookup fails for some reason the local PC ends up displaying the SID because that's all it can display. So it sounds like your PCs are not talking to the DC properly sometimes. Taking a look in the event log for DC-related errors is a good place to start troubleshooting the problem.

    luv2bike2

    Thank you for your response.

    The user is logging in as a domain user and on to the domain and NOT on the local computer as a local user. :)

    DHCP is configured on all the computers and when I do IPCONFIG on the computers that are having this issue DNS shows up correctly. The one thing I did not do, however I will do when I return back to work on Tuesday, is log into the computers as a different user to see if maybe the user.dat file is corrupt and I can see the domain and the users correctly. :)

    I will post back with the results.
    Thanks again
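
The SID-to-name lookup described in the answer above can be checked directly on an affected PC. The PowerShell below is an added example, not part of the original thread: it assumes the English group name "Administrators" and PowerShell 2.0 or later, and `Resolve-Sid` and `$WellKnownRids` are names chosen here. An unresolved entry shows that the lookup failed at that moment; it does not by itself say why.

```powershell
# Added example (not from the thread). Lists the local Administrators group by
# SID and reports which entries this machine can translate to a name right now.

# Well-known relative IDs (the last number of an S-1-5-21-... SID). These stay
# readable even when the name lookup fails, e.g. ...-512 is Domain Admins.
$WellKnownRids = @{
    '500' = 'Administrator'; '512' = 'Domain Admins'; '513' = 'Domain Users'
    '518' = 'Schema Admins'; '519' = 'Enterprise Admins'
}

function Resolve-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)

    $name = $null
    $err  = $null
    try {
        # The same SID-to-name translation the Members list relies on.
        $name = $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $err = $_.Exception.Message
    }

    # AccountDomainSid is only populated for account SIDs (S-1-5-21-...),
    # so built-in SIDs such as S-1-5-32-544 get no RID hint.
    $hint = $null
    $rid  = $Sid.Value.Split('-')[-1]
    if ($Sid.AccountDomainSid -and $WellKnownRids.ContainsKey($rid)) {
        $hint = $WellKnownRids[$rid]
    }

    New-Object PSObject -Property @{
        Sid      = $Sid.Value
        Name     = $name
        Resolved = [bool]$name
        RidHint  = $hint
        Error    = $err
    }
}

# Read the members through the WinNT provider and pull each raw objectSid,
# so the stored SID is seen rather than whatever name the GUI managed to show.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$group.psbase.Invoke('Members') | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    Resolve-Sid (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0))
} | Format-Table Sid, Name, Resolved, RidHint, Error -AutoSize
```

Running it on a PC that shows names correctly and on one that shows raw SIDs gives a side-by-side view of which stored SIDs the affected machine cannot translate.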
