Adding Domain Users

Microsoft Windows server 2003 enterprise...
June 3, 2010 at 10:11:48
Specs: Windows Server 2003 R2 SP2, 3.49 GHz/3.99 GB
Hello. I am new here and a bit of a novice. I need help allowing domain users to log into a server. This is what I have done so far. Hopefully someone can help me with what I am missing.
1. Created a user group.
2. Added a user from a domain by searching the domain for his login. It found him on the domain no problem.
3. Created a share folder.
4. Removed "everyone" from both the share permissions and the security tab. Both fields were then empty.
5. Added the user group to both the share permissions and the security tab. Gave the group full rights in both.

Here's where the problems start...

When the user I added tries to map network drive, he just gets asked for his password over and over. The computer he is logging in from is a member of the domain his login comes from and network connectivity is fine because I can login using my admin account. Can anybody think of anything I missed? Help, please!

Thanks!



#1
June 3, 2010 at 10:27:15
Are you working with multiple domains? Please describe your AD setup.
Does not sound like the user is logging into the domain the share is on.


#2
June 3, 2010 at 10:27:53
I should add that his login works fine from a Mac on the same network using a Samba mount.


#3
June 3, 2010 at 10:29:34
Thanks for the reply. The machines are members of different domains, but are on the same network and subnet. I think that's what you were asking...


#4
June 3, 2010 at 10:54:48
Are these domains under the same forest?


#5
June 3, 2010 at 11:00:57
I believe so. The server is under one domain and was able to reach into the other in order to get the login.


#6
June 3, 2010 at 11:30:15
Is the group a universal or global group?


#7
June 3, 2010 at 11:34:21
The workgroup is a local group on the machine. Does this answer that?


#8
June 3, 2010 at 12:35:59
There are no workgroups in Active Directory.
It would appear you are trying to share a folder on a pc not on the server.
This is peer-to-peer networking. The user logon account would need to exist on this PC with the same password the user logs on with for them to access this share.

This is not a recommended procedure when running AD.



#9
June 3, 2010 at 13:03:28
Maybe I'm not understanding your answer. Sorry, I'm a bit of a novice and was kind of thrown into this. In any case, I logged into the server, created users and added folders and shared them. I have done this before on this server and still have shared folders on this server that are running on the network that users log into every day, but these are all local accounts on the server. I have been asked to replace the local accounts with the same user names and passwords that people get their email with so that we can more easily track logins and data transfers. I'm not sure if that is an Active Directory setup or not.


#10
June 3, 2010 at 13:49:51
Normally you do all of your server/AD administration from your workstation by running MMC.

In Active Directory there are no local users but AD users.

The procedure you describe in post #9 is not that of an AD server but a standalone server.

What you have been requested to do actually makes no sense at all. No one but the user should know their password.

Enable auditing and you can track user activities.

Having multiple domains [not to be confused with OUs] is a complex AD setup. You are also mixing terms like "workgroup is a local group on the machine", which is confusing. Did you mean it's a group local to that server?
Are you doing this under Computer Management/users and groups?

Where is your network/server admin?
This is not the kind of job you can just throw someone into.



#11
June 3, 2010 at 14:15:16
He quit in a huff about something. In any case, I think the reason they threw me in is because I'm tenacious and usually figure stuff out. Also, I have done this kind of thing on a smaller scale with this server.

Yes, I am doing it under Computer management/users and groups. I'll try to be more specific. Maybe then it will make more sense.

I was logged directly into the server with my local admin account. I went to computer management, users and groups. I created a group called "encoding." I added a user by selecting "Add." Under "from this location" there are about 20 or 30 locations to choose from. The only two that concern me I'll call "production" and "corporate."

The server itself is a member of the production domain. However, the people, including myself, all have corporate logins for email, etc. In any case, I chose corporate in the "from this location" drop-down box.

I do not know this person's password. I just typed his login name into the "enter object names to select" box at the bottom. It found him and came up with something like:

I typed in "dude."

It came back with "CORPORATE\dude."

I clicked okay. Now I have a group, "encoding," with one member, "CORPORATE\dude." I think that's so far so good.

Next, I created a folder at the top level of my default shared drive. I created a share on it called "encoding." In permissions I deleted "everyone" and "users." I added the new user group. I gave it full control. I did the same for administrators.

Next, I went to the "security" tab. I added the group and Administrators and gave them both full control.

Now's where I'm not getting it. The workstation I went to test this setup on was a member of the corporate domain, but is on the production subnet. I tried logging in and got the response that I posted. It just keeps asking for the name and password over and over.

Does that make it clearer? Can you maybe point out something that I might have missed?



#12
June 3, 2010 at 15:07:37
It would appear the account you logged into was not in the group you assigned to the share.

You would create an account "test" and assign it a password. Add test to the group. You would then logon at a workstation as test. Then you would browse to the server and then the share.



#13
June 3, 2010 at 15:15:17
It was definitely in the group because after his account couldn't log in I tried my own. I have a local admin account on the server and I added my corporate log in to the group and got the same result from multiple workstations. Again, the funny thing is, they work from a Samba mount on a Mac, but not on a Windows workstation. I can log in smb://server on a Mac with my corporate ID and my local admin ID which are different. He can log in on a Mac as well. Neither of us can log in on a Windows workstation, but I can log in with my local admin account.

I don't think it's that simple. I've asked corporate IT and they haven't been able to help and production IT won't touch local servers. As far as they're concerned their job ends at the end of the Cat 6 cable.



#14
June 3, 2010 at 15:33:53
What do you mean you couldn't log on from any workstation with your domain account?
Don't you do that 5 days a week?

Samba working is no test of this server. False positive.

If this is a member server and you added yourself to the group on the share you should be able to logon the domain as yourself and browse to this server and then the share.

Can you do this?



#15
June 4, 2010 at 07:53:00
I can log onto the server directly with both my corporate account and my admin account. In fact, anyone can log onto the server directly with their corporate account. They just wouldn't have access to Aspera and other transfer tools or to the Media drives. It would essentially just behave like a workstation for them only it would be really fast with a 10 Gb connection to the network.

I can also use my corporate account to log onto any workstation. So can anyone else.

I can map the server as a network drive to any Windows workstation on the production network using my local admin account credentials. Some people who I have given local user accounts to can do that as well.

What I need is for certain people to be able to map the server as a network drive to their workstations using their corporate credentials. In this way, it is easy to track who has been accessing media.

My solution is to create work groups on the server based on departments - encoding, nonlinear, VFX, etc... - and to add members of those departments to those work groups by looking them up on the corporate domain and then giving those work groups rights on the media drives.

My test case is encoding because that's where I work. I have successfully looked up myself and my colleague and added both of us to the encoding work group. I then went through the steps I outlined and am now stumped as to why I cannot use my corporate credentials to map the server as a network drive once my corporate credentials have been added to a work group with rights on the server.



#16
June 4, 2010 at 08:27:04
Not to be rude but you really need an Active Directory book.

You are talking in peer-to-peer networking terms [workgroup]. In AD we have universal/global/domain local groups, with the choice of security or distribution for type.

Saying you can log on using a local admin account [whatever that means] or that users you have given local accounts [assuming on the server] to have access doesn't sound correct. In Active Directory you don't "log on to the server" [again a confusion in terms]; you authenticate to the domain.

Let's try this again. Using your domain logon at a workstation, get authenticated to the domain. Go to Entire Network and browse to the server in question. Do you see the server? Double-clicking on the server, do you see the share you created?



#17
June 4, 2010 at 08:47:12
Yes, but when I click on it, it asks for a logon. I can use what I am calling my local admin account, meaning that it is only good for logging into that server and not into any other computer in the network, and that it gives me administrative privileges on the server, but I cannot use my corporate credentials even though I have created a work group and added my credentials to that work group.

What I'd like to be able to do, rather than browsing to the server through the whole network which has thousands and thousands of computers on it, I'd like to just hit "Map Network Drive" and log in using my corporate creds.

Sorry if my lingo isn't making sense. I don't have a CS degree and have never even taken a computer course. I have learned what I know through a combination of osmosis, necessity and by sitting in front of a computer for most of my life. I do appreciate your trying to help me.



#18
June 4, 2010 at 10:18:19
Please don't use the term workgroup. It is not a term that should be used when discussing AD.

This server cannot be a member of the corporate network if you are being asked for credentials.

Who installed/setup this server?

If you right mouse click on My Computer when on the server and go to the Computer Name tab does it say

Full Computer Name= servername.forestname
Domain = forestname [like domain.com]



#19
June 4, 2010 at 10:31:57
Yes it does. It says:

servername.productiondomain.com

I physically built the server and added it to the production domain.

Our workstations all are called:

workstationname.corporatedomain.com

We have a corporate network at 10.18.*.* and a production network at 10.99.*.*. The corporate domain is available on both networks, but the production domain is only available on the production network. For my purposes I am only worried about the production network but am dealing with both domains.

I should mention that this server, and many others on the production network, has extremely sensitive data on it and is probably subject to extraordinary security measures. Could that be why I can see it in the network but am asked for creds when I try to open it?

I should maybe also mention the point of this exercise a little more precisely. For many years this server was intended for just me to receive files and do with them what I do.

Now, the operation has grown too big for just me, so I need to spread out the workload. Because the data is so sensitive, we need to make sure only people I want to have access can get in, and we need to track them.

Also, no one but me and Risk Management should have operation control of the server.

Maybe there is a better way to go about this?



#20
June 4, 2010 at 12:13:47
productiondomain.com
corporatedomain.com

These are two different forests [namespaces].

Is there a forest trust between the forests? [there should be if each can access resources on the other].

Your workstation has to go through corporatedomain.com to get to the server in productiondomain.com.

It would appear you can't get to production via corporate. There may not be a forest to forest trust which would give you access.

Why is this server not in the forest your workstation is in?
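One way to check the points raised in posts #18 and #20 from the server's side, as an added PowerShell script that is not part of this thread. It assumes PowerShell is installed on the Server 2003 R2 box, that it is run by a server administrator, and that the share name, folder path, local group and remote forest name below are placeholders for the poster's own values.

```powershell
# Constructed diagnostic for a cross-forest user who cannot open a share.
# Assumptions: run as an administrator on the member server, PowerShell 2.0
# present on Windows Server 2003 R2; all four values are placeholders.
param(
    [string]$ShareName    = "encoding",             # share name used in the thread
    [string]$FolderPath   = "D:\Shares\encoding",   # placeholder folder path
    [string]$GroupName    = "encoding",             # local group holding CORPORATE\dude
    [string]$RemoteDomain = "corporatedomain.com"   # forest the users authenticate to
)

# 1. Post #18: is the server actually domain-joined, and to which domain?
$cs = Get-WmiObject Win32_ComputerSystem
"Server {0}: PartOfDomain={1} Domain={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain

# 2. Post #20: trusts visible to the server's domain. The corporate forest must
#    appear here, or its SIDs cannot be resolved when a token is built.
"--- trusts known to this server's domain ---"
nltest /domain_trusts /all_trusts

# 3. Can the server locate a DC in the remote forest at all (DNS + trust path)?
"--- DC locator for $RemoteDomain ---"
nltest /dsgetdc:$RemoteDomain

# 4. Post #11/#12: is the corporate user really a member of the local group,
#    and does the member show as a name rather than an unresolved S-1-5-... SID?
"--- members of local group $GroupName ---"
net localgroup $GroupName

# 5. Post #11: NTFS ACL on the folder and share-level permissions. Both must
#    grant the group; an unresolved SID in either list points at the trust.
"--- NTFS ACL on $FolderPath ---"
(Get-Acl $FolderPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
"--- share permissions for $ShareName ---"
net share $ShareName
```

If step 2 does not list the corporate forest, or step 4 shows the member as a raw SID, the repeated password prompt is a trust or name-resolution problem rather than a permissions one.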



#21
June 4, 2010 at 12:24:50
I wish I could answer that, but as you can probably tell by now I'm not the network architect.

What I would think is that, if trusts can flow one way and not the other, that corporate trusts production but not the other way around. For example, I can reach servers on 10.18.*.* from my workstation on 10.99.*.*, but comps on 10.18.*.* cannot touch comps on 10.99.*.*. I know this is different than the domains question, but I would imagine they organized it the same way if that is possible.

I think the reason our workstations are on the corporate domain but on the production network is so we can do things like get email, interact with services, etc... that live on 10.18.*.* and are members of the corporate domain while still being able to work with media that live on the production network in the production domain.



#22
June 4, 2010 at 12:41:48
Can you add YOURSELF from the corp forest to a group on your server in the production forest?


#23
June 4, 2010 at 12:45:56
Yes. That's what I did. My corporate ID, me@corporate.com, I added to the group "encoding" on the server which is in the production forest.


#24
June 4, 2010 at 14:58:06
I don't have an answer why you can add yourself from the corporate network, which indicates a trust, but you cannot access the server in production without it asking you for credentials.

I would ask that question of the production network/server administrator.



#25
June 4, 2010 at 15:07:47
Okay, well, thanks for your help anyway.
