Re: Accessing Windows 2000 Server Remote Registry

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/14/04 

Date: Sun, 14 Nov 2004 17:52:25 GMT

Keep in mind that when you change Local Security Policy on a Windows 2000
computer that you need to see the desired settings as the "effective"
settings after a refresh via secedit /refreshpolicy machine_policy /enforce
or a reboot. Unlike Windows 2003 it is not apparent that there is an
overriding domain/OU policy when you change local policy.

If you have name resolution and connectivity [ping, etc] to the server in
question and domain controller most likely your problem is security policy
security options or an ipsec policy [ such as require policy ] enabled on
the W2K server that does not allow access from non ipsec aware computers
such as NT4.0. If you run the support tool netdiag as in " netdiag
/test:ipsec /debug " on the W2K server it will display any ipsec policy
assigned and details of it.

As far as security policy make sure that the effective setting for the
security option on the W2K server in question for additional restrictions
for anonymous access is NOT set to " no access without explicit anonymous
permissions". I would also try setting the lan manager authentication level
to "send ntlmv2 responses only" assuming it does not need to access shares
on W9X computers. I believe you said you already disable the two "always"
settings for digitally sign communications and have left the "when possible"
settings enabled. Beyond that if you do not have luck I would monitor both
sides of the packet exchange sequence with netmon, which is available to
server operating systems via add and remove programs - Windows components,
or use Ethereal to see what is going on at the packet level. --- Steve

http://support.microsoft.com/?kbid=243270 -- netmon, how to install and
link on how to use.

"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:FAB3C5B8-D231-414C-A255-065459CF1467@microsoft.com...
> No events in the security log. Arrgh!
>
> "Steven L Umbach" wrote:
>
>> Hmm. Can you access the W2K servers in question from another W2K
>> computer??
>> Do you have at least service pack 4 installed on the NT and W2K servers?
>> Try
>> enabling audting of logon events in the local security policy of one of
>> the
>> W2K servers you are trying to access to see if any logon failures are
>> recorded in the security log that may be helpful. --- Steve
>>
>>
>> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
>> > I can resolve the name fine. It is accessing it when I run into issues.
>> > Access Denied is the message I get. I have looked at the article you
>> > suggested but so far none of the settings are relevant or have made a
>> > differnce if I changed them. I can get to the same NT server from the
>> > W2K
>> > server but not the other way around. Strange and frustrating.
>> >
>> > "Steven L Umbach" wrote:
>> >
>> > > It might be a name resolution problem. Try connecting via the
>> > > computers
>> IP
>> > > address instead of name to see if that helps and verify that you can
>> ping
>> > > the computer from the source computer. Since you are still using
>> > > wins,
>> make
>> > > sure that W2K server is also a wins client. Do you get any error
>> messages
>> > > when you try to connect?? The link below explains problems that can
>> arise
>> > > from incompatible security settings [security options in security
>> > > policy
>> > > such as Local Security Policy] on a W2K computer. --- Steve
>> > >
>> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
>> > > look
>> at
>> > > Examples of Compatibility Problems particularly for anonymous access
>> > > and
>> > > digitally sign communications.
>> > >
>> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
>> > > > Not sure if this is related to GPO but I am unable to access the
>> registry,
>> > > > browse via network neighborhood, etc. to a Windows 2000 member
>> > > > server
>> from
>> > > > another Windows NT 4 member server. I cannot do this from any of my
>> > > > NT
>> 4
>> > > > member servers. Both are logged in as the domain admin. Any
>> > > > thoughts
>> are
>> > > > appreciated.
>> > > >
>> > > > --
>> > > > netwerktek
>> > >
>> > >
>> > >
>>
>>
>>

Relevant Pages

  • Re: Backing out Complex passwords enabled in Domain Group policy.
    ... Most documentation I have seen states that all account policies can only be defined ... Define settings for all account polices at the domain level, ... and check the Local Security policy on the domain controller for effective settings. ...
    (microsoft.public.win2000.security)
  • Re: Users should not shutdown or restart servers
    ... controllers that user right is defined in Domain Controller Security Policy ... We have one server ... > I have looked at the Local Security Settings for server #2, ...
    (microsoft.public.win2000.security)
  • Re: how to stop deleting docs&settuser folders with logging off?
    ... I still believe that there *is* a policy affecting the server. ... won't find it in the security policy, but in the path I wrote in my ... > This problem concers mostly the settings in Internet Explorer, ...
    (microsoft.public.win2000.termserv.clients)
  • Re: NIC disconnecting frequently
    ... There are known issues with SMB signing between Windows 2000 and XP Pro in certain ... cases that can cause irregular network connectivity. ... option configured in their effective settings in Local Security Policy you can ... configure your Windows 2000 server to not use SMB signing. ...
    (microsoft.public.win2000.networking)
  • Re: I cant logon to my server with an Administrator .
    ... Mine is a DC with a AD so that's no any local security policy tho. ... Default Domain controller security settings. ...
    (microsoft.public.win2000.group_policy)