Re: Weird security problem in my WIn2K domain
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/25/05
- Next message: Steven L Umbach: "Re: Upgrade Certificate Authority"
- Previous message: Steven L Umbach: "Re: How to force users to logoff each day"
- In reply to: achen: "Weird security problem in my WIn2K domain"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Mar 2005 23:36:03 -0600
Keep in mind that the Enterprise Admins group has no administrative powers on
domain computers, so make sure you are logged on as a domain admin in the
appropriate domain and try to connect to the administrative share [C$] on a
problem computer as a test. Another thing to try is to create a new account
in each domain for yourself, add that account to the local administrators
group on a domain computer and try using that account to manage it to see
what happens. Try using the remote computer's IP address in addition to its
name. DNS problems can also cause access denied for domain accounts to a
domain computer. You can use the support tool netdiag to check domain
controllers and domain members for proper domain configuration including
name resolution, Kerberos, DC discovery, and trust/secure channel. Also
enable auditing of account logon events in Domain Controller Security Policy
and logon events in Domain Security Policy and check the security logs of
the domain controllers and the workstation you are trying to manage after a
failure for any helpful information. Event Comb is a free MS tool that can
make it easier to scan the security logs of multiple domain computers. File
and print sharing connectivity is needed to be able to manage computers
remotely. The XP SP2 firewall or IPsec policy could be blocking access. You
should be able to use telnet to port 139 or 445 if fps is available as in
telnet xxx.xxx.xxx.xxx 445 where xxx.xxx.xxx.xxx is the IP address of the
remote computer. If the port is open you will get a blank command window
with a flashing cursor. If it is not you will get access denied.

--- Steve

"achen" <achen2002@yahoo.com> wrote in message
news:1111645710.182912.14680@f14g2000cwb.googlegroups.com...
> There are three domains in our forest and I'll call them domain A (the
> root of forest), B and C here. For some reason I am having some bizarre
> security problem in both domain B and C, here are some descriptions:
>
> When I had to modify the member of local security group (Administrators
> / Power Users) on workstations, what I always do is to open "Computer
> Management" from my own computer and connect to the destination
> workstation, then do the change I want to do. There was never a problem
> in the last 2 years since our Win2K forest was created. However
> recently I am getting error about access denied, the message looks like
> this:
>
> "The following error occured while attempting to save properties of
> group Administrators on computer XXX: Access is Denied"
>
> Of course my account is a member of Enterprise Admins and also Domain
> Admins of each domain, so the assumption that "My account does not
> have permission to make that change" has been eliminated.
>
> After failing to do this simple task from my own workstations, I
> checked the member of local "Administrators" to make sure that "Domain
> Admins" is still there, and it is there. Then I went to the DC of each
> domain and tried to do it from there (logging on as domain
> Administrator account) and still getting the same error. However if I
> visit the workstation and log on as domain administrator to it, I have
> no problem.
>
> This is happening to *ALL* workstations (Win2K/ XP) under domain B and
> C, and it happens all of a sudden, therefore I have eliminated the
> possibility that it is about security patch / service pack or something
> like that.
>
> All services running on these two domains are working fine, there is no
> event log about this from the server, although each failure was logged
> on the workstations, that does not help me to troubleshoot at all.
>
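
The manual checks suggested in the reply above (connect by name and by IP address, and test TCP ports 139 and 445), as an added PowerShell example that is not part of the original thread. The function names, the result labels and the sample target (the local machine, chosen so the block runs offline) are assumptions of this example.

```powershell
# Added example: name resolution plus TCP reachability of the
# file-and-print-sharing ports, reported per target and port.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)] [string] $Target,   # host name or IP address
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Target, $Port)
        if ($task.Wait($TimeoutMs)) { return 'Open' }
        return 'Timeout'          # no answer at all within the timeout
    }
    catch {
        # Wait() wraps the failure; unwrap to the underlying socket error
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException]) {
            return $inner.SocketErrorCode.ToString()   # e.g. ConnectionRefused, HostNotFound
        }
        return $inner.GetType().Name
    }
    finally { $client.Close() }
}

function Test-AdminShareReachability {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $IPAddress   # address you expect the name to have
    )
    # Step 1: does the name resolve to the address we expect?
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($ComputerName) |
            ForEach-Object { $_.IPAddressToString }
    } catch { $resolved = @() }
    $dnsOk = $resolved -contains $IPAddress

    # Step 2: try ports 139 and 445 by name and by IP address
    foreach ($target in $ComputerName, $IPAddress) {
        foreach ($port in 139, 445) {
            [pscustomobject]@{
                Target = $target; Port = $port
                Result = Test-TcpPort -Target $target -Port $port
                NameResolvesToExpectedIP = $dnsOk
            }
        }
    }
}

# Constructed sample values: substitute a workstation name and its IP address.
Test-AdminShareReachability -ComputerName 'localhost' -IPAddress '127.0.0.1' | Format-Table -AutoSize
```

Open by IP address but a failure by name points at name resolution; a Timeout on both ports for both targets is consistent with a firewall or IPsec policy dropping the traffic.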