Re: Local authentication errors on Windows 2003 Server
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 24 Feb 2006 12:43:09 -0600
Is this server a domain controller? If so I would also run dcdiag on it and
gpotool on it also, though I was under the impression that it is a non
domain controller. If you enable auditing of logon events on a computer
with a share and look for type 3 logon events you can get an indication of
what is going on to see if a success, failure, or no event is recorded when
access is attempted. Beyond that, sniffing the packet exchange with something
like netmon could provide more detailed info. Have any security policies
[security options, security templates applied, etc] been changed in the
domain or locally as of late? I would also check the group membership of
the server to make sure it is not a member of a group that has deny
permissions to the share or access this computer from the network user
right. The support tool gpresult or whoami will show group membership.
--- Steve
"PCSL" <neil@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1140779715.901158.209830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks for the suggestion Steve,
Still no joy, I'm afraid.
netdiag passes every test that is applicable to the server (IP security
and WAN tests skipped). A verbose log revealed nothing unusual,
particularly any mention of the old domain XXXXXXXX.net (as opposed to
the XXXXXXXX.local it was changed to 18 months ago).
Since the original post I have questioned the validity of the GPOs, not
least because there was at least one .pol file missing. I bit the
bullet and tried DcGPOFix. This tells me:
====================
Unable to open the GPO due to access denied. Verify that permissions
on the file system path
C:\WINDOWS\sysvol\sysvol\XXXXXXXX.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\
MACHINE\Registry.pol and the active directory path
LDAP://XXXXXXXX-server.XXXXXXXX.local/CN=
{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=XXXXXXXX,DC=local
are
sufficient to modify the GPO.
Access is denied.
Warning: This tool was unable to re-create the EFS Certificates in the
Default Domain Policy GPO
Access is denied.
====================
Again this leads me to think it's some sort of ACL related problem. I
have checked the folder permissions and while it is not my forte the
LDAP permissions look acceptable too.
In case the Administrator user was somehow corrupted, I have created a
new user with full administrative group access and get exactly the same
errors...
I want to confirm the authentication process is operating correctly as
I suspect the authentication is either being subverted, misdirected or
misinterpreted somewhere. How would I go about tracing the
authentication process undertaken when a secured object is accessed,
such as accessing a file share?
Note again that this only affects the server, not any of the client
machines therefore it is most likely, IMHO, to be a local setting as
opposed to a global domain issue...
Thanks,
Neil
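
As an added example (not part of the original thread): a small Python triage of the audit approach Steve suggests, classifying type 3 (network) logon events for one account as success, failure, or no event around the time access was attempted. The event IDs are the Windows Server 2003 Security log IDs for the "Audit logon events" category; the pipe-delimited export layout, account names, domain and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Windows Server 2003 Security log event IDs, "Audit logon events" category.
NETWORK_LOGON_OK = 540
FAILURE_REASONS = {
    529: "unknown user name or bad password",
    530: "account logon time restriction",
    531: "account disabled",
    532: "account expired",
    533: "user not allowed to log on at this computer",
    534: "requested logon type not granted on this machine",
    535: "password expired",
    537: "unexpected error during logon",
    539: "account locked out",
}

# Constructed sample in an assumed export layout (not a real tool's format):
# time|event id|user|domain|logon type|source workstation
SAMPLE = """\
2006-02-24 10:15:02|540|jsmith|EXAMPLE|3|WKSTN01
2006-02-24 10:15:40|534|testadmin|EXAMPLE|3|SERVER01
2006-02-24 10:16:05|528|testadmin|EXAMPLE|2|SERVER01
"""

def parse(text):
    """Yield one dict per non-empty export line."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, user, domain, ltype, wks = line.strip().split("|")
            yield {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                   "id": int(eid), "user": user.lower(), "domain": domain,
                   "type": int(ltype), "workstation": wks}

def triage(text, user, attempt, window_s=60):
    """Classify type 3 logon events for `user` within window_s of `attempt`."""
    span = timedelta(seconds=window_s)
    hits = [e for e in parse(text)
            if e["type"] == 3 and e["user"] == user.lower()
            and abs(e["time"] - attempt) <= span]
    for e in hits:  # a failure is the more useful finding, so report it first
        if e["id"] in FAILURE_REASONS:
            return ("failure", e["id"], FAILURE_REASONS[e["id"]])
    if any(e["id"] == NETWORK_LOGON_OK for e in hits):
        return ("success", NETWORK_LOGON_OK, "successful network logon")
    return ("no event", None, "no type 3 logon event audited in the window")
```

A 534 result is the one to compare against the "access this computer from the network" user right mentioned in the reply; "no event" only means something if logon-event auditing was enabled on the host at the time.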