Win XP Pro Lockout After Using On Home LAN With Workgroup Name Same As NT Domain Name At Work

From: davie@attcanada.ca
Date: 04/02/03

    From: davie@attcanada.ca
    Date: Wed, 02 Apr 2003 03:52:13 GMT
    
    

    Hi,

    All users, including the Administrator, could not log on to Office
    Domain after I connected my notebook to my LAN at home (also running
    Win XP Pro).

    When running Win 98 SE on old notebook I had two distinct profiles for
    the two connections - Office LAN had static IP on router with NAT and
    used "XXX" as the company's NT domain.

    At home, I called my Workgroup by the same name ("XXX"), but the
    profile (using Netswitcher) employed DHCP IP addresses.

    File sharing in both cases was active, and used NETBEUI as the only
    protocol with file & print sharing turned on (since it's a
    non-routable protocol, it seemed like it was better security for the
    file-sharing even behind the hardware firewall with NAT running at
    both locations).

    Been running on my home machine under XP Pro set up this way for more
    than a year. All I had to do each day was tell Netswitcher to boot
    with the "Other" profile on shut-down, so I was easily taking files
    back and forth to and from the office without a hitch.

    My new, just-arrived notebook, together with new machines at the
    office, are all XP Pro, and the Network IT guy has enabled DHCP on the
    Cisco router for all of us, eliminating the static IP assignments.

    He further agreed to leave file and printer sharing active on the
    Office LAN, because they're behind a firewall with NAT active.

    So, I take home my new notebook configured this way, hook it up to my
    home LAN (remember same Workgroup name as the office's domain name).
    Distinction being that there is no separate profile on the notebook.

    Thinking that nothing should go wrong, I click away the message that
    no domain can be found (makes sense, as I'm not on the line through
    the Cisco router which has the gateway addresses specified).

    I get to browse the Internet through my broadband connection at home,
    and it appears I can "see" the notebook from Network Neighbourhood,
    and vice versa. Looks like I can easily work FROM the notebook Windows
    Explorer to save from the LAN machines TO the notebook, or also use
    the notebook to copy to a local machine. The other way seems to
    require a password dialog box to go FROM a LAN machine TO the
    notebook.

    But that's OK, I had a few "glitches" with other desktops at home when
    first setting up the file sharing on the XP Pro machine.

    The next day, the crap hit the fan, but not before the Network guy had
    been messing around with the programs freshly installed and being
    configured on the notebook.

    Suddenly he claimed no log on was possible -- on my user account, on
    his user account, as an administrator - Nothing worked!

    Not only could he not log on to our company domain, he could not even
    log on to the local machine -- with any account!

    This was promptly blamed on my having connected to my home LAN, which
    destroyed all the "Group Policies" because my Workgroup Name was the
    same as our NT Domain name. He said this meant the machine was now set
    to treat this name as a Workgroup and would not even try to go outside
    to locate the NT Domain any more.

    The machine was screwed up, and would need to be blown away, and
    reloaded from scratch, and I was in deep doo-doo for what appeared to
    be the innocent step of trying to browse with it at home, hoping to
    continue my long practice of working in both places and file-sharing
    through the LANs to take stuff home, work on it, and bring it back to
    the office (and the LAN there).

    He went out to lunch, and by some mysterious means, the machine was
    functional by the time he returned. Local rights as Administrator were
    now possible, and he proceeded with the loading and configuring that
    he'd planned to do.

    He said he had to "UNJOIN" what was maybe the workgroup, destroy and
    recreate some user accounts, and then he got logged on to the Domain.

    Strangely though, after installing (again) IBM Client Access software
    to talk to our A/S 400, things went screwy!

    We could no longer get to our company's web page from IE browser,
    unless my user name was given full Administrator privileges. Downgrade
    to power user and neither Client Access nor the company web page
    would function. Restore Administrator and back they both came. Worked
    with his Administrator account as well!

    Un-installed and reinstalled Client Access twice more, with the same
    effects after doing each step. Then he loaded Client Access, and
    didn't even run it, and the same problem.

    Neither non-working function should rely on security settings he
    thought, but when asked, I suggested he look into boot-up programs and
    the registry as suspects for activating something that wrecks it
    BEFORE the program (Client Access) is ever executed. Nothing he could
    detect to account for this puzzling issue.

    Solution was to remove the IBM Client Access software -- alternate for
    leaving me as an Administrator seemed very improbable!

    Anyone who can comment on the negative effects found when an NT Domain
    Name matches a subsequent connection to a Workgroup with the identical
    name?

    With DHCP active on the routers at both ends, and file sharing turned
    on, how could this wreck all the User accounts for both the Domain as
    well as for the Local Machine, when not hooked up to any network?

    I would welcome any informed comment or opinion, as the stated effects
    of what I may have done seem out of proportion to the severe effects
    on the functioning of the network.

    Surely people have setups that allow other Domains or Workgroups to
    coexist with the main office Domain?

    Since I am barred from connecting this ever to my home LAN, the
    interest may be academic, but I'm still convinced that the IBM Client
    Access software was not installed right, or configured properly, and
    that this blew away the user settings and made the machine
    inaccessible, even to an Administrator.

    The later problems seem to bear out that something with Client Access
    is not right, even though the desktops on the same network are running
    this properly.

    Thanks for sticking with me through the long-winded elaboration of my
    problems.

          Davie...

