Re: Rights - 2003 Server in Windows NT4 Domain

From: Herb Martin (news_at_LearnQuick.com)
Date: 03/07/04 

Date: Sun, 7 Mar 2004 13:02:39 -0600

"fubarsnafu2004" <fubarsnafu2004@yahoo.com> wrote in message
news:624f5166.0403070746.1fc65dcb@posting.google.com...
> I have a Windows NT 4 domain with one PDC - I just installed a Windows
> 2003 Server into the domain. The Domain name is called CARTOONS,
> before the domain came their was a workgroup called CARTOONS and the
> workgroup is still here. All most all computers are members of the
> workgroup CARTOONS, which I think is my problem.

NT-class machines should prefer being Domain machines but none
of that should interfere with the 2003 Server as a domain member.

If you logon to a workgroup machine that is NT-based you are NOT
going to be logging on to your DOMAIN account however so you will
need to authenticate separately to access "domain resources" (e.g., the
2003 server.)

> I login to the 2003 server and gave my self admin rights as a local
> user, I am also a member of the domain administrator group as well.

You can't be a Local user and a Domain user (for logon) at the same
time -- even if the account names look the same.

You might have given your domain account local privileges though.

> But when I login on a W/S and attach a drive to the 2003 server from
> this W/S that is a member of the Workgroup I don't have any rights.

How do you "attach the drive"? Do you authenticate explicitly?
If not, you may be getting authenticated not be the "user" you think you
are -- perhaps even "guest."

Remember, an NT-class machine that is not a DOMAIN member does
not allow you to logon to a domain account -- you will be using a
machine account that is irrelevant to the domain and to that member
2003 server.

> I
> attach fine, can attach to a shared folder but can't create any new
> folders. I have gave myself full rights to the root of the drive on
> 2003 server, both as my user name on 2003 server and through the
> domain admin group. But still can't create folders.I also gave all
> rights but full control to domain\users and authenticated\users at
> same location.

Try an explicitly logon -- the GUI allows this but it is easier to test
and troubleshoot from the command line:

net use * \\ServerName\ShareName * /user:DomainName\Username

(If it is a "server" machine account you use ServerName in place of
DomainName)
net use * \\ServerName\ShareName * /user:ServerName\Username

> I have had this problem on another Network where I had a 2000 server
> in a windows NT4 domain, I ended up have to create each user on the
> 2000 server and give them rights their instead of a the domain level,
> for a sql database applciations to work correctly. In this network all
> computers where members of the domain.
>
> I think my choices are
> 1) Make the 2003 server a member of workgroup and add all users as
> local users, create a group and give rights to the group.

Terrible idea. It CAN work for only a few users, but since you already
have a DOMAIN, there is zero advantage to this method and several
disadvantages.

> 2) Make all computers that need access to the Windows 2003 server
> members of the domain and manage rights for their, which may require
> me to create all users lcoal and give them rights local through a
> group anyway.

Do it this way -- it's the right thing to do.

> Seting up Active Directory is not an option at this time.

Not really an issue, since your problem is that ever user is logging on to
MACHINE specific account which does not allow transparent access
to the DOMAIN resources. Even putting the "server" out of the domain
would still not make the access to "server" resources transparent without
extra work. 

-- 
Herb Martin

Relevant Pages

  • Re: KRB Error
    ... approximately 4 pages of GP settings that include settings in User rights ... with no warranties and confers no rights] ... party vendor was used to harden security on this server and another ... both members of Domain A. Another member server on Domain A did not ...
    (microsoft.public.win2000.active_directory)
  • Re: no Domain Admin rights to a Domain Server
    ... If the computer is still a member of the domain with proper DNS name ... the domain it needs to be joined to the domain again and the domain admins ... I can logon locally to the machine but the rights are that of a ... the server belongs to engineering and the person in charge ...
    (microsoft.public.win2000.security)
  • Re: xp workstations unable to log-in to win 2003 domain at boot-up
    ... the workgroup, but when i then try to ... the win 2003 server PC. ... > If computer is already a member of domain then enter a name ... That might have been a result of my trying the network wizard 3 ...
    (microsoft.public.windows.server.setup)
  • SQL 6.5 - Rights - Not Working Correctly
    ... rights issue with for certain SQL users that are a member ... the server. ... that is a member of the group 'ReadOnly' in database XYZ. ...
    (microsoft.public.sqlserver.security)
  • Re: Rights - 2003 Server in Windows NT4 Domain
    ... >> of that should interfere with the 2003 Server as a domain member. ... >> You might have given your domain account local privileges though. ... >>> this W/S that is a member of the Workgroup I don't have any rights. ...
    (microsoft.public.win2000.active_directory)