Re: Issue after establishing a 2-way trust between 2 forests



Hello vdz,

You're welcome.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Thank you again, that is actually everything I am doing.

Best Regards

"Meinolf Weber [MVP-DS]" wrote:

Hello vdz,

Use restricted groups with GPO of course. This article describes in detail how to configure it:
http://www.frickelsoft.net/blog/?p=13
Pay attention to the parts "Members of this group" and "This group is a member of".

Best regards

Meinolf Weber
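Restricted Groups in a GPO, as Meinolf describes, is the right way to enforce the membership going forward, because the policy re-applies it at every refresh. For the one-off audit and cleanup vdz is asking about, the following script is an added example of my own, not code from the thread or from the linked article. It reads each PC's local Administrators group through the ADSI WinNT provider, lists every member, and with the -Remove switch (an assumption of this script) removes only individual domain user accounts that were added directly; groups, local accounts and a keep-list are never touched. The computer names and the domain NetBIOS name are placeholders, and without -Remove the script only reports.

```powershell
# Added example, not code from the thread: report (and with -Remove, clean up)
# domain user accounts that were put directly into a PC's local Administrators
# group. Assumptions: run from a domain-joined management host as an account
# that is an administrator on each PC; the PCs accept ADSI WinNT (RPC) calls;
# $Computers and $DomainNetBios are placeholders to replace.
param(
    [string[]] $Computers     = @('PC01', 'PC02'),   # placeholder computer names
    [string]   $DomainNetBios = 'CONTOSO',           # placeholder domain NetBIOS name
    [switch]   $Remove                                # default is report-only
)

# Principals that must stay in Administrators regardless of what is found.
$Keep = @("$DomainNetBios\Domain Admins", "$DomainNetBios\Administrator")

# Read one property of a WinNT member COM object (there is no typed wrapper).
function Get-MemberProperty($member, [string] $name) {
    return $member.GetType().InvokeMember($name, 'GetProperty', $null, $member, $null)
}

$results = foreach ($pc in $Computers) {
    try {
        $group   = [ADSI]"WinNT://$pc/Administrators,group"
        $members = @($group.psbase.Invoke('Members'))
    } catch {
        Write-Warning "$pc : cannot read local Administrators ($($_.Exception.Message))"
        continue
    }

    foreach ($m in $members) {
        $name  = Get-MemberProperty $m 'Name'
        $class = Get-MemberProperty $m 'Class'      # 'User' or 'Group'
        $path  = Get-MemberProperty $m 'ADsPath'    # e.g. WinNT://CONTOSO/jdoe
        $authority = (($path -replace '^WinNT://', '') -split '/')[0]
        $full = "$authority\$name"

        # Only individual domain users added directly are cleanup candidates;
        # groups, local accounts and the keep-list are left alone.
        $candidate = ($class -eq 'User') -and
                     ($authority -ieq $DomainNetBios) -and
                     ($Keep -notcontains $full)

        $removed = $false
        if ($candidate -and $Remove) {
            try {
                $group.psbase.Invoke('Remove', $path)
                $removed = $true
            } catch {
                Write-Warning "$pc : failed to remove $full ($($_.Exception.Message))"
            }
        }
        [pscustomobject]@{
            Computer = $pc; Member = $full; Class = $class
            Candidate = $candidate; Removed = $removed
        }
    }
}

$results | Format-Table -AutoSize
```

Run it once without -Remove and keep the report: a domain user sitting directly in a workstation's Administrators group is exactly the kind of drift a Restricted Groups policy is meant to prevent, and the report shows you what the policy will take away before it does.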
Hello Meinolf,

One more question please, as you know I had to manually assign local admin to each user on each of their PCs, is there any way/script to remove this automatically, so that I don't have to remove them one by one manually? Thanks

Regards,

"vdz" wrote:

Hello Meinolf,

Thought I'd let you know some good news, they can logon without local admin. Briefly, somehow all the appropriate users in "allow log on locally" were removed.

All good now.

Much appreciated.
I think it worked because of your wish :).
Regards
"Meinolf Weber [MVP-DS]" wrote:

Hello vdz,

I assume that account is deleted, so you can normally remove it.

Well, that's easy, good luck. :-)

Best regards

Meinolf Weber
Hello Meinolf

Yes you are right about the Guest and Users accounts in the default DC policy. I already removed them.
With the SID issue, I used sidtoname as per your suggestion, but it does not resolve the SID in "allow logon locally".
Thanks again for your help, I have to wait until tomorrow to see if they can logon without local admin. Wish me luck :)
Kind regards
"Meinolf Weber [MVP-DS]" wrote:

Hello vdz,

In the Default domain controllers policy I would not have the Users and Guests. Normally there is no need for them to logon to a DC, especially GUESTS.

The long number is a SID if it starts with S-1-5xxxxxxxxxxxxxxxxxxxxxxxxxxxx; this will be shown if there is a deleted account in the database, the SIDs will then be shown instead of the name.

This can help you to resolve SIDs:
http://www.joeware.net/freetools/tools/sidtoname/index.htm

Best regards

Meinolf Weber
Hello Meinolf

Thanks again for your help,
I had a closer look at all GPOs in use again.
Here is what I found:
In the default domain controller policy, "Allow log on locally" is defined and includes Administrators, Users, Guests, Backup Operators, Server Operators etc...
In the default domain policy, "Allow log on locally" is defined but only includes Administrators and another account which is a long number, that is all. So I am going to add the appropriate users to see if it works.
Regards,
vdz
"Meinolf Weber [MVP-DS]" wrote:
Hello vdz,

I am really sure that has nothing to do with the trust. Then
it should appear if you remove the trust, which doesn't help
as you said.

Sounds for me still like policy issue. I would go back to the
default user account settings/policy, without adding them to
remote desktop users group or "Allow logon to TS" etc. Seems
for me that the "allow logon locally" setting is now
configured only for the servers and removed/overrides the
ability to logon to their local machines.

Best regards

Meinolf Weber
Hello Meinolf,

Yes the problem is at their end, they logon locally and "log
on to" their domain that was the first thing I told them to
check. I did check every single GPO in use, I also added a
particular user to "Allow log on locally" and asked her to
logon to her PC, she could not at all, but weird thing I can
log on as her (her username and password) using RDC on her
PC. And I eventually removed the 2-way trust but the issue
still persists. :(

I ran out of clues, thanks a lot for your help so far.

Regards
"Meinolf Weber [MVP-DS]" wrote:
Hello vdz,

Just to be sure, you did check the policy in the problem
domain and the users trying to logon are also from the OTHER
domain logging on THEIR domain?

Also check this:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, "Log on locally"
By default, Administrators, Backup Operators, Power Users, Users, and Guest should be able to logon locally.
You have to check all GPOs in use, not only the default ones.
Best regards
Meinolf Weber
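To make that check mechanical on a given PC or server, here is an added example of my own (not from the thread or from Meinolf's post). It exports the effective user-rights assignment with secedit, lists who holds "Allow log on locally" and "Deny log on locally", and translates each SID to a name, flagging any SID that no longer resolves. That is the same orphaned-SID situation that comes up elsewhere in the thread, where a long S-1-5-... number appears in place of a deleted account. Assumptions: it runs in an elevated PowerShell on the machine you want to inspect, and the temporary file name is my choice.

```powershell
# Added example, not code from the thread: show the effective "Allow log on
# locally" and "Deny log on locally" user rights on this machine, resolving
# each SID to a name and flagging SIDs that no longer resolve (a deleted
# account is left behind as a bare S-1-5-... entry).
# Assumption: run in an elevated PowerShell on the PC or server to inspect.
$cfg = Join-Path $env:TEMP 'userrights-export.inf'   # temporary file, my choice of name
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; are you running elevated?' }

# Privilege names as secedit writes them, mapped to the GPO display names.
$Rights = @{
    SeInteractiveLogonRight     = 'Allow log on locally'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}

# secedit writes principals as *SID (leading asterisk) or occasionally as names.
function Resolve-Principal([string] $entry) {
    if (-not $entry.StartsWith('*')) {
        return [pscustomobject]@{ Sid = $null; Name = $entry; Resolved = $true }
    }
    $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ Sid = $sid.Value; Name = $name; Resolved = $true }
    } catch {
        # IdentityNotMappedException: no account with this SID exists any more
        [pscustomobject]@{ Sid = $sid.Value; Name = '<unresolved SID>'; Resolved = $false }
    }
}

$report = foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $Rights.ContainsKey($Matches[1])) {
        $display = $Rights[$Matches[1]]
        foreach ($entry in ($Matches[2] -split ',' | Where-Object { $_.Trim() })) {
            $p = Resolve-Principal $entry.Trim()
            [pscustomobject]@{ Right = $display; Principal = $p.Name; Sid = $p.Sid; Resolved = $p.Resolved }
        }
    }
}
Remove-Item -Path $cfg -Force

$report | Sort-Object Right, Principal | Format-Table -AutoSize

# Checks that match the symptoms discussed in this thread.
if (-not ($report | Where-Object { $_.Right -eq 'Allow log on locally' })) {
    Write-Warning 'No SeInteractiveLogonRight line in the export; check which policy applies here.'
}
foreach ($r in $report | Where-Object { -not $_.Resolved }) {
    Write-Warning "Orphaned SID in '$($r.Right)': $($r.Sid) (deleted account; remove it from the policy)"
}
foreach ($r in $report | Where-Object { $_.Right -eq 'Deny log on locally' }) {
    Write-Warning "Deny entry present: $($r.Principal) cannot log on interactively here whatever the allow list says"
}
```

Because secedit exports the security database as it is after policy has applied, the report reflects the combined result of every GPO in scope plus the local policy, which is what you want when, as here, the default policies look clean but users still cannot log on.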
Hello Meinolf,

I did check this GPO but they are not defined (both Default
domain policy and default domain controller policy). The
CEO at their end seems not to be happy at all.

Regards,

"Meinolf Weber [MVP-DS]" wrote:

Hello vdz,

If they get the error message on their local computer, when trying to logon with domain user account, password and choosing their OWN domain in "Logon to", check that no GPO in the domain is configured with "Deny logon locally".

Best regards

Meinolf Weber
Hello Meinolf,

Sorry for the confusion.
They can logon to the Terminal Server using RDC, they have no problems with this logon. They did have the problem with logon on their PCs and I had to assign each user to local administrator of his/her PC.
What I meant was that because they have the TS up and running and users have logon to this TS, somehow it might cause this issue.
At my end, I have done a trust between 2 forests before with another partner, we did not have any issues and we did not have TS.
Thanks a lot
Regards
"Meinolf Weber [MVP-DS]" wrote:
Hello vdz,

On which of them did they have the problem, please give some more details? Or did they logon to the DC for work, same for Exchange?

Or did they work only on the TS? If that is the case,
did they use the correct amount of TS Client access
licenses? Which mode is the TS running, application or
remote administration?

Best regards

Meinolf Weber
They have:
1x 2003 terminal server
1x 2003 DC
1x 2003 file server + Exchange 07
Apparently they all have logon locally and remote desktop (Terminal Services) as well, which is where I think the issue lies.
Thanks a lot Meinolf
Regards
"Meinolf Weber [MVP-DS]" wrote:
Hello vdz,

Where do they logon, sounds like on the server? Is
that a terminal server or domain controller or member
server? Are the users allowed to logon locally and in
the remote desktop user group?

Best regards

Meinolf Weber
The local policy of this system does not permit you to logon interactively


