Re: Problem with NT4 domain trusting W2003 domain



Hi Franz,

I'm sorry to hear that my suggestions didn't help. But I'm glad to hear
that you have a workaround for your customer.

I have delivered your problem to an internal discussion group and I will
let you know if there is any further information.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security


--------------------
| From: "Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx>
| References: <u0xnOOHjFHA.3936@xxxxxxxxxxxxxxxxxxxx>
<gEXo4hRjFHA.588@xxxxxxxxxxxxxxxxxxxxx>
<uiWYSUSjFHA.3960@xxxxxxxxxxxxxxxxxxxx>
<y9WORNcjFHA.940@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Problem with NT4 domain trusting W2003 domain
| Date: Thu, 21 Jul 2005 10:54:09 +0200
| Lines: 856
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
| X-RFC2646: Format=Flowed; Original
| Message-ID: <eXtcdGdjFHA.3316@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.migration
| NNTP-Posting-Host: mail.fitit.ch 81.6.6.11
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:11340
| X-Tomcat-NG: microsoft.public.windows.server.migration
|
| Hi Vincent
|
| Thank you very much for your help. Unfortunately, still the same problem,
| although it's a good idea to disable SMB signing (we always have problems
| with that since Microsoft enabled this option by default...). I also have
| implemented the settings you suggested in the "default domain controller
| GPO" and not in the local GPO, and verified with GPMC that they are
| successfully applied. An HTML report of the effective GPO settings is in
| the attached ZIP file.
|
| Although I don't understand why I have this problem (it seems not logical
| to me), we have a workaround at the customer site (installed the VNC Remote
| Control tool on the NT4 machine, and the Exchange 5.5 Admin Tools work
| fine). And we can share NT4 resources for the W2003 domain users by
| entering all ACL information manually.
| If you have another idea, I'm very glad to know about it (according to the
| security event log on the Windows 2003 DC, NT4 tries to log on with the
| <NT4-domain>\Administrator account on the Windows 2003 DC for retrieving
| the list of Windows 2003 groups and users; that's the point I don't
| understand).
| But I think that there is no need for you to have too much work for us on
| this issue.
|
| Thank you again for the excellent support!
| Franz
|
| "Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:y9WORNcjFHA.940@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi Franz,
| >
| > Thank you for your update.
| >
| > I have performed further research on your issue. For your situation (in
| > a mixed domain environment, and the issue didn't occur with a two-way
| > trust), I suspect there are some settings in security options that
| > caused this problem; please check:
| >
| > 1. Run "gpedit.msc"
| > 2. Expand to "Computer configuration\Windows Settings\local
| > policies\Security options\"
| > 3. Check following policies:
| >
| > "Microsoft Network Server: Digitally sign communications" set to
| > disable.
| > "Network access: Allow anonymous SID/Name translation" set to enable.
| > "Network access: Do not allow anonymous enumeration of SAM accounts"
| > set to disable.
| > "Network access: Do not allow anonymous enumeration of SAM accounts and
| > shares" set to disable.
| > "Network access: Restrict anonymous access to Named Pipes and Shares"
| > set to disable.
| >
| > I hope the suggestions can help.
| >
| > Best regards,
| >
| > Vincent Xu
| > Microsoft Online Partner Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| >
| > --------------------
| > | From: "Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx>
| > | References: <u0xnOOHjFHA.3936@xxxxxxxxxxxxxxxxxxxx>
| > <gEXo4hRjFHA.588@xxxxxxxxxxxxxxxxxxxxx>
| > | Subject: Re: Problem with NT4 domain trusting W2003 domain
| > | Date: Wed, 20 Jul 2005 14:19:06 +0200
| > | Lines: 530
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
| > | X-RFC2646: Format=Flowed; Original
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
| > | Message-ID: <uiWYSUSjFHA.3960@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.migration
| > | NNTP-Posting-Host: mail.fitit.ch 81.6.6.11
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl
| > microsoft.public.windows.server.migration:11324
| > | X-Tomcat-NG: microsoft.public.windows.server.migration
| > |
| > | Hi Vincent
| > |
| > | Thank you so far for the support! But it still doesn't work. What I've
| > | done so far:
| > |
| > | - Recreated the trust according to KB 325874: Same result. I can choose
| > | the Windows 2003 domain in the ACL Editor, but instead of displaying the
| > | user list of the Windows 2003 domain, I'm still getting the error "Unable
| > | to browse the selected domain because the following error occurred:
| > | Access is denied".
| > |
| > | - Accessing resources on the NT4 Server from the Windows 2003 domain
| > | works as it should (even with the error message in the NT4 ACL Editor,
| > | it's possible to add an ACL entry by writing the username manually).
| > |
| > | - When adding a two-way trust, the problem does not occur! It's
| > | possible to browse the Windows 2003 domain in the NT4 ACL Editor.
| > |
| > | I've tested this with two VMs on our Virtual Server, but the reason
| > | for that is because we have the same problem at a customer location with
| > | an NT4 domain trusting a Windows 2003 domain. Granting access to files on
| > | the NT4 servers is possible by manually entering user/group names in the
| > | ACL Editor. But the problem we have at the customer site is that there is
| > | Exchange 5.5 running in the NT4 domain. Although we granted Admin rights
| > | to a Windows 2003 user on the Exchange 5.5 organisation, we are getting
| > | access denied errors when running Exchange 5.5 Admin with the Windows
| > | 2003 user.
| > | Before digging into Exchange, I want to be sure that the trust is OK,
| > | and the behaviour we have is wrong in my opinion. It should be possible
| > | to browse the Windows 2003 Users in the NT4 ACL Editor even with a
| > | one-way trust (NT4 --> Windows 2003).
| > |
| > | Attached gplog.txt at the end of this message
| > | Thank you in advance for any further advice!
| > | Franz
| > | -----------------------
| > |
| > |
| > | Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
| > | Copyright (C) Microsoft Corp. 1981-2001
| > |
| > | Created On 20.07.2005 at 13:36:32
| > |
| > |
| > |
| > | RSOP data for STADTBIEL\Administrator on GHOSTSRVBIEL : Logging Mode
| > | ---------------------------------------------------------------------
| > |
| > | OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
| > | OS Configuration: Primary Domain Controller
| > | OS Version: 5.2.3790
| > | Terminal Server Mode: Remote Administration
| > | Site Name: Default-First-Site-Name
| > | Roaming Profile:
| > | Local Profile: C:\Documents and Settings\Administrator
| > | Connected over a slow link?: No
| > |
| > |
| > | COMPUTER SETTINGS
| > | ------------------
| > | CN=GHOSTSRVBIEL,OU=Domain Controllers,DC=stadtbiel,DC=local
| > | Last time Group Policy was applied: 20.07.2005 at 13:32:39
| > | Group Policy was applied from: ghostsrvbiel.stadtbiel.local
| > | Group Policy slow link threshold: 500 kbps
| > | Domain Name: STADTBIEL
| > | Domain Type: Windows 2000
| > |
| > | Applied Group Policy Objects
| > | -----------------------------
| > | Default Domain Controllers Policy
| > | 1stSW
| > | Default Domain Policy
| > |
| > | The following GPOs were not applied because they were filtered out
| > | -------------------------------------------------------------------
| > | Local Group Policy
| > | Filtering: Not Applied (Empty)
| > |
| > | The computer is a part of the following security groups
| > | -------------------------------------------------------
| > | BUILTIN\Administrators
| > | Everyone
| > | BUILTIN\Users
| > | BUILTIN\Pre-Windows 2000 Compatible Access
| > | Windows Authorization Access Group
| > | NT AUTHORITY\NETWORK
| > | NT AUTHORITY\Authenticated Users
| > | This Organization
| > | GHOSTSRVBIEL$
| > | Exchange Domain Servers
| > | Domain Controllers
| > | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
| > | Exchange Enterprise Servers
| > |
| > | Resultant Set Of Policies for Computer
| > | ---------------------------------------
| > |
| > | Software Installations
| > | ----------------------
| > | N/A
| > |
| > | Startup Scripts
| > | ---------------
| > | N/A
| > |
| > | Shutdown Scripts
| > | ----------------
| > | N/A
| > |
| > | Account Policies
| > | ----------------
| > | GPO: Default Domain Policy
| > | Policy: MaxServiceAge
| > | Computer Setting: 600
| > |
| > | GPO: Default Domain Policy
| > | Policy: MaxTicketAge
| > | Computer Setting: 10
| > |
| > | GPO: Default Domain Policy
| > | Policy: MinimumPasswordAge
| > | Computer Setting: 1
| > |
| > | GPO: Default Domain Policy
| > | Policy: PasswordHistorySize
| > | Computer Setting: 24
| > |
| > | GPO: Default Domain Policy
| > | Policy: MaxClockSkew
| > | Computer Setting: 5
| > |
| > | GPO: Default Domain Policy
| > | Policy: MinimumPasswordLength
| > | Computer Setting: 5
| > |
| > | GPO: Default Domain Policy
| > | Policy: LockoutBadCount
| > | Computer Setting: N/A
| > |
| > | GPO: Default Domain Policy
| > | Policy: MaximumPasswordAge
| > | Computer Setting: 42
| > |
| > | GPO: Default Domain Policy
| > | Policy: MaxRenewAge
| > | Computer Setting: 7
| > |
| > | Audit Policy
| > | ------------
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditPolicyChange
| > | Computer Setting: Success
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditPrivilegeUse
| > | Computer Setting: No Auditing
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditDSAccess
| > | Computer Setting: Success
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditAccountLogon
| > | Computer Setting: Success, Failure
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditObjectAccess
| > | Computer Setting: No Auditing
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditAccountManage
| > | Computer Setting: Success, Failure
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditLogonEvents
| > | Computer Setting: Success, Failure
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditProcessTracking
| > | Computer Setting: No Auditing
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditSystemEvents
| > | Computer Setting: Success
| > |
| > | User Rights
| > | -----------
| > | GPO: Default Domain Controllers Policy
| > | Policy: MachineAccountPrivilege
| > | Computer Setting: Authenticated Users
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: DenyNetworkLogonRight
| > | Computer Setting: STADTBIEL\SUPPORT_388945a0
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: RestorePrivilege
| > | Computer Setting: STADTBIEL\Administrator
| > | Server Operators
| > | Backup Operators
| > | Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: TcbPrivilege
| > | Computer Setting: STADTBIEL\Administrator
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: SystemProfilePrivilege
| > | Computer Setting: Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: DenyServiceLogonRight
| > | Computer Setting: N/A
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: ServiceLogonRight
| > | Computer Setting: NETWORK SERVICE
| > | STADTBIEL\Administrator
| > | BUILTIN
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: UndockPrivilege
| > | Computer Setting: Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: CreatePermanentPrivilege
| > | Computer Setting: N/A
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AuditPrivilege
| > | Computer Setting: STADTBIEL\Administrator
| > | NETWORK SERVICE
| > | LOCAL SERVICE
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: TakeOwnershipPrivilege
| > | Computer Setting: Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: CreatePagefilePrivilege
| > | Computer Setting: Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: EnableDelegationPrivilege
| > | Computer Setting: Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: DebugPrivilege
| > | Computer Setting: Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: SystemTimePrivilege
| > | Computer Setting: Server Operators
| > | Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: DenyBatchLogonRight
| > | Computer Setting: N/A
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: BackupPrivilege
| > | Computer Setting: Server Operators
| > | Backup Operators
| > | Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: CreateTokenPrivilege
| > | Computer Setting: N/A
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: ChangeNotifyPrivilege
| > | Computer Setting: Pre-Windows 2000 Compatible Access
| > | Authenticated Users
| > | Administrators
| > | Everyone
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: SyncAgentPrivilege
| > | Computer Setting: N/A
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: ProfileSingleProcessPrivilege
| > | Computer Setting: Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: LoadDriverPrivilege
| > | Computer Setting: Print Operators
| > | Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: InteractiveLogonRight
| > | Computer Setting: Print Operators
| > | Server Operators
| > | Account Operators
| > | Backup Operators
| > | Administrators
| > | STADTBIEL\IUSR_GHOSTSRVBIEL
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: RemoteShutdownPrivilege
| > | Computer Setting: Server Operators
| > | Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: IncreaseBasePriorityPrivilege
| > | Computer Setting: Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: NetworkLogonRight
| > | Computer Setting: Pre-Windows 2000 Compatible Access
| > | ENTERPRISE DOMAIN CONTROLLERS
| > | Authenticated Users
| > | Administrators
| > | Everyone
| > | STADTBIEL\IWAM_GHOSTSRVBIEL
| > | STADTBIEL\IUSR_GHOSTSRVBIEL
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: LockMemoryPrivilege
| > | Computer Setting: N/A
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: ShutdownPrivilege
| > | Computer Setting: Print Operators
| > | Server Operators
| > | Backup Operators
| > | Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: SecurityPrivilege
| > | Computer Setting: STADTBIEL\Exchange Enterprise Servers
| > | Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: AssignPrimaryTokenPrivilege
| > | Computer Setting: NETWORK SERVICE
| > | LOCAL SERVICE
| > | STADTBIEL\IWAM_GHOSTSRVBIEL
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: SystemEnvironmentPrivilege
| > | Computer Setting: Administrators
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: IncreaseQuotaPrivilege
| > | Computer Setting: Administrators
| > | NETWORK SERVICE
| > | LOCAL SERVICE
| > | STADTBIEL\IWAM_GHOSTSRVBIEL
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: BatchLogonRight
| > | Computer Setting: STADTBIEL\SQLDebugger
| > | STADTBIEL\IIS_WPG
| > | STADTBIEL\IUSR_GHOSTSRVBIEL
| > | STADTBIEL\SUPPORT_388945a0
| > | LOCAL SERVICE
| > | STADTBIEL\IWAM_GHOSTSRVBIEL
| > | STADTBIEL\Administrator
| > |
| > | GPO: Default Domain Controllers Policy
| > | Policy: DenyInteractiveLogonRight
| > | Computer Setting: STADTBIEL\SQLDebugger
| > | STADTBIEL\SUPPORT_388945a0
| > |
| > | Security Options
| > | ----------------
| > | GPO: Default Domain Policy
| > | Policy: TicketValidateClient
| > | Computer Setting: Enabled
| > |
| > | GPO: Default Domain Policy
| > | Policy: RequireLogonToChangePassword
| > | Computer Setting: Not Enabled
| > |
| > | GPO: Default Domain Policy
| > | Policy: PasswordComplexity
| > | Computer Setting: Not Enabled
| > |
| > | GPO: Default Domain Policy
| > | Policy: ForceLogoffWhenHourExpire
| > | Computer Setting: Not Enabled
| > |
| > | GPO: Default Domain Policy
| > | Policy: ClearTextPassword
| > | Computer Setting: Not Enabled
| > |
| > | Event Log Settings
| > | ------------------
| > | N/A
| > |
| > | Restricted Groups
| > | -----------------
| > | N/A
| > |
| > | System Services
| > | ---------------
| > | N/A
| > |
| > | Registry Settings
| > | -----------------
| > | N/A
| > |
| > | File System Settings
| > | --------------------
| > | N/A
| > |
| > | Public Key Policies
| > | -------------------
| > | N/A
| > |
| > | Administrative Templates
| > | ------------------------
| > | N/A
| > |
| > |
| > | USER SETTINGS
| > | --------------
| > | CN=Administrator,CN=Users,DC=stadtbiel,DC=local
| > | Last time Group Policy was applied: 20.07.2005 at 13:12:47
| > | Group Policy was applied from: ghostsrvbiel.stadtbiel.local
| > | Group Policy slow link threshold: 500 kbps
| > | Domain Name: STADTBIEL
| > | Domain Type: Windows 2000
| > |
| > | Applied Group Policy Objects
| > | -----------------------------
| > | Default Domain Policy
| > |
| > | The following GPOs were not applied because they were filtered out
| > | -------------------------------------------------------------------
| > | 1stSW
| > | Filtering: Not Applied (Empty)
| > |
| > | Local Group Policy
| > | Filtering: Not Applied (Empty)
| > |
| > | The user is a part of the following security groups
| > | ---------------------------------------------------
| > | Domain Users
| > | Everyone
| > | BUILTIN\Administrators
| > | BUILTIN\Users
| > | BUILTIN\Pre-Windows 2000 Compatible Access
| > | NT AUTHORITY\INTERACTIVE
| > | NT AUTHORITY\Authenticated Users
| > | This Organization
| > | LOCAL
| > | Domain Admins
| > | Group Policy Creator Owners
| > | Exchange Services
| > | Exchange Domain Servers
| > | Schema Admins
| > | Enterprise Admins
| > | Exchange Enterprise Servers
| > |
| > | The user has the following security privileges
| > | ----------------------------------------------
| > |
| > | Bypass traverse checking
| > | Manage auditing and security log
| > | Back up files and directories
| > | Restore files and directories
| > | Change the system time
| > | Shut down the system
| > | Force shutdown from a remote system
| > | Take ownership of files or other objects
| > | Debug programs
| > | Modify firmware environment values
| > | Profile system performance
| > | Profile single process
| > | Increase scheduling priority
| > | Load and unload device drivers
| > | Create a pagefile
| > | Adjust memory quotas for a process
| > | Remove computer from docking station
| > | Perform volume maintenance tasks
| > | Impersonate a client after authentication
| > | Create global objects
| > | Enable computer and user accounts to be trusted for delegation
| > | Add workstations to domain
| > |
| > | Resultant Set Of Policies for User
| > | -----------------------------------
| > |
| > | Software Installations
| > | ----------------------
| > | N/A
| > |
| > | Logon Scripts
| > | -------------
| > | N/A
| > |
| > | Logoff Scripts
| > | --------------
| > | N/A
| > |
| > | Public Key Policies
| > | -------------------
| > | N/A
| > |
| > | Administrative Templates
| > | ------------------------
| > | N/A
| > |
| > | Folder Redirection
| > | ------------------
| > | N/A
| > |
| > | Internet Explorer Browser User Interface
| > | ----------------------------------------
| > | N/A
| > |
| > | Internet Explorer Connection
| > | ----------------------------
| > | N/A
| > |
| > | Internet Explorer URLs
| > | ----------------------
| > | N/A
| > |
| > | Internet Explorer Security
| > | --------------------------
| > | N/A
| > |
| > | Internet Explorer Programs
| > | --------------------------
| > | N/A
| > |
| > |
| > |
| >
|
|
|
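The security options suggested in the thread above (disabling SMB signing on the server side, allowing anonymous SID/name translation, and lifting the three anonymous-enumeration restrictions) widen what an unauthenticated client can read from the domain controller, so they are worth auditing once the troubleshooting is over. The script below is an added example and is not part of the thread or of any Microsoft tool; it assumes an elevated PowerShell session on the Windows domain controller. The registry values it reads (RequireSecuritySignature, RestrictAnonymousSAM, RestrictAnonymous, RestrictNullSessAccess) are the standard backing store for those Group Policy options; "Allow anonymous SID/Name translation" is LSA policy rather than a registry value, so it is read as LSAAnonymousNameLookup from a secedit export. A missing value is reported for review rather than judged, because it means the policy is "Not Defined" and the OS default applies.

```powershell
# Added example (not from the thread): audit the security options the troubleshooting
# steps relax and report which ones are still in the relaxed state.
# Assumes an elevated PowerShell session on the Windows domain controller.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Registry-backed options. 'Hardened' is the value that keeps anonymous access
# restricted or signing required; the thread's troubleshooting step sets the opposite.
$RegistryChecks = @(
    [pscustomobject]@{ Policy = 'Microsoft network server: Digitally sign communications (always)'
                       Key = $ServerKey; Value = 'RequireSecuritySignature'; Hardened = 1 }
    [pscustomobject]@{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts'
                       Key = $LsaKey;    Value = 'RestrictAnonymousSAM';     Hardened = 1 }
    [pscustomobject]@{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
                       Key = $LsaKey;    Value = 'RestrictAnonymous';        Hardened = 1 }
    [pscustomobject]@{ Policy = 'Network access: Restrict anonymous access to Named Pipes and Shares'
                       Key = $ServerKey; Value = 'RestrictNullSessAccess';   Hardened = 1 }
)

function Get-RegistryPolicyValue {
    param([string]$Key, [string]$Value)
    # $null means the value is absent: the policy is "Not Defined" and the OS default applies.
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Value
}

function Get-LsaAnonymousNameLookup {
    # 'Network access: Allow anonymous SID/Name translation' lives in LSA policy, so export
    # the local security policy with secedit and read LSAAnonymousNameLookup from it.
    # 0 = anonymous SID/name translation disabled (hardened), 1 = allowed.
    $tmp = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $tmp /quiet | Out-Null
        $m = Select-String -Path $tmp -Pattern '^LSAAnonymousNameLookup\s*=\s*(\d)' |
             Select-Object -First 1
        if ($m) { return [int]$m.Matches[0].Groups[1].Value }
        return $null
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

function New-PolicyRow {
    param([string]$Policy, $Current, [int]$Hardened)
    # Verdict: OK when the hardened value is set, RELAXED when the opposite is set,
    # REVIEW when nothing is set and the OS default decides.
    if ($null -eq $Current)          { $state = 'REVIEW (OS default applies)'; $shown = 'not set' }
    elseif ($Current -eq $Hardened)  { $state = 'OK';      $shown = $Current }
    else                             { $state = 'RELAXED'; $shown = $Current }
    [pscustomobject]@{ Policy = $Policy; Current = $shown; Hardened = $Hardened; State = $state }
}

function Test-AnonymousAccessHardening {
    # One row per policy from the thread: current value, hardened value and verdict.
    foreach ($c in $RegistryChecks) {
        New-PolicyRow -Policy $c.Policy -Hardened $c.Hardened `
                      -Current (Get-RegistryPolicyValue -Key $c.Key -Value $c.Value)
    }
    New-PolicyRow -Policy 'Network access: Allow anonymous SID/Name translation' `
                  -Hardened 0 -Current (Get-LsaAnonymousNameLookup)
}

$report = Test-AnonymousAccessHardening
$report | Format-Table -AutoSize
if ($report.State -contains 'RELAXED') {
    Write-Warning 'One or more anonymous-access restrictions are relaxed; confirm this is intentional and time-boxed.'
}
```

Run it once before changing the policies to record the baseline, and again after the troubleshooting window closes; any row still marked RELAXED is a setting that was loosened for the NT4 trust test and not put back. Because the thread applied the settings through the Default Domain Controllers GPO rather than the local policy, remember that Group Policy will re-apply whatever the GPO says at the next refresh, so the GPO itself (not just the local registry) is what needs to be corrected.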
