Solved

Problem logging into Windows 2000 domain from Win2K professional workstation

Posted on 2002-03-13
Last Modified: 2010-04-14
I have a Windows 2000 server set up as the domain controller running AD. I have 7 workstations running Windows 98SE and three workstations running Windows 2000 Professional. I have no problem logging into the domain from any of the Windows 98 workstations, but cannot log into the domain from the Windows 2000 Professional workstations unless the user has administrative rights on the server. If the user logs into the local workstation he can then see the server and I can map drives and access the internet through the firewall and router. However, if that same user tries to log into the domain, I get the error "the local policy of this system does not permit you to logon interactively". I have searched everywhere for an answer and cannot find a solution. I have checked in the domain controller security policy and the domain security policy and there are no entries that "deny logon locally" and I have added this user in "allow logon locally" and this does not solve the problem. I really do not think that I am trying to log on locally, just log into the domain. What is really baffling me is that the problem is limited to the Windows 2000 Professional machines and not the Windows 98 ones. I could use some help.
0
Question by:dashman
LVL 25

Expert Comment

by:dew_associates
ID: 6863657
Hi Dashman,

This shouldn't be difficult.

1. Connect to the problem computer with a Net use x: \\ProblemComputerName\C$ <Password> /u:Administrator

2. Navigate to the %SystemRoot%\Security\Database folder.

3. Rename Secedit.sdb to Secedit.old_sdb.

4. Copy an operational Secedit.sdb from a Windows 2000 platform of the same edition (Server to Server or Professional to Professional).

5. Shut down and restart the problem computer.

NOTE: NTRights can be used to add the Log On Locally right remotely.

Or, log on to another client with Domain Admin rights and use Ntrights to remove the deny right:

ntrights -m \\computer -u <group or user to remove> -r SeDenyInteractiveLogonRight

Dennis
0
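For the Log On Locally and deny rights discussed in the comment above, this added example (not part of any poster's reply) parses the `[Privilege Rights]` section of a `secedit /export` file and evaluates whether a logon token is granted interactive logon, with a deny entry taking precedence over an allow. The function names `parse_rights` and `interactive_logon`, the INF text and the two tokens are constructed for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# file from a workstation (real exports are usually UTF-16; decode them first).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed logon tokens built from well-known SIDs only:
# Everyone, Authenticated Users, BUILTIN Users, BUILTIN Administrators.
ORDINARY_USER = ["S-1-1-0", "S-1-5-11", "S-1-5-32-545"]
ADMIN_USER = ORDINARY_USER + ["S-1-5-32-544"]


def parse_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep the case of right names such as SeInteractiveLogonRight
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # Entries are SIDs prefixed with '*' or plain account names.
            rights[name] = {p.strip().lstrip("*").upper()
                            for p in value.split(",") if p.strip()}
    return rights


def interactive_logon(rights, token_sids):
    """Classify a token as 'denied', 'allowed' or 'not granted' for local logon."""
    token = {s.upper() for s in token_sids}
    denied = token & rights.get("SeDenyInteractiveLogonRight", set())
    allowed = token & rights.get("SeInteractiveLogonRight", set())
    if denied:  # an explicit deny overrides any allow entry
        return ("denied", sorted(denied))
    if allowed:
        return ("allowed", sorted(allowed))
    return ("not granted", [])


if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    for label, token in (("ordinary", ORDINARY_USER), ("admin", ADMIN_USER)):
        print(label, interactive_logon(rights, token))
```

In the constructed sample the BUILTIN Users group is absent from SeInteractiveLogonRight, so only the administrator token is allowed, which matches the symptom described in the question.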
 

Author Comment

by:dashman
ID: 6864392
Do I do these steps on the workstation(s) that cannot log onto the domain controller or on the domain controller?
I saw this as one possible solution but in an attempt to understand the problem I cannot figure out why the win98 machines are not having the same problem.
0
 
LVL 1

Expert Comment

by:TedSenn
ID: 6864725
Has a computer security account been established? Only the Win NT (and above) systems require this. Win 98 doesn't. Since I don't have AD running here I cannot do any more than point you to your AD system, computer management.
0
LVL 1

Accepted Solution

by:
MPimentel earned 200 total points
ID: 6865538
To your comment of "I cannot figure out why the win98 machines are not having the same problem." That's because win 98 does not have a local SAM database and the windows 2000 does.

It seems to me that your computers are not properly joined to the domain and don't have a computer account and the admin password for the domain and the local machine are the same. The computers access all resources simply because they are in the same subnet and broadcast when you use Windows Explorer, not because they get authenticated. Log on as admin to the local machine, disjoin the computer from the domain, then remove all profiles in the machine and join them back.

If you use DHCP, make sure you send the option 15 (domain name) and send the appropriate DNS info.

If you can join them, from the command prompt type ipconfig /flushdns and then ipconfig /registerdns.

Hope this helps.
0
 
LVL 25

Expert Comment

by:dew_associates
ID: 6866831
You can do this either by logging into computers able to see the network and/or logon as long as they can be pinged and reached. Otherwise, do it locally.
0
 

Expert Comment

by:mbrown
ID: 6870879
Hi Dashman,
Did you check in the Domain Controller security policy, under user rights assignment, ACCESS THIS COMPUTER FROM THE NETWORK, whether you have given the right to Authenticated Users or to the Everyone group?
0
