Solved

Shared Windows User Accounts?

Posted on 2004-08-04
11
277 Views
Last Modified: 2010-04-19
Hi Experts,

Hope you can help, I am stumped.

I have set up a Windows Server 2003 using Active Directory domain controller. The server is hosting an ASP offering. Basically clients subscribe to use applications and I install them and assign a Windows user account. Clients are accessing the applications via a web browser and using a client installed ActiveX control to stream the remote running app to the client PC. The client streaming software is provided by GraphOn and uses the assigned Windows account to enable the client's remote access to the application.

My problem is that my applications do not support concurrent users. Each application is assigned a single Windows user account. Each application will have many users logging in at the same time using the same shared user account. What is happening is that one user can log in and use the app no problem, another user comes along and login is successful but the app fails to load and reports an error message stating that it could not dynamically load functions from a .dll.

In trying to isolate the problem I tried using the Administrator account instead of my Windows user account. The Administrator can launch multiple application sessions using the same account no problem so it leads me to believe my problem lies in some policy setting somewhere...

I set up an Organisation unit with one user group, created a group policy that defined nothing but allow log on locally and blocked policy inheritance, still nothing and I am not sure what if any policy setting could rectify the issue. I am trying to identify how to set up user accounts so that they have the same multiple session rights as the Administrator account.

Any help is much appreciated.

Kind Regards,

Greg

Question by:greghess
11 Comments
 
LVL 16

Expert Comment

by:JamesDS
ID: 11717674
greghess

Take a look at the security options available in Group Policy or local system policy. The need to load multiple copies of your .DLL may be related to batch processing or the ability to act as part of the OS. You can assign these rights in bulk and then remove them one by one until you find the one that makes the difference.

Cheers

JamesDS
0
 

Author Comment

by:greghess
ID: 11718172
Thanks James,

I have been performing minor alterations/testing but am starting to feel like I am looking for a needle in a hay stack.

I have followed your suggestion and edited my user group policy under Security Settings>Local Policies>User Rights Assignment> Act as part of the OS and added the user group. I also performed the same operation under the Default Domain Controller Security Settings with no success.

I was unable to find an "allow batch processing" but did see the "deny batch processing" and the "deny" setting was undefined and block policy inheritance is disabled so it should not inherit it?

Do you know if a reboot is required after every policy change? The changes seem to take effect but not sure if I should be rebooting?

Thanks,

Greg
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 11718878
greghess

To force a policy refresh on Windows 2003 and XP use the command:

GPUPDATE /FORCE

There is a similar command under Windows 2000; look at secedit.EXE if you need it.

An undefined setting is exactly that, regardless of inheritance.

There is also a set of policy settings under user rights assignment that will probably help you, but you still have lots of testing to do :)

Cheers

JamesDS
0
 

Author Comment

by:greghess
ID: 11719009
James,

From your experience do you think that my problem resides under User Rights Assignment?

If I have a group policy defined and inheritance is blocked is it also necessary to alter the Default Domain Controller Security settings? Currently I am duplicating all entries made in the Group Policy in the Default Domain Controller Security Settings, but am not sure if that is needed.

Many of the policy entries seem unrelated, any help at identifying applicable settings would be much appreciated.

Cheers,

Greg
0

 
LVL 16

Expert Comment

by:JamesDS
ID: 11723404
greghess
If the Administrator is able to use the app, but a user is not then try using the security options and user rights to duplicate the administrator privs as much as possible.

It is also possible that the problem is related to rights in IIS and rights to the files opened by the web browser so look there as well.

Security options and user rights assignment is the first place I'd look, but you don't need to duplicate the settings in the default domain policy, you should leave that alone.

Cheers

JamesDS
0
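
Added example, not part of the thread: a Python script for the compare-against-Administrator approach suggested above, working from the text that `secedit /export /areas USER_RIGHTS /cfg rights.inf` writes. In that export "Act as part of the operating system" appears as SeTcbPrivilege and "Log on as a batch job" as SeBatchLogonRight; the sample export, the group SID ending in -1105 and the HIGH_IMPACT list are constructed for illustration.

```python
import configparser

# Constructed sample of a secedit USER_RIGHTS export (a real export is
# UTF-16, so read it with encoding="utf-16"). The SID ending in -1105 is a
# made-up stand-in for the group that holds the shared application accounts.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeBatchLogonRight = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Rights that give the holder system-level authority; these should not stay
# on a shared account once testing is over (illustrative list, not complete).
HIGH_IMPACT = {"SeTcbPrivilege", "SeDebugPrivilege", "SeImpersonatePrivilege"}


def parse_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    return {name: {p.strip() for p in value.split(",") if p.strip()}
            for name, value in cp.items("Privilege Rights")}


def compare(rights, group, reference=ADMINS):
    """Return (rights only the reference holds, high-impact rights the group holds)."""
    candidates = sorted(r for r, who in rights.items()
                        if reference in who and group not in who)
    to_roll_back = sorted(r for r, who in rights.items()
                          if group in who and r in HIGH_IMPACT)
    return candidates, to_roll_back
```

The first list is the set of rights to test one at a time; the second is what to remove from the group again once the test is done. In the constructed sample the group holds SeTcbPrivilege even though Administrators does not.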
 

Author Comment

by:greghess
ID: 11785527
Thanks for your help JamesDS,

It seems I have identified the problem and solution. My network configuration had a single server as the Domain Controller and application host. By simply setting up another server to act as the Domain Controller and having my applications hosted on a separate server node within the domain it all works fine. I have yet to identify the core cause but am just happy it has been identified and a viable solution is at hand.

Unfortunately I am new to Windows Networking and setup and was not aware of any potential problems with my network design even though it was just for testing/integration with limited server resources.

What is the standard for setting up a Domain, in that do most administrators have the Domain Controller on a separate server and that is the sole job of that server and all work horse servers act as nodes under the Domain?

Are there guidelines for such network configuration?

Also as a side question, as a result of farming the Domain Controller out to a separate server I have a new issue found with a posting here: http://www.experts-exchange.com/Programming/Programming_Languages/Visual_Basic/Q_21090835.html#11780074 maybe you could help with.

Cheers,

Greg
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 11785702
greghess

It is normal practice to separate the DC from the other functions on the network; this practice is largely to reduce the impact other applications have on the operation of the DC and to ease backup and restore.

Your script is probably failing because of DNS.

Make sure you have your DC and ALL internal machines pointing to the SAME INTERNALLY CONTROLLED DNS Server that hosts the zone for your AD domain. AD will not work where DNS is pointing to the DC that you do not have full read/write access to.

Cheers

JamesDS
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12602381
Dammit - Mods, I meant PAQ - REFUND
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12637507
PAQed with points refunded (500)

modulo
Community Support Moderator
0
