greghess

Shared Windows User Accounts?

Hi Experts,

Hope you can help, I am stumped.

I have set up a Windows Server 2003 using Active Directory domain controller. The server is hosting an ASP offering. Basically clients subscribe to use applications and I install them and assign a Windows user account. Clients are accessing the applications via a web browser and using a client installed ActiveX control to stream the remote running app to the client PC. The client streaming software is provided by GraphOn and uses the assigned Windows Account to enable the client's remote access to the application.

My problem is that my applications do not support concurrent users. Each application is assigned a single Windows user account. Each application will have many users logging in at the same time using the same shared user account. What is happening is that one user can login and use the app no problem, another user comes along and login is successful but the app fails to load and reports an error message stating that it could not dynamically load functions from a .dll.

In trying to isolate the problem I tried using the Administrator account instead of my Windows user account. The Administrator can launch multiple application sessions using the same account no problem so it leads me to believe my problem lies in some policy setting somewhere...

I set up an Organisation unit with one user group, created a group policy that defined nothing but allow log on locally and blocked policy inheritance, still nothing and I am not sure what if any policy setting could rectify the issue. I am trying to identify how to set up user accounts so that they have the same multiple session rights as the Administrator account.

Any help is much appreciated.

Kind Regards,

Greg

JamesDS

greghess

Take a look at the security options available in Group Policy or local system policy. The need to load multiple copies of your .DLL may be related to batch processing or the ability to act as part of the OS. You can assign these rights in bulk and then remove them one by one until you find the one that makes the difference.

Cheers

JamesDS

ASKER

Thanks James,

I have been performing minor alterations/testing but am starting to feel like I am looking for a needle in a hay stack.

I have followed your suggestion and edited my user group policy under Security Settings>Local Policies>User Rights Assignment> Act as part of the OS and added the user group. I also performed the same operation under the Default Domain Controller Security Settings with no success.

I was unable to find an "allow batch processing" but did see the "deny batch processing" and the "deny" setting was undefined and block policy inheritance is disabled so it should not inherit it?

Do you know if a reboot is required after every policy change? The changes seem to take effect but not sure if I should be rebooting?

Thanks,

Greg
greghess

To force a policy refresh on Windows 2003 and XP use the command:

GPUPDATE /FORCE

There is a similar command under Windows 2000; look at secedit.EXE if you need it.

An undefined setting is exactly that, regardless of inheritance.

There is also a set of policy settings under user rights assignment that will probably help you, but you still have lots of testing to do :)

Cheers

JamesDS
James,

From your experience do you think that my problem resides under User Rights Assignment?

If I have a group policy defined and inheritance is blocked is it also necessary to alter the Default Domain Controller Security settings? Currently I am duplicating all entries made in the Group Policy in the Default Domain Controller Security Settings, but am not sure if that is needed.

Many of the policy entries seem unrelated, any help at identifying applicable settings would be much appreciated.

Cheers,

Greg
greghess
If the Administrator is able to use the app, but a user is not then try using the security options and user rights to duplicate the administrator privs as much as possible.

It is also possible that the problem is related to rights in IIS and rights to the files opened by the web browser so look there as well.

Security options and user rights assignment is the first place I'd look, but you don't need to duplicate the settings in the default domain policy, you should leave that alone.

Cheers

JamesDS
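
(Added example, not part of the thread.) The comparison JamesDS suggests, user rights of the Administrator versus the shared account, can be done by exporting the assignments with secedit /export /cfg rights.inf /areas USER_RIGHTS and diffing the [Privilege Rights] section. The sketch below does that and also flags sensitive rights left on the account after bulk testing; the sample export is constructed and the group name AppUsers is hypothetical.

```python
# Added example (not from the thread). Parses the [Privilege Rights] section
# of a secedit export. SAMPLE_INF is constructed; "AppUsers" is hypothetical.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,AppUsers
SeBatchLogonRight = *S-1-5-32-544
SeDenyBatchLogonRight =
SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-6
SeTcbPrivilege = AppUsers
[Version]
signature="$CHICAGO$"
"""
ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group
# Rights that should not stay granted to a shared account once testing is done.
SENSITIVE = ("SeTcbPrivilege", "SeDebugPrivilege")

def parse_privilege_rights(text):
    """Return {right_name: set of holders} from a secedit INF export."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Holders are comma-separated; SIDs carry a leading '*'.
            holders = (h.strip() for h in value.split(","))
            rights[name.strip()] = {h.lstrip("*").lower() for h in holders if h}
    return rights

def rights_held_by(rights, principal):
    # Direct grants only: rights inherited via group membership are not resolved.
    key = principal.lstrip("*").lower()
    return {name for name, holders in rights.items() if key in holders}

def rights_gap(rights, reference, candidate):
    """Rights the reference principal holds directly but the candidate does not."""
    return sorted(rights_held_by(rights, reference) - rights_held_by(rights, candidate))

def leftover_sensitive(rights, candidate):
    """Sensitive rights still assigned to the candidate, e.g. after bulk testing."""
    return sorted(set(SENSITIVE) & rights_held_by(rights, candidate))

if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_INF)
    print(rights_gap(parsed, ADMINISTRATORS, "AppUsers"), leftover_sensitive(parsed, "AppUsers"))
```
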
Thanks for your help JamesDS,

It seems I have identified the problem and solution. My network configuration had a single server as the Domain Controller and application host. By simply setting up another server to act as the Domain Controller and having my applications hosted on a separate server node within the domain it all works fine. I have yet to identify the core cause but am just happy it has been identified and a viable solution is at hand.

Unfortunately I am new to Windows Networking and setup and was not aware of any potential problems with my network design even though it was just for testing/integration with limited server resources.

What is the standard for setting up a Domain, in that do most administrators have the Domain Controller on a separate server and that is the sole job of that server and all work horse servers act as nodes under the Domain?

Are there guidelines for such network configuration?

Also as a side question, as a result of farming the Domain Controller out to a separate server I have a new issue found with a posting here: https://www.experts-exchange.com/questions/21090835/Creating-Domain-user-accounts-script.html#11780074 maybe you could help with.

Cheers,

Greg
greghess

It is normal practice to separate the DC from the other functions on the network, this practice is largely to reduce the impact other applications have on the operation of the DC and to ease backup and restore.

Your script is probably failing because of DNS.

Make sure you have your DC and ALL internal machines pointing to the SAME INTERNALLY CONTROLLED DNS Server that hosts the zone for your AD domain. AD will not work where DNS is pointing to the DC that you do not have full read/write access to.

Cheers

JamesDS
Dammit - Mods, I meant PAQ - REFUND