• Status: Solved

Can access all servers except one, get Access Denied

We have 12 servers (mainly W2k, some W2003) and 20 workstations (mainly XP Pro). One user, on an XP Pro notebook, can browse the shares on every machine except one, and that gives "Access Denied". I can browse it as an administrator, other people can too.

I suspect that a past administrator has tried to lock it down in some way, to restrict access to the developers only, but I can't find where he's done it. On all the other machines you can see the shares, but may not be able to open them; on this server (W2K) you can't even see the shares: as soon as you click on the computer's icon in Network Neighbourhood it errors.

Can anyone tell me exactly where to look?
Asked by crescendo
1 Solution
 
ZnalostCommented:
Hi crescendo,
Do you use AD (Active Directory) and are all servers and workstations domain members?

Cheers!
0
 
crescendoAuthor Commented:
Hi,

Yes to all of those. We have one domain, everything belongs to it. It's a pretty simple setup really.

0
 
ZnalostCommented:
crescendo,
Can you browse the server's shares if you logon to the affected computer (XP Pro notebook) as domain admin (not local computer admin)?
0
 
bmquintasCommented:
Znalost made a good point regarding the permissions: if you can access it from the laptop with an admin account, the past administrator must have changed the Domain Controller Security Policy, maybe the setting "Access this computer from the network".
0
 
crescendoAuthor Commented:
Znalost:

Yes, I can see the shares as domain administrator.

I was on site yesterday and it gets stranger and stranger. A colleague can see the server OK when logged in as a normal user, so I set the affected user up in exactly the same domain groups, but still no joy. Also, when logged on to the server itself, I can't see the shares on the notebook!
0
 
ZnalostCommented:
crescendo,
A question to start with. Did the user log off and then log on again after you had changed the group membership?

OK, the domain admin can access the shares located on the affected server from the affected computer/desktop, but the user cannot. That points to a permission issue related to the user account. Also, the user cannot access the shares only on the affected server, but he can see shares on all remaining servers. Therefore please check the following:
- local group policy (Local Security Settings/Local Policies/User Rights Assignment) on the affected server (Deny access to this computer from the network).
- In ADUC (Active Directory Users and Computers) locate the OU (Organizational Unit) where the computer account of the affected server resides. Check the group policy for the same settings as above for the local group policy.
0
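The two user rights Znalost points at (SeDenyNetworkLogonRight and its allow counterpart SeNetworkLogonRight) are where a "lock it down to developers only" change would normally live, and a deny entry wins over any share or NTFS permission. The script below is an added example, not code from the original thread or from either participant: it exports the effective local policy with secedit.exe, parses the [Privilege Rights] section, resolves the SIDs, and flags entries that name the account under test. It assumes a modern Windows host with PowerShell (the thread's W2K/XP machines predate it; on those the same export is `secedit /export /cfg file.inf /areas USER_RIGHTS` read by hand), and it takes the account name NMS\AP from the thread.

```powershell
# Added example (not from the original thread): list who is allowed and who is denied
# "Access this computer from the network" on the local machine, resolving SIDs to
# names, and flag entries that match a given account. Run elevated on the server in
# question. secedit.exe ships with every supported Windows version.

param(
    [string]$User = 'NMS\AP'   # account under test; taken from the thread
)

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt" }

# secedit writes an INI file. The [Privilege Rights] section holds lines such as
#   SeDenyNetworkLogonRight = *S-1-5-32-546,NMS\OldGroup
# Raw SIDs are prefixed with '*'; names are written as-is.
$rights  = @{}
$section = ''
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'Privilege Rights' -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}
Remove-Item $cfg -Force

function Resolve-Principal([string]$entry) {
    # Translate '*S-1-5-...' to DOMAIN\Name; leave unresolvable or named entries alone.
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }
}

# A deny right beats every share/NTFS ACL, so report it first. An empty allow list
# means nobody can reach the server over the network at all (not this thread's case).
foreach ($right in 'SeDenyNetworkLogonRight', 'SeNetworkLogonRight') {
    $entries = @($rights[$right])
    Write-Host ("`n{0} ({1} entries)" -f $right, $entries.Count)
    foreach ($e in $entries) {
        $name = Resolve-Principal $e
        $hit  = if ($name -ieq $User) { '  <-- matches the user under test' } else { '' }
        Write-Host ("  {0}{1}" -f $name, $hit)
    }
}

# The user can also be hit through a group. Compare the lists above against the
# groups in the user's token: run "whoami /groups" while logged on as that user,
# or, with the ActiveDirectory module installed:
#   Get-ADPrincipalGroupMembership -Identity ($User.Split('\')[1]) | Select-Object Name
```

Because the local policy only shows what is effective after Group Policy has applied, a clean local export with a still-denied user points at a GPO linked to the server's OU; `gpresult /scope computer /v` on the server lists which GPO last wrote each user right.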
 
ZnalostCommented:
Hi crescendo,
Any luck? Let me know.
     Znalost
0
 
crescendoAuthor Commented:
Znalost:

Sorry for the delay in getting back, I have only just gone back on site. The policies have no settings, i.e. no one is denied access.

Also, I set the user's group membership to be exactly the same as another user's, still no joy, but the other user works fine.
0
 
crescendoAuthor Commented:
A bit more info, when I try to access the weird computer in Windows Explorer, I get Event ID 4, a Kerberos KRB_AP_ERR_MODIFIED error. The text isn't very helpful, says I have accounts in the local and target domains with the same name, but I can't see any duplicates.
0
 
ZnalostCommented:
Crescendo,
What is the username and domainname for the problematic useraccount (read it from the logon screen you receive after the computer boots or after CTRL+Alt+DEL)? What is the domainname for the administrator account you have successfully used?
0
 
crescendoAuthor Commented:
Both are same domain, NMS. So user is NMS\AP and admin is NMS\Administrator. Computer is APSAM.
0
 
crescendoAuthor Commented:
Error message from system event log is:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server APSAM$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DEV.SOMEWHERE.CO.UK), and the client realm. Please contact your system administrator.
0
 
ZnalostCommented:
OK, it looks like there is a problem with computer accounts.
Is the APSAM name of the problematic desktop or server?
What is the name of the other one (desktop or server)?

In any case, I would remove the computer from the domain (done locally on the computer/desktop; a reboot is necessary), then delete the computer account from Active Directory, then change the computer name (if possible, and probably only for the desktop, not the server) and then join the computer to the domain again. Make sure that the computer doesn't have any encrypted files/folders before you remove it from the domain!!!
0
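KRB_AP_ERR_MODIFIED means the client presented a service ticket that the target could not decrypt with its own key: the KDC issued the ticket for one account (because of a duplicate SPN, a stale or duplicate computer object, or a DNS name that resolves to a different host) and the machine that actually answered holds a different machine-account password. That is why the error is logged against the notebook's own account, APSAM$, and why Znalost's rejoin advice targets the computer account rather than the user. The checks and the repair are collected below as an added example; it is not code from the original thread or from either participant. It assumes a modern Windows client with PowerShell, setspn.exe, klist.exe and nltest.exe (all shipped with Windows or RSAT), the ActiveDirectory module for the AD cmdlets, and the names the thread gives: notebook APSAM, server DEV1, domain NMS with DNS name dev.somewhere.co.uk.

```powershell
# Added example (not from the original thread): the checks behind a KRB_AP_ERR_MODIFIED
# diagnosis, followed by the two repair options (in-place machine password reset, or the
# full leave / delete / rejoin the thread describes). Run elevated on the client.
# Names below are taken from the thread; the DNS suffix is the realm from the event text.
param(
    [string]$Client = 'APSAM',
    [string]$Server = 'DEV1',
    [string]$Domain = 'dev.somewhere.co.uk',
    [switch]$Repair,                 # reset this machine's account password in place
    [switch]$Rejoin,                 # leave, delete the AD object, and rejoin
    [string]$NewName = ''            # optional new computer name when rejoining
)

Write-Host "== 1. Duplicate SPNs in the forest (two accounts claiming HOST/$Client etc.)"
setspn.exe -X -P                     # -P: no progress output

Write-Host "`n== 2. Which account owns each host's SPNs"
foreach ($h in $Client, $Server) { setspn.exe -L $h }

Write-Host "`n== 3. Does the server name resolve to the host we expect?"
# A stale A record pointing DEV1 at another machine yields exactly this error.
Resolve-DnsName -Name "$Server.$Domain" -Type A | Format-Table Name, IPAddress

Write-Host "`n== 4. Computer objects with the same name or SAM account name in AD"
Get-ADComputer -LDAPFilter "(|(cn=$Client)(sAMAccountName=$Client`$)(cn=$Server))" `
    -Properties servicePrincipalName, pwdLastSet, DistinguishedName |
    Select-Object Name, DistinguishedName, @{n='pwdLastSet';e={[DateTime]::FromFileTime($_.pwdLastSet)}}

Write-Host "`n== 5. Tickets the client currently holds for the server"
klist.exe get "cifs/$Server.$Domain" | Out-Null
klist.exe | Select-String -Pattern 'Server:|KerbTicket'

Write-Host "`n== 6. Is this client's secure channel (machine password) valid?"
nltest.exe /sc_verify:$Domain
$ok = Test-ComputerSecureChannel -Verbose
Write-Host "Secure channel OK: $ok"

if ($Repair) {
    # Cheapest fix: new machine password negotiated with a DC, no rejoin, no reboot.
    $cred = Get-Credential -Message "Domain admin for $Domain"
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
}

if ($Rejoin) {
    # The thread's procedure. Delete the AD object between leaving and joining so the
    # new join cannot inherit the stale object, and pick a new name to avoid any
    # cached SPN or DNS entry tied to the old one. Back up EFS keys first (see thread).
    $cred = Get-Credential -Message "Domain admin for $Domain"
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force
    Remove-ADComputer -Identity $Client -Credential $cred -Confirm:$false
    $joinArgs = @{ DomainName = $Domain; Credential = $cred; Force = $true; Restart = $true }
    if ($NewName) { $joinArgs.NewName = $NewName }
    Add-Computer @joinArgs
}
```

Step 4 is the one that explains the thread's dead end: leaving and rejoining without deleting the old object (what crescendo reports having done first) reuses that object, so a second account with the same SPN elsewhere in the forest, or a DNS record for the old name, survives the rejoin. Run the read-only steps first and only pass -Repair or -Rejoin once they show where the mismatch is.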
 
crescendoAuthor Commented:
APSAM is the desktop, the server is DEV1.

We've already left and re-joined the domain, but I didn't delete the computer account from AD. I'll try what you say.

Thanks
0
 
crescendoAuthor Commented:
No joy renaming.
0
 
ZnalostCommented:
I have just reviewed what we have done so far.
We have new computer account for the affected desktop.
Can the affected user account logon to a different computer (desktop/notebook) than the affected notebook and access shares of the affected server?
0
 
crescendoAuthor Commented:
Znalost:

Yes, the user can go to a different machine and see the shares OK, it's just the one notebook that has a problem.
0
 
ZnalostCommented:
Hi crescendo,
Looking at the history of the case and time spent on your side on this issue I would opt for complete reinstallation of the notebook (using different name to be on the safe side) if access to shares on the server from the notebook is necessary for the user.
Sorry I couldn't help more but certain issues are hard to troubleshoot remotely.
Good luck
             Znalost
0
 
crescendoAuthor Commented:
I think you're right. Didn't want to do that as there are a lot of apps, but I'll leave the decision up to the user. He will be without the notebook for a while, so that will test how important the share access is.

Thanks for your help.
0
