RegProctor
asked on
Accessing Clients through Active Directory Denied
Hello,
I have a Windows 2000 server with AD & DNS set up on it.
I have a client computer that logs onto the domain of the server computer.
When I go to "A. D. Users and Computers/Computers" I see my client computer. I then right-click on it and select manage and then up comes the management console for the client.
I want to set a share on the client from this point so I click on shares. Then the message "Error 5: Access is Denied" comes up. I have no idea why.
When I click on other parts of the management console similar things happen. For example, when I clicked on "System Summary" I got: "The connection to WS1 could not be established" which I find strange given that the client is logged onto the domain at the time.
I've only just set up this A.D. so I am a newbie. Below is the output from the security analysis:
Any help greatly appreciated.
View Log File
-------------------------------------------
08/12/2007 19:17:15
----Analysis engine is initialized successfully.----
----Reading Configuration info...
----Analyze User Rights...
Analyze SeNetworkLogonRight.
Mismatch - SeNetworkLogonRight.
Analyze SeTcbPrivilege.
Analyze SeMachineAccountPrivilege.
Analyze SeBackupPrivilege.
Analyze SeChangeNotifyPrivilege.
Not Configured - SeChangeNotifyPrivilege.
Analyze SeSystemtimePrivilege.
Analyze SeCreatePagefilePrivilege.
Analyze SeCreateTokenPrivilege.
Analyze SeCreatePermanentPrivilege.
Analyze SeDebugPrivilege.
Analyze SeRemoteShutdownPrivilege.
Analyze SeAuditPrivilege.
Analyze SeIncreaseQuotaPrivilege.
Analyze SeIncreaseBasePriorityPrivilege.
Analyze SeLoadDriverPrivilege.
Analyze SeLockMemoryPrivilege.
Not Configured - SeLockMemoryPrivilege.
Analyze SeBatchLogonRight.
Mismatch - SeBatchLogonRight.
Analyze SeServiceLogonRight.
Not Configured - SeServiceLogonRight.
Analyze SeInteractiveLogonRight.
Not Configured - SeInteractiveLogonRight.
Analyze SeSecurityPrivilege.
Analyze SeSystemEnvironmentPrivilege.
Analyze SeProfileSingleProcessPrivilege.
Analyze SeSystemProfilePrivilege.
Analyze SeAssignPrimaryTokenPrivilege.
Analyze SeRestorePrivilege.
Analyze SeShutdownPrivilege.
Not Configured - SeShutdownPrivilege.
Analyze SeTakeOwnershipPrivilege.
Analyze SeDenyNetworkLogonRight.
Not Configured - SeDenyNetworkLogonRight.
Analyze SeDenyBatchLogonRight.
Not Configured - SeDenyBatchLogonRight.
Analyze SeDenyServiceLogonRight.
Not Configured - SeDenyServiceLogonRight.
Analyze SeDenyInteractiveLogonRight.
Not Configured - SeDenyInteractiveLogonRight.
Analyze SeUndockPrivilege.
Not Configured - SeUndockPrivilege.
Analyze SeSyncAgentPrivilege.
Not Configured - SeSyncAgentPrivilege.
Analyze SeEnableDelegationPrivilege.
Not Configured - SeEnableDelegationPrivilege.
Analyze SeImpersonatePrivilege.
Not Configured - SeImpersonatePrivilege.
Analyze SeCreateGlobalPrivilege.
User Rights analysis completed successfully.
----Reading Configuration info...
----Analyze Group Membership...
Analyze Pre-Windows 2000 Compatible Access.
Not Configured - Pre-Windows 2000 Compatible Access__Members.
Analyze Print Operators.
Not Configured - *S-1-5-32-550__Members.
Analyze Account Operators.
Not Configured - *S-1-5-32-548__Members.
Analyze Server Operators.
Not Configured - *S-1-5-32-549__Members.
Analyze Replicator.
Not Configured - *S-1-5-32-552__Members.
Analyze Backup Operators.
Not Configured - *S-1-5-32-551__Members.
Analyze Guests.
Not Configured - *S-1-5-32-546__Members.
Analyze Users.
Not Configured - *S-1-5-32-545__Members.
Analyze Administrators.
Not Configured - *S-1-5-32-544__Members.
Group Membership analysis completed successfully.
----Reading Configuration info...
----Analyze Registry Keys...
Not Configured - CLASSES_ROOT.
Not Configured - users.
Not Configured - users\.default\software\microsoft\protected storage system provider.
0 mismatches are found under users.
Not Configured - machine.
Mismatch - machine\software\microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{3CE5891C-0268-4DA9-BFBE-F81CF6EAE7E3}.
Not Configured - machine\software\microsoft\protected storage system provider.
Not Configured - machine\software\microsoft\windows\currentversion\group policy.
Not Configured - machine\software\microsoft\windows\currentversion\installer.
Not Configured - machine\software\microsoft\windows\currentversion\policies.
Mismatch - machine\software\microsoft\windows nt\currentversion\Print\Printers.
Not Configured - machine\software\microsoft\windows nt\currentversion\perflib\009.
Not Configured - machine\software\microsoft\windows nt\currentversion\profilelist.
Mismatch - machine\software\policies.
Mismatch - machine\system\RAdmin\v2.0\Server\iplist.
Mismatch - machine\system\RAdmin\v2.0\Server\NtUsers.
Mismatch - machine\system\RAdmin\v2.0\Server\Parameters.
Not Configured - machine\system\clone.
Not Configured - machine\system\controlset001.
Not Configured - machine\system\controlset002.
Not Configured - machine\system\controlset003.
Not Configured - machine\system\controlset004.
Not Configured - machine\system\controlset005.
Not Configured - machine\system\controlset006.
Not Configured - machine\system\controlset007.
Not Configured - machine\system\controlset008.
Not Configured - machine\system\controlset009.
Not Configured - machine\system\controlset010.
Mismatch - machine\system\currentcontrolset\control\NetworkProvider\HwOrder.
Mismatch - machine\system\currentcontrolset\control\ServiceCurrent.
Not Configured - machine\system\currentcontrolset\control\class.
Not Configured - machine\system\currentcontrolset\enum.
Not Configured - machine\system\currentcontrolset\hardware profiles.
8 mismatches are found under machine.
Registry keys analysis completed successfully.
----Reading Configuration info...
----Analyze File Security...
Not Configured - F:.
Not Configured - c:\.
Warning 2: The system cannot find the file specified.
Error querying security of c:\ntbootdd.sys.
Not Available - c:\ntbootdd.sys.
Mismatch - c:\winnt\ntfrs.
Mismatch - c:\winnt\SYSVOL\staging\domain.
Mismatch - c:\winnt\debug\NtFrs_0002.log.
Mismatch - c:\winnt\debug\NtFrs_0003.log.
Mismatch - c:\winnt\debug\NtFrs_0004.log.
Mismatch - c:\winnt\debug\NtFrs_0005.log.
Not Configured - c:\winnt\installer.
Not Configured - c:\winnt\profiles.
Mismatch - c:\winnt\security\Database\secedit.sdb.
Mismatch - c:\winnt\system32\inetsrv\MetaBase.bin.
Not Configured - c:\winnt\system32\ntmsdata.
Not Configured - c:\winnt\tasks.
8 mismatches are found under c:\.
File security analysis completed successfully.
----Analyze General Service Settings...
Analyze WZCSVC.
Not Configured - WZCSVC.
Analyze wuauserv.
Not Configured - wuauserv.
Analyze Wmi.
Not Configured - Wmi.
Analyze WMDM PMSP Service.
Not Configured - WMDM PMSP Service.
Analyze WINS.
Not Configured - WINS.
Analyze WinMgmt.
Not Configured - WinMgmt.
Analyze WinMBR.
Not Configured - WinMBR.
Analyze W3SVC.
Not Configured - W3SVC.
Analyze W32Time.
Not Configured - W32Time.
Analyze UtilMan.
Not Configured - UtilMan.
Analyze UPS.
Not Configured - UPS.
Analyze TrkWks.
Not Configured - TrkWks.
Analyze TrkSvr.
Not Configured - TrkSvr.
Analyze TlntSvr.
Not Configured - TlntSvr.
Analyze TermService.
Not Configured - TermService.
Analyze TapiSrv.
Not Configured - TapiSrv.
Analyze SysmonLog.
Not Configured - SysmonLog.
Analyze StiSvc.
Not Configured - StiSvc.
Analyze Spooler.
Not Configured - Spooler.
Analyze SNMPTRAP.
Not Configured - SNMPTRAP.
Analyze SNMP.
Not Configured - SNMP.
Analyze SMTPSVC.
Not Configured - SMTPSVC.
Analyze SimpTcp.
Not Configured - SimpTcp.
Analyze SharedAccess.
Not Configured - SharedAccess.
Analyze SENS.
Not Configured - SENS.
Analyze seclogon.
Not Configured - seclogon.
Analyze Schedule.
Not Configured - Schedule.
Analyze SCardSvr.
Not Configured - SCardSvr.
Analyze SCardDrv.
Not Configured - SCardDrv.
Analyze SamSs.
Not Configured - SamSs.
Analyze r_server.
Not Configured - r_server.
Analyze RSVP.
Not Configured - RSVP.
Analyze RpcSs.
Not Configured - RpcSs.
Analyze RpcLocator.
Not Configured - RpcLocator.
Analyze RemoteRegistry.
Not Configured - RemoteRegistry.
Analyze RemoteAccess.
Not Configured - RemoteAccess.
Analyze RasMan.
Not Configured - RasMan.
Analyze RasAuto.
Not Configured - RasAuto.
Analyze ProtectedStorage.
Not Configured - ProtectedStorage.
Analyze PolicyAgent.
Not Configured - PolicyAgent.
Analyze PlugPlay.
Not Configured - PlugPlay.
Analyze NtmsSvc.
Not Configured - NtmsSvc.
Analyze NtLmSsp.
Not Configured - NtLmSsp.
Analyze NtFrs.
Not Configured - NtFrs.
Analyze NntpSvc.
Not Configured - NntpSvc.
Analyze Netman.
Not Configured - Netman.
Analyze Netlogon.
Not Configured - Netlogon.
Analyze NetDDEdsdm.
Not Configured - NetDDEdsdm.
Analyze NetDDE.
Not Configured - NetDDE.
Analyze MySQL.
Not Configured - MySQL.
Analyze MSIServer.
Not Configured - MSIServer.
Analyze MSFTPSVC.
Not Configured - MSFTPSVC.
Analyze MSDTC.
Not Configured - MSDTC.
Analyze mnmsrvc.
Not Configured - mnmsrvc.
Analyze Messenger.
Not Configured - Messenger.
Analyze LmHosts.
Not Configured - LmHosts.
Analyze LicenseService.
Not Configured - LicenseService.
Analyze LDAPSVCX.
Not Configured - LDAPSVCX.
Analyze lanmanworkstation.
Not Configured - lanmanworkstation.
Analyze lanmanserver.
Not Configured - lanmanserver.
Analyze kdc.
Not Configured - kdc.
Analyze IsmServ.
Not Configured - IsmServ.
Analyze IISADMIN.
Not Configured - IISADMIN.
Analyze IAS.
Not Configured - IAS.
Analyze Fax.
Not Configured - Fax.
Analyze EventSystem.
Not Configured - EventSystem.
Analyze Eventlog.
Not Configured - Eventlog.
Analyze Dnscache.
Not Configured - Dnscache.
Analyze DNS.
Not Configured - DNS.
Analyze dmserver.
Not Configured - dmserver.
Analyze dmadmin.
Not Configured - dmadmin.
Analyze Dhcp.
Not Configured - Dhcp.
Analyze Dfs.
Not Configured - Dfs.
Analyze clr_optimization_v2.0.50727_32.
Not Configured - clr_optimization_v2.0.50727_32.
Analyze ClipSrv.
Not Configured - ClipSrv.
Analyze cisvc.
Not Configured - cisvc.
Analyze Browser.
Not Configured - Browser.
Analyze brmfrmps.
Not Configured - brmfrmps.
Analyze brmfbags.
Not Configured - brmfbags.
Analyze BITS.
Not Configured - BITS.
Analyze aspnet_state.
Not Configured - aspnet_state.
Analyze AppMgmt.
Not Configured - AppMgmt.
Analyze Alerter.
Not Configured - Alerter.
Analyze Adobe LM Service.
Not Configured - Adobe LM Service.
General Service analysis completed successfully.
----Analyze available attachment engines...
Load attachment LanManServer.
LanManServer: Query configuration information
Attachment engines analysis completed successfully.
----Reading Configuration info...
----Analyze Security Policy...
Mismatch - MaximumPasswordAge.
Mismatch - MinimumPasswordAge.
Analyze password information.
Analyze account lockout information.
Mismatch - ForceLogOffWhenHourExpire.
Analyze account force logoff information.
Not Configured - NewAdministratorName.
Warning 5: Access is denied.
Error analyzing guest account.
Not Available - SecureSystemPartition.
System Access analysis completed with error.
Analyze log settings.
Not Configured - AuditSystemEvents.
Analyze event audit settings.
Not Configured - CrashOnAuditFull.
Audit/Log analysis completed successfully.
Mismatch - MaxTicketAge.
Mismatch - MaxServiceAge.
Mismatch - TicketValidateClient.
Analyze kerberos policy.
Kerberos policy analysis completed successfully.
Analyze machine\software\microsoft\driver signing\policy.
Mismatch - machine\software\microsoft\driver signing\policy.
Analyze machine\software\microsoft\non-driver signing\policy.
Mismatch - machine\software\microsoft\non-driver signing\policy.
Analyze machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel.
Analyze machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand.
Mismatch - machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms.
Mismatch - machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount.
Mismatch - machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
Mismatch - machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
Analyze machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption.
Analyze machine\software\microsoft\windows\currentversion\policies\system\disablecad.
Mismatch - machine\software\microsoft\windows\currentversion\policies\system\disablecad.
Analyze machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
Mismatch - machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
Analyze machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
Mismatch - machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
Analyze machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
Mismatch - machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
Analyze machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon.
Analyze machine\system\currentcontrolset\control\lsa\auditbaseobjects.
Analyze machine\system\currentcontrolset\control\lsa\crashonauditfail.
Analyze machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Mismatch - machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
Analyze machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Mismatch - machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
Analyze machine\system\currentcontrolset\control\lsa\restrictanonymous.
Mismatch - machine\system\currentcontrolset\control\lsa\restrictanonymous.
Analyze machine\system\currentcontrolset\control\lsa\submitcontrol.
Analyze machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
Mismatch - machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
Analyze machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
Mismatch - machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
Analyze machine\system\currentcontrolset\control\session manager\protectionmode.
Analyze machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect.
Mismatch - machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect.
Analyze machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff.
Mismatch - machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff.
Analyze machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
Analyze machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Mismatch - machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Analyze machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword.
Analyze machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.
Analyze machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature.
Mismatch - machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange.
Mismatch - machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel.
Mismatch - machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel.
Analyze machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel.
Mismatch - machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel.
Registry values analysis completed successfully.
----Analyze available attachment engines...
Attachment engines analysis completed successfully.
----Un-initialize analysis engine...
Warning 5: Access is denied.
Error occurs.
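A triage parser for the security analysis log in the question above, added here as an example (it is not part of the original thread): it groups the log by its `----` sections and pulls out each `Warning 5: Access is denied` entry together with the operation that failed. The sample input is an excerpt of the posted log; the function names are illustrative.

```python
import re

# Excerpt of the analysis log from the post above (wrap spaces removed).
SAMPLE_LOG = r"""----Analyze User Rights...
Analyze SeNetworkLogonRight.
Mismatch - SeNetworkLogonRight.
Analyze SeChangeNotifyPrivilege.
Not Configured - SeChangeNotifyPrivilege.
Analyze SeBatchLogonRight.
Mismatch - SeBatchLogonRight.
User Rights analysis completed successfully.
----Reading Configuration info...
----Analyze File Security...
Warning 2: The system cannot find the file specified.
Error querying security of c:\ntbootdd.sys.
Not Available - c:\ntbootdd.sys.
Mismatch - c:\winnt\ntfrs.
File security analysis completed successfully.
----Reading Configuration info...
----Analyze Security Policy...
Mismatch - MaximumPasswordAge.
Not Configured - NewAdministratorName.
Warning 5: Access is denied.
Error analyzing guest account.
System Access analysis completed with error.
Mismatch - MaxTicketAge.
Kerberos policy analysis completed successfully.
----Un-initialize analysis engine...
Warning 5: Access is denied.
Error occurs.
"""

SECTION = re.compile(r"^----(.+?)\.\.\.$")
FINDING = re.compile(r"^(Mismatch|Not Configured|Not Available) - (.+?)\.?$")
WARNING = re.compile(r"^Warning (\d+): (.+?)\.?$")
DONE = re.compile(r"^(.+?) analysis completed (successfully|with error)\.$")


def parse_analysis_log(text):
    """Group the log into its '----...' sections with findings and warnings."""
    sections, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            pending = None
            # "Reading Configuration info" only precedes the real section.
            if header.group(1) != "Reading Configuration info":
                current = {"name": header.group(1), "findings": {},
                           "warnings": [], "failed": []}
                sections.append(current)
            continue
        if current is None or not line:
            continue
        # The line after a "Warning N:" says which operation failed.
        if pending is not None and line.startswith("Error"):
            pending["context"] = line.rstrip(".")
            pending = None
            continue
        pending = None
        warning = WARNING.match(line)
        if warning:
            pending = {"code": int(warning.group(1)),
                       "message": warning.group(2), "context": None}
            current["warnings"].append(pending)
            continue
        finding = FINDING.match(line)
        if finding:
            kind, item = finding.groups()
            current["findings"].setdefault(kind, []).append(item)
            continue
        done = DONE.match(line)
        if done and done.group(2) == "with error":
            current["failed"].append(done.group(1))
    return sections


def access_denied(sections):
    """(section, failed operation) for every Warning 5 (ERROR_ACCESS_DENIED)."""
    return [(s["name"], w["context"]) for s in sections
            for w in s["warnings"] if w["code"] == 5]


def mismatch_counts(sections):
    """Number of 'Mismatch' findings per section."""
    return {s["name"]: len(s["findings"].get("Mismatch", [])) for s in sections}


if __name__ == "__main__":
    parsed = parse_analysis_log(SAMPLE_LOG)
    for section, operation in access_denied(parsed):
        print(f"access denied in [{section}]: {operation}")
    for section, count in mismatch_counts(parsed).items():
        print(f"{count:3d} mismatches  {section}")
```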
ASKER
The client is XP Professional. I've just turned off its firewall, which is just Windows' built-in firewall; no change.
Try logging onto the XP client as the domain administrator. Then run compmgmt.msc on the client and see if you can add the share.
ASKER
I am logged onto the client as a domain administrator. I can add a share. However, the available permissions are very basic, just Admin, User and two others. All the available users you see on the domain controller are certainly not available.
For the short term, just so I can continue to use my network and get work done, I have set the client back to Simple File Sharing until I figure this out.
Are you accessing this computer from a computer logged in as a user in the Domain Administrators group?
Is this computer in the same domain as the logged on user?
ASKER
The server is a domain server.
The client is XP Pro.
The client is logged onto the domain
I have only one domain, and two computers - a server and a client.
When I logged the client onto the domain, I used the main admin. for the network. This account is a member of every account there is.
When I logged onto the server, I logged on with the same account.
This means, on both the server and the client, the account being used is the domain user account with every right that there is.
On the server, I made the client computer, like the main user account, a member of every account there is so the client computer shouldn't have any restrictions on it either.
While on the client, it seems so far that I can do everything that I can normally do as if I was logged onto it locally as an administrator such as create shares. However, I cannot manage the client from the server.
You only have to make the user a member of "Domain Admins" on the server in Active Directory.
Check on the client computer that "Domain Admins" is a member of the local Administrators group
FYI - The computer does not need to be a member of any groups other than Domain Computers. All the permissions required to do what you are trying are related to the user and not the computer.
ASKER
Ok, the computer is just a member of Domain Computers now.
Locally, the only Users available are Administrator, Guest, HelpAssistant, Reg (this is me), and SUPPORT_388945a0.
Out of these, HelpAssistant and SUPPORT_388945a0 have crosses indicating they are disabled.
The Groups available are:
Administrators, Backup Operators, Guests, Network Configuration Operators, Power Users, Remote Desktop Users, Replicator, Users, HelpServicesGroup and 3 for SQLServer2005.
I cannot find a domain admin. anywhere. I even went to:
New Group:Add:Advanced:Find Now and looked through the list of all the found accounts.
ASKER
Here's some more information which gives a clue but I am still not sure where to look:
I can ping the server by name from the client
I can ping the client by name from the server
I cannot manage the client by name from the server, BUT, I can manage the client by IP address from the server.
I checked the NetBIOS setting in the server and it is set to "Enable NetBIOS over IP".
ASKER
Another check, the system is running in mixed mode.
If you can manage the client by its IP but not by its name then you are having a DNS issue.
Do you have DNS installed on the server?
If DNS is installed, is there a forward lookup zone with the same name as your domain?
Is the client set up to use the server as its primary DNS server in TCP/IP settings?
Is the server set up to use itself as the primary DNS server in TCP/IP settings?
Domain Admins is a group in Active Directory, not a local group on the PC. The Domain Admins group gets added to the local Administrator's group on the client when you join it to the domain. The account you use to manage should be an Active Directory account and be a member of Domain Admins.
ASKER
I've been looking into the DNS, here's what I can tell you:
On the client I can do a NSLookup of the server 192.168.17.151 just fine.
On the server I can do a NSLookup of the client 192.168.17.152 just fine.
A. D. is in Mixed Mode.
The DNS server is the same machine as the server (domain controller) 192.168.17.151.
And from above just so all the checks are in one place:
I can ping the server [dc1] by name from the client
I can ping the client [ws1] by name from the server
I checked the NetBIOS setting in the server and it is set to "Enable NetBIOS over IP".
So I agree, it looks like a DNS issue, but I don't know what else to check; both lookup and reverse lookup seem to be fine from both the client and the server.
This is a very strange issue unless I'm missing something. Try to do an
ipconfig /flushdns
from the server, and
ipconfig /flushdns
ipconfig /registerdns
from the client. I know you said NSLookup works but something weird is definitely going on here.
Mixed mode should have nothing to do with this issue.
ASKER
Well, that's interesting. I now get errors from the client (dc1=server, ws1=client):
>nslookup 192.168.17.152
*** Can't find server name for address 192.168.17.1: Non-existent domain
Server: dc1.capio.net
Address: 192.168.17.151
*** dc1.capio.net can't find 192.168.17.152: Non-existent domain
>nslookup 192.168.17.151
*** Can't find server name for address 192.168.17.1: Non-existent domain
Server: dc1.capio.net
Address: 192.168.17.151
Name: dc1.capio.net
Address: 192.168.17.151
192.168.17.1 = my router and therefore shouldn't have a computer name. The way the DNS is set up is for the client to look on my DNS server and then if that can't find it then the DNS server forwards the request to the internet, i.e.: my router.
I'll post the results from doing the same on the server in just a moment.
ASKER
I just pinged 192.168.17.151 and 192.168.17.152 from both the server and the client. In each case there was no problem. In short, now NSLookup has problems but Ping doesn't. Previously, NSLookup was fine as well.
Results from server:
>nslookup 192.168.17.152
Server: dc1.capio.net
Address: 192.168.17.151
*** dc1.capio.net can't find 192.168.17.152: Non-existent domain
>nslookup 192.168.17.151
Server: dc1.capio.net
Address: 192.168.17.151
Name: dc1.capio.net
Address: 192.168.17.151
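The two transcripts above mix messages about the resolver itself with the result of the query, which makes them easy to misread. The following is an added example, not part of the original posts: a small parser that separates the two. The function names are hypothetical, and the reading of the "Can't find server name for address" line (a configured DNS server that nslookup tried first and could not reverse-resolve) is an assumption based on standard nslookup start-up behaviour.

```python
import re

# Sample input: nslookup output as quoted in the thread (dc1 = DNS server, ws1 = client).
CLIENT_OUTPUT = """\
*** Can't find server name for address 192.168.17.1: Non-existent domain
Server: dc1.capio.net
Address: 192.168.17.151
*** dc1.capio.net can't find 192.168.17.152: Non-existent domain
"""
SERVER_OUTPUT = """\
Server: dc1.capio.net
Address: 192.168.17.151
Name: dc1.capio.net
Address: 192.168.17.151
"""

def parse_nslookup(text):
    """Separate resolver start-up messages from the result of the query itself."""
    out = {"unnamed_resolvers": [], "server": None, "server_addr": None,
           "answer_name": None, "answer_addr": None, "failed_query": None}
    section = "server"
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"\*\*\* Can't find server name for address (\S+): (.+)", line)
        if m:  # assumption: a configured DNS server that could not be reverse-resolved
            out["unnamed_resolvers"].append(m.group(1))
            continue
        m = re.match(r"\*\*\* (\S+) can't find (\S+): (.+)", line)
        if m:  # the lookup that was actually requested failed
            out["failed_query"] = (m.group(2), m.group(3))
            continue
        m = re.match(r"(Server|Name|Address):\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Server":
            out["server"], section = value, "server"
        elif key == "Name":
            out["answer_name"], section = value, "answer"
        else:  # an Address line belongs to whichever block it follows
            out["server_addr" if section == "server" else "answer_addr"] = value
    return out

def findings(parsed):
    """Turn a parsed transcript into one line per distinct problem."""
    notes = [f"DNS server {a} was tried before {parsed['server_addr']} and has no PTR record"
             for a in parsed["unnamed_resolvers"]]
    if parsed["failed_query"]:
        target, reason = parsed["failed_query"]
        kind = "reverse (PTR)" if re.fullmatch(r"[0-9.]+", target) else "forward (A)"
        notes.append(f"{kind} lookup of {target} failed on {parsed['server']}: {reason}")
    return notes
```

Run on the client transcript, `findings(parse_nslookup(CLIENT_OUTPUT))` reports two separate issues: the router address appearing in the client's DNS server list, and the missing PTR record for 192.168.17.152.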
ASKER
Added the PTR record back into the Reverse lookup records and the NSLookup worked again. However, I don't know if I also need SOA and NS records, which also exist for the dc1 computer.
ASKER
I should mention, still the same problem.
ASKER
This DNS flushing has also changed the behavior of logging onto the client with an IP and I think it's getting to the heart of the matter. Now, I get this error when trying to log on with the IP (before it just logged on):
----------------------------------
You are logged on with an account that does not have access to: 192.168.17.152
Enter name and password of account with permissions...
----------------------------------
But here's what I don't get. I am logged into the server with the account with the most permissions. If this account doesn't have access nothing should. I am also logged into the client with the same account. So why can't I remote log into and administer the client with this account?
ASKER
I just checked, the user I am logging on with is set to "All Computers". Also, just as a test I tried specifying dc1 & ws1 but it made no difference.
You should be using nslookup on the name
nslookup computername
or
nslookup domain.local
or
nslookup computername.domain.local
When you use nslookup on the IP you are doing what's called a reverse lookup which is used very infrequently.
ASKER
As I said, I can ping which I believe is the same as a forward lookup so I am using NSLookup to test the reverse.
ASKER
In any case I think the problem is elsewhere now.
For whatever reason once the DNS was flushed I couldn't access the ws1 machine through networking at all. That is, now if I click on it in network neighborhood I am given an access denied error.
I think this was always the underlying problem but for some reason without flushing the DNS it didn't show up.
Ping will fail over to NetBIOS if a DNS lookup fails.
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
Also, check the client firewall settings. Turn it off for testing if you can isolate your network from your Internet connection.