tgrizzel
Cannot access C$ or Admin$ on some computers but can on others.
Cannot access C$ or Admin$ on some computers but can on others. All computers are part of the same domain, same OU, same GP's. Some computers are XP and some are Vista, however I have had success and problems on both OS's. All users' computers are configured the same, and I am logged in from the DC trying to run: \\<computer name>\C$ .... some will work and others will not. Again, the PC's should be configured the same, the firewalls are completely off, no antivirus (this issue spawned from trying to install Symantec Endpoint clients from the deployment wizard to all computers), Windows Defender is off, Network Discovery is on (on Vista machines), Simple File Sharing is off.
I am a local admin by being a member of Domain Admin, which is set as an admin on every local computer.
Any thoughts?
I had this issue with Symantec Endpoint Protection when it was first released. I had to uninstall it and reinstall it to get it to shake loose. It may say off, but it still blocks stuff. Make sure that the check boxes under network threat protection are all unchecked as well. This will help you to diagnose it.
ASKER
Actually I should clarify a bit more:
I have been using Symantec just fine with local installs up until this point. I have now manually removed the clients and I am trying to deploy them via an antivirus server that I have set up. I began running into a few problems deploying the clients via the new server, and after hours of being on the phone with tech support (Symantec) I have gotten nowhere.
It seems to me that the issue doesn't actually reside in the Symantec software but rather my network: on the computers that I was able to push the client to, I can open up Run and type \\<computer name>\C$ and I can access this folder, however in the same session I cannot access other members' computers in my domain with the same exact command. These also happen to be the same computers that I cannot push the client to.
FYI, as you can probably tell, this is all part of a domain, not a workgroup or anything.
Now the ones you cannot get to can you at least ping the workstation?
ASKER
Yes, I can ping them. I have also logged on locally to their machines, and verified that the local admin includes the domain admin.
With any 2 XP machines, one that can connect and one that cannot, are they physically in the same location, meaning the same segment on the network?
ASKER
They are physically in the same building, same floor, same dang firewalls and hubs. I cannot understand this issue at all... it seems as though permissions are getting lost on some computers, however I have run gpupdate /force on all computers involved to confirm consistency.
This is nuts!!!
Try this out: disconnect it from the domain, reboot, then reattach it to the domain and try it again.
ASKER
I will try this in a bit and let you know what I find. I had thought about this as well....I will also 'reset' the computer's account within the AD to ensure that it joins back into the domain correctly.
Cool...Post with the results
I just had a similar issue that I had to fix today. Take a look here and please at least read the first few sections to get an understanding of why this was the issue. Strange, but it worked for me. The first article links to the second. Please go to link 1 first.
http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216494948?Open&docid=2007102613484948&nsf=ent-security.nsf&view=docid
You have one of two issues, in my opinion:
1) Connecting through shares using the UNC path is the master browser's responsibility.
2) Also, Internet Explorer Enhanced Security may prevent you from accessing Operating system intrusive files from remote locations: These files include, but are not limited to (*.EXE, *.REG, *.MSI)
Deciphering between the two is in the syntax of the error: Please look at the error and decide which issue you have:
1) https://www.experts-exchange.com/questions/23463433/domain-is-not-accessible-you-may-not-have-permission-to.html
2) https://www.experts-exchange.com/questions/23351830/Admin-Permission-issue.html
Let me know what problem you have and we can fix it.
ASKER
This problem is on hold until tomorrow as we had some major network issues today... I'll get back to both of you and let you know where we are at....thanks for the info.
ASKER
Cheif,
I looked at both of these briefly, however I am not sure that either of these would be my issue....
We are not using Netbios for any of this, we are not going through 'network places'. Also, firewalls are completely off, there are no ports to allow.
I am not trying to install or copy anything to these shared drives....only access C$ and Admin$ which should be accessible to any domain admin. This would rule out the IE security blocks.
Thanks for the reply, let me know if I am misunderstanding your answers.
Travis
ASKER CERTIFIED SOLUTION
ASKER
Cheif,
I read through this article and took the following steps:
Changed my WINS server from running on my secondary DC to running on the PDC. Set the correct WINS server in DHCP and on the client updated this information via ipconfig /renew. I also ensured to uncheck "enable lmhost lookup" on the client, and selected "enable Net Bios Over TCP/IP". Browser services are started on all DC's as well as the client computer. Tried several times within a few hour time span and I am still unable to access the user's \\computername\c$ or admin$. I am however able to access a user's computer on the exact same network (even same 5 port hub) right now. I do not see any discrepancy in this user's network settings.
However, I am starting to agree that this is a Netbios issue. In network places or just network on Vista, the computers that I cannot push this client to (the original problem) I also cannot access their shares from here....however the ones that are successful are the ones I can push the antivirus to...also I can access their \\computername\c$. Again, same network, no VPN or diff subnets, all firewalls and old antivirus are off, network discovery and file sharing is on. I am using 2 diff computers as main testing PCs....1 is almost brand new (new hire started on Monday) and the other is a laptop that has been deployed for several months. Computer Browser is running on both of these as well.
Could I be missing something?
With the changes in WINS, you might have to refresh and repair your WINS cache. This is the netbios equivalent of DNS cache. You probably need to do this on the clients. To do this, you need a couple utilities. One is called NBTstat. The other is called Browstat.
For XP and 2003 server, these utilities are found on 2003 server support tools.
For vista, I don't know, the tools may already exist.
Go to the command prompt and type:
NBTSTAT -RR
then take a gander on what computer is listed as your master browser by typing at the command prompt:
Browstat /status
THE REST OF THIS IS JUST THEORY:
I don't know how well Vista machines work with 2003 server on the browser service. By default, the highest operating system, then holder of roles, wins the election as being the master browser. As a little troubleshooting, you might go into both the local server and client's event logs and see if you see any errors that say something like:
"ClientXXX thinks it is the master browser, the browser service on clientXXX was shut down and an election has been forced."
I think this is event 8032 and 8031
In that case, you need to make a registry edit on the "IsDomainMaster" Registry Key ON THE CLIENT. The NT4 article can help you out on that. You want the client to not think itself as a candidate for the domain master election.
If you have two operating systems competing to be the domain master, I can see your Vista client getting its browser service shut down. But, since Netbios is on, it will send out the netbios broadcast saying "I am Here". So, it will be a member of the browselist through the Netbios broadcasts, but you can't access the files because the browser service is shut down on the client.
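An added example, not posted by anyone in this thread: a PowerShell sketch that checks each layer separately (name resolution, ping, TCP 139/445, then the C$ and ADMIN$ paths) for one machine that works and one that fails, keeping the error text so the two can be compared. The computer names are placeholders and the function names are made up for this example.

```powershell
# Added example. Computer names are placeholders, not machines from the thread.
$targets = 'PC-WORKS-01', 'PC-FAILS-01'

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so an unreachable host does not block for the OS default timeout
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-ShareResult {
    param([string]$Path)
    # Keep the error text: "network path was not found" and "access is denied"
    # point at different layers of the problem.
    try {
        Get-Item -LiteralPath $Path -ErrorAction Stop | Out-Null
        return 'OK'
    } catch { return $_.Exception.Message }
}

function Test-AdminShareLayers {
    param([string]$ComputerName)
    $address = $null
    try {
        # Resolves through the system resolver, whatever name services it is configured to use
        $address = [System.Net.Dns]::GetHostAddresses($ComputerName)[0].IPAddressToString
    } catch { }
    [pscustomobject]@{
        Computer = $ComputerName
        Resolved = $address
        Ping     = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
        Tcp139   = Test-TcpPort $ComputerName 139   # NetBIOS session service
        Tcp445   = Test-TcpPort $ComputerName 445   # SMB directly over TCP
        C        = Get-ShareResult "\\$ComputerName\C$"
        Admin    = Get-ShareResult "\\$ComputerName\ADMIN$"
    }
}

$targets | ForEach-Object { Test-AdminShareLayers $_ } | Format-List
```

If port 445 connects on the failing machine but the share path still returns an error, the failure is above the network layer, and the captured message says which kind it is.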
ASKER
Still no go.
I ran nbtstat -RR and flushed the Netbios names on all computers involved - DC's and all. Also, when moving the WINS to a diff server (main PDC) I set this as the master browser via the reg key and did test to make sure that this was actually true.
I am going to take some time and think this over some more....I may jump back to mekkattiljj and try and remove and re-add these specific computer accounts into the domain.
Thanks for the continued, detailed responses....this is the first time that I feel I have received a decent lead off of this forum....for that, thank you.
You know, lately, I have had to run NBTSTAT -RR a couple times to get it to work right. I have also had to run it by just NBTSTAT -R. I don't know why it doesn't repair/refresh the netbios connection the first time.
ASKER
I would like to close this question, not that I ever got the problem fixed, but that I am no longer pursuing this. This is too much work for a simple antivirus server! I believe that CheifIT is correct and that I do have Netbios issues, although the nbtstat never ended up helping the situation.
Thanks for your help.
Hi,
Am suffering with the same issue, unable to view c$ shares on certain machines in a domain.
As with Trivious, came across this issue when attempting to remotely deploy Symantec endpoint protection.
Trivious, did you ever come across a solution?
thanks