How to  fix "Net use" in XPMode\DOS on Domain system error 5

Posted on 2014-11-03
Last Modified: 2014-11-06
I have a an old program running that requires an LPT printer. We have been using the net use command and it has worked for years.    Example: net use lpt1 \\computername\device /persistent:yes
We have Windows Server 2008 R2, Win 7 workstations running XP Mode. This week the server which had been little more than a glorified peer to peer server was converted to a active directory domain controller. This command no longer works. The startup file runs and prompts for a user and password. It doesn't matter what user/password combo that is used. Everything returns System error 5 Access denied. I have tried a standard domain user, the local pc user, and the system admin. Nothing works. I welcome suggestions to try.
Question by:jbcbussoft
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 40420607
The XP Mode system runs under a username.  I forget what it is, but essentially you need to create that username in the AD and give permissions to the printer.   I wish I had the steps I used, but it was over a year ago that I did this.  Exact same problem though.
LVL 12

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 250 total points
ID: 40420608
This problem occurs because of the default behavior of the Allow cryptography algorithms compatible with Windows NT 4.0 policy on Windows Server 2008-based domain controllers. This policy is configured to prevent Windows operating systems and third-party clients from using weak cryptography algorithms to establish NETLOGON security channels to Windows Server 2008-based domain controllers.
This is by design.

You can try the following workaround mention in TechNet or you can follow this link or see the steps below.

1.Log on to a Windows Server 2008-based domain controller.
2.Click Start, click Run, type gpmc.msc, and then click OK.
3.In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4.In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5.In the Properties dialog box, click the Enabled option, and then click OK.

Notes◦By default, the Not Configured option is set for the Allow cryptography algorithms compatible with Windows NT 4.0 policy in the following Group Policy objects (GPO):◾Default Domain Policy
◾Default Domain Controllers Policy
◾Local Computer Policy
By default, the behavior for the Allow cryptography algorithms compatible with Windows NT 4.0 policy on Windows Server 2008-based domain controllers is to programmatically prevent connections from using cryptography algorithms that are used in Windows NT 4.0. Therefore, tools that enumerate effective policy settings on a member computer or on a domain controller will not detect the Allow cryptography algorithms compatible with Windows NT 4.0 policy unless you explicitly enable or disable the policy.
◦      Windows 2000 Server-based domain controllers and Windows Server 2003-based domain controllers do not have the Allow cryptography algorithms compatible with Windows NT 4.0 policy. Therefore, pre-Windows Server 2008-based domain controllers accept security channel requests from client computers even if the client computers use the old cryptography algorithms that are used in Windows NT 4.0. If security channel requests are intermittently processed by Windows Server 2008-based domain controllers, you will experience inconsistent results.

6.Install third-party software updates that fix the problem, or remove client computers that use incompatible cryptography algorithms.
7.Repeat steps 1 through 4.
8.In the Properties dialog box, click the Disabled option, and then click OK.

And by the way did you try to run the command with elevated privileges?

Right click in cmd and then run as Administrator?

Hope it helps
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.


Author Comment

ID: 40420779
David Paris Vicente - I will try this in the morning.

jkaios - I can log in to windows without a problem. My problem is that after joining the domain the net use command returns an error. This command is issued after the system is logged into.
LVL 12

Expert Comment

ID: 40420869
The problem, as suggested by David and Bas, is authentication.  The default user that the XP Mode uses to log in to the XP Virtual Environment is NOT in your Active Directory, hence the error "access denied".

One of the tutorials I provided is to make the XP Mode log in "AS" some valid user in your AD or an Administrator that has the same password as the Administrator user in your AD.

Author Comment

ID: 40421375
jkaios - Removing XPMUser as the default user was done the day XP Mode was installed several months ago. XP Mode users were in the list of users on the server before the change to AD. They have since been elevated to domain users. In XP Mode they were the users that joined the domain. Their usernames are domain\username or username@domain so they have rights on the domain.
LVL 12

Assisted Solution

jkaios earned 250 total points
ID: 40423113
It could be that the Networking settings in your Virtual XP is set to the default Shared Networking (NAT).  If so, then try these steps on your Virtual XP:

1. log in to your Virtual XP (the default XPMUser is fine)
2. go to Tools and select Settings...
3. in the Windows XP Mode settings dialog box, click Networking
4. next to Adapter 1, select the actual network interface that is installed on your computer
5. click OK to save the changes
6. run a Command Prompt and try to ping a running PC on your network (if u see Reply from... then continue to step 7)
7. go to Computer Management -> Local Users and Groups
8. enable the built-in Administrator account
9. reset the Administrator account password to the password of your domain Administrator user
10. now try to browse any share on any computer on your network or try the NET USE command

If command completed successfully, then congratulations!
LVL 12

Accepted Solution

jkaios earned 250 total points
ID: 40423115
...forgot the additional steps...

10. log off the Virtual XP
11. log on with Administrator and your current password
12. now try to browse any share on any computer on your network or try the NET USE command

Please note that you can also join the Virtual XP to your domain if you can successfully log in with the Administrator account.

Author Comment

ID: 40423134
OK I will try these as well. I was unable to try the other suggestions today.
LVL 12

Expert Comment

ID: 40423187
I can assure you that the 12 above steps I've just posted will work.  I tried them myself.  The key was step 4 (the networking adapter setting) AND steps 8 - 12.

Author Closing Comment

ID: 40426412
Although my problem is not completely solved (yet), my question has been answered and it works. Thanks for your help.
LVL 12

Expert Comment

ID: 40427300
I don't understand: The problem is not solved, but it works?

Does the NET USE command in XP Mode now work after following my 12 steps?  Or did you try something else and what was it?

Author Comment

ID: 40427343
I typed a comment before giving points but I must have not submitted it.
I made the policy change but I was unable to use the net use command without an error. I completed the  your 12 steps and was able to issue the command while logged in as the admin but when I returned to the normal user account I was unable to print. I can't have the domain admin logged in to resolve this problem on each workstation.  David Paris Vicente had suggested I use an elevated prompt. This works but only for the current session. If I shutdown XP Mode I lose the use of 'net use' even though I had included the '/persistent:yes' switch. If I close the XP Mode session and let it hibernate I also lose the statement. So I am left with having to issue this command each morning to get this to print.

So it works but not as I need it to.
LVL 12

Expert Comment

ID: 40427466
OK point taken, thanks for clarifying.

In your XP Mode Settings, is the Undo Disks enabled or disabled?  This could cause the XP Mode to lose or not save its session data.

For my XP Mode, I closed it two days ago (so it was hibernated).  I even shut down my host Windows 7 last night before I went home.  But now as of this writing, after I ran XP Mode, all the programs I ran are still there.  The DOS command window I opened two days ago is still there in the virtual XP.  So obviously, all commands I used that day are still in effect.

Regarding the "persistent" switch in the NET USE command, I sort of recall that I used to have this kind of problem even when running on pure Windows XP machines.  We've upgraded our old DOS-based programs and no longer had to deal with the tedious NET USE LPT[n] command again, but I still remember that every morning we had to RE-run this command again on all the user workstations.  And this is why as described here;en-us;Q313644

I completely agree with you on the idea of not having to use a priveleged user (such as a domin admin) for security reason.

WORKAROUND: There are couple of methods you can use to circumvent this problem. Either one of the following can work, you don't have to do all of them.  And as usual, start with the first one first.

1. use a script (preferrably a batch file) that contains the NET USE command, and then put this file on the "Startup" folder in the XP Mode under the ALLUSERSPROFILE so that it runs for every user on that machine.

2. create a special domain user or group (with standard user privileges) and then assign that domain user/group to the local Power Users group on each XP Mode.  This helps saves the "persistent" setting.

3. change the program (if you have the original source code) to use or print to LPT2 port instead as port LPT1 is somewhat reserved by the OS or other processes as in this KB;en-us;Q313644

Author Comment

ID: 40427666
I will give this a whirl.

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question