How to  fix "Net use" in XPMode\DOS on Domain system error 5

Posted on 2014-11-03
Medium Priority
Last Modified: 2014-11-06
I have a an old program running that requires an LPT printer. We have been using the net use command and it has worked for years.    Example: net use lpt1 \\computername\device /persistent:yes
We have Windows Server 2008 R2, Win 7 workstations running XP Mode. This week the server which had been little more than a glorified peer to peer server was converted to a active directory domain controller. This command no longer works. The startup file runs and prompts for a user and password. It doesn't matter what user/password combo that is used. Everything returns System error 5 Access denied. I have tried a standard domain user, the local pc user, and the system admin. Nothing works. I welcome suggestions to try.
Question by:jbcbussoft
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 40420607
The XP Mode system runs under a username.  I forget what it is, but essentially you need to create that username in the AD and give permissions to the printer.   I wish I had the steps I used, but it was over a year ago that I did this.  Exact same problem though.
LVL 12

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 1000 total points
ID: 40420608
This problem occurs because of the default behavior of the Allow cryptography algorithms compatible with Windows NT 4.0 policy on Windows Server 2008-based domain controllers. This policy is configured to prevent Windows operating systems and third-party clients from using weak cryptography algorithms to establish NETLOGON security channels to Windows Server 2008-based domain controllers.
This is by design.

You can try the following workaround mention in TechNet or you can follow this link or see the steps below.

1.Log on to a Windows Server 2008-based domain controller.
2.Click Start, click Run, type gpmc.msc, and then click OK.
3.In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4.In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5.In the Properties dialog box, click the Enabled option, and then click OK.

Notes◦By default, the Not Configured option is set for the Allow cryptography algorithms compatible with Windows NT 4.0 policy in the following Group Policy objects (GPO):◾Default Domain Policy
◾Default Domain Controllers Policy
◾Local Computer Policy
By default, the behavior for the Allow cryptography algorithms compatible with Windows NT 4.0 policy on Windows Server 2008-based domain controllers is to programmatically prevent connections from using cryptography algorithms that are used in Windows NT 4.0. Therefore, tools that enumerate effective policy settings on a member computer or on a domain controller will not detect the Allow cryptography algorithms compatible with Windows NT 4.0 policy unless you explicitly enable or disable the policy.
◦      Windows 2000 Server-based domain controllers and Windows Server 2003-based domain controllers do not have the Allow cryptography algorithms compatible with Windows NT 4.0 policy. Therefore, pre-Windows Server 2008-based domain controllers accept security channel requests from client computers even if the client computers use the old cryptography algorithms that are used in Windows NT 4.0. If security channel requests are intermittently processed by Windows Server 2008-based domain controllers, you will experience inconsistent results.

6.Install third-party software updates that fix the problem, or remove client computers that use incompatible cryptography algorithms.
7.Repeat steps 1 through 4.
8.In the Properties dialog box, click the Disabled option, and then click OK.

And by the way did you try to run the command with elevated privileges?

Right click in cmd and then run as Administrator?

Hope it helps
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Author Comment

ID: 40420779
David Paris Vicente - I will try this in the morning.

jkaios - I can log in to windows without a problem. My problem is that after joining the domain the net use command returns an error. This command is issued after the system is logged into.
LVL 12

Expert Comment

ID: 40420869
The problem, as suggested by David and Bas, is authentication.  The default user that the XP Mode uses to log in to the XP Virtual Environment is NOT in your Active Directory, hence the error "access denied".

One of the tutorials I provided is to make the XP Mode log in "AS" some valid user in your AD or an Administrator that has the same password as the Administrator user in your AD.

Author Comment

ID: 40421375
jkaios - Removing XPMUser as the default user was done the day XP Mode was installed several months ago. XP Mode users were in the list of users on the server before the change to AD. They have since been elevated to domain users. In XP Mode they were the users that joined the domain. Their usernames are domain\username or username@domain so they have rights on the domain.
LVL 12

Assisted Solution

jkaios earned 1000 total points
ID: 40423113
It could be that the Networking settings in your Virtual XP is set to the default Shared Networking (NAT).  If so, then try these steps on your Virtual XP:

1. log in to your Virtual XP (the default XPMUser is fine)
2. go to Tools and select Settings...
3. in the Windows XP Mode settings dialog box, click Networking
4. next to Adapter 1, select the actual network interface that is installed on your computer
5. click OK to save the changes
6. run a Command Prompt and try to ping a running PC on your network (if u see Reply from... then continue to step 7)
7. go to Computer Management -> Local Users and Groups
8. enable the built-in Administrator account
9. reset the Administrator account password to the password of your domain Administrator user
10. now try to browse any share on any computer on your network or try the NET USE command

If command completed successfully, then congratulations!
LVL 12

Accepted Solution

jkaios earned 1000 total points
ID: 40423115
...forgot the additional steps...

10. log off the Virtual XP
11. log on with Administrator and your current password
12. now try to browse any share on any computer on your network or try the NET USE command

Please note that you can also join the Virtual XP to your domain if you can successfully log in with the Administrator account.

Author Comment

ID: 40423134
OK I will try these as well. I was unable to try the other suggestions today.
LVL 12

Expert Comment

ID: 40423187
I can assure you that the 12 above steps I've just posted will work.  I tried them myself.  The key was step 4 (the networking adapter setting) AND steps 8 - 12.

Author Closing Comment

ID: 40426412
Although my problem is not completely solved (yet), my question has been answered and it works. Thanks for your help.
LVL 12

Expert Comment

ID: 40427300
I don't understand: The problem is not solved, but it works?

Does the NET USE command in XP Mode now work after following my 12 steps?  Or did you try something else and what was it?

Author Comment

ID: 40427343
I typed a comment before giving points but I must have not submitted it.
I made the policy change but I was unable to use the net use command without an error. I completed the  your 12 steps and was able to issue the command while logged in as the admin but when I returned to the normal user account I was unable to print. I can't have the domain admin logged in to resolve this problem on each workstation.  David Paris Vicente had suggested I use an elevated prompt. This works but only for the current session. If I shutdown XP Mode I lose the use of 'net use' even though I had included the '/persistent:yes' switch. If I close the XP Mode session and let it hibernate I also lose the statement. So I am left with having to issue this command each morning to get this to print.

So it works but not as I need it to.
LVL 12

Expert Comment

ID: 40427466
OK point taken, thanks for clarifying.

In your XP Mode Settings, is the Undo Disks enabled or disabled?  This could cause the XP Mode to lose or not save its session data.

For my XP Mode, I closed it two days ago (so it was hibernated).  I even shut down my host Windows 7 last night before I went home.  But now as of this writing, after I ran XP Mode, all the programs I ran are still there.  The DOS command window I opened two days ago is still there in the virtual XP.  So obviously, all commands I used that day are still in effect.

Regarding the "persistent" switch in the NET USE command, I sort of recall that I used to have this kind of problem even when running on pure Windows XP machines.  We've upgraded our old DOS-based programs and no longer had to deal with the tedious NET USE LPT[n] command again, but I still remember that every morning we had to RE-run this command again on all the user workstations.  And this is why as described here http://support2.microsoft.com/default.aspx?scid=kb;en-us;Q313644

I completely agree with you on the idea of not having to use a priveleged user (such as a domin admin) for security reason.

WORKAROUND: There are couple of methods you can use to circumvent this problem. Either one of the following can work, you don't have to do all of them.  And as usual, start with the first one first.

1. use a script (preferrably a batch file) that contains the NET USE command, and then put this file on the "Startup" folder in the XP Mode under the ALLUSERSPROFILE so that it runs for every user on that machine.

2. create a special domain user or group (with standard user privileges) and then assign that domain user/group to the local Power Users group on each XP Mode.  This helps saves the "persistent" setting.

3. change the program (if you have the original source code) to use or print to LPT2 port instead as port LPT1 is somewhat reserved by the OS or other processes as in this KB http://support2.microsoft.com/default.aspx?scid=kb;en-us;Q313644

Author Comment

ID: 40427666
I will give this a whirl.

Featured Post

Enroll in August's Course of the Month

August's CompTIA IT Fundamentals course includes 19 hours of basic computer principle modules and prepares you for the certification exam. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
Suggested Courses
Course of the Month7 days, 19 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question