Solved

How to fix "Net use" in XPMode\DOS on Domain system error 5

Posted on 2014-11-03
Last Modified: 2014-11-06
I have an old program running that requires an LPT printer. We have been using the net use command and it has worked for years. Example: net use lpt1 \\computername\device /persistent:yes
We have Windows Server 2008 R2, Win 7 workstations running XP Mode. This week the server, which had been little more than a glorified peer-to-peer server, was converted to an Active Directory domain controller. This command no longer works. The startup file runs and prompts for a user and password. It doesn't matter what user/password combo is used. Everything returns System error 5 Access denied. I have tried a standard domain user, the local PC user, and the system admin. Nothing works. I welcome suggestions to try.
0
Question by:jbcbussoft
15 Comments
 
LVL 9

Expert Comment

by:bas2754
The XP Mode system runs under a username.  I forget what it is, but essentially you need to create that username in the AD and give permissions to the printer.   I wish I had the steps I used, but it was over a year ago that I did this.  Exact same problem though.
0
 
LVL 12

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 250 total points
This problem occurs because of the default behavior of the Allow cryptography algorithms compatible with Windows NT 4.0 policy on Windows Server 2008-based domain controllers. This policy is configured to prevent Windows operating systems and third-party clients from using weak cryptography algorithms to establish NETLOGON security channels to Windows Server 2008-based domain controllers.
This is by design.

You can try the following workaround mentioned in TechNet or you can follow this link or see the steps below.

1. Log on to a Windows Server 2008-based domain controller.
2. Click Start, click Run, type gpmc.msc, and then click OK.
3. In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5. In the Properties dialog box, click the Enabled option, and then click OK.

Notes
◦ By default, the Not Configured option is set for the Allow cryptography algorithms compatible with Windows NT 4.0 policy in the following Group Policy objects (GPO):
  ◾ Default Domain Policy
  ◾ Default Domain Controllers Policy
  ◾ Local Computer Policy
  By default, the behavior for the Allow cryptography algorithms compatible with Windows NT 4.0 policy on Windows Server 2008-based domain controllers is to programmatically prevent connections from using cryptography algorithms that are used in Windows NT 4.0. Therefore, tools that enumerate effective policy settings on a member computer or on a domain controller will not detect the Allow cryptography algorithms compatible with Windows NT 4.0 policy unless you explicitly enable or disable the policy.
◦ Windows 2000 Server-based domain controllers and Windows Server 2003-based domain controllers do not have the Allow cryptography algorithms compatible with Windows NT 4.0 policy. Therefore, pre-Windows Server 2008-based domain controllers accept security channel requests from client computers even if the client computers use the old cryptography algorithms that are used in Windows NT 4.0. If security channel requests are intermittently processed by Windows Server 2008-based domain controllers, you will experience inconsistent results.

6. Install third-party software updates that fix the problem, or remove client computers that use incompatible cryptography algorithms.
7. Repeat steps 1 through 4.
8. In the Properties dialog box, click the Disabled option, and then click OK.

And by the way did you try to run the command with elevated privileges?

Right click in cmd and then run as Administrator?

Hope it helps
0
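A check for steps 5 to 8 of the answer above, added here as an example that is not part of the original thread: it reports whether the NT 4.0 crypto compatibility setting has been left enabled on a domain controller. It assumes the policy is stored as the AllowNT4Crypto value under the two Netlogon Parameters keys shown (the Group Policy location and the service location); confirm both on your build.

```bat
@echo off
rem Added example, not from the thread: audit the "Allow cryptography algorithms
rem compatible with Windows NT 4.0" setting. Run on each domain controller.
rem Assumption: the setting is stored as the AllowNT4Crypto DWORD in these keys.
setlocal
set "VALUE=AllowNT4Crypto"
set "STATE=unset"

call :check "HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters"
call :check "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

if "%STATE%"=="weak" (
  echo RESULT: NT 4.0-compatible algorithms are ALLOWED on %COMPUTERNAME%.
  exit /b 1
)
rem "unset" means Not Configured, which on Server 2008 and later refuses the old algorithms.
echo RESULT: no enabled %VALUE% found on %COMPUTERNAME% ^(state: %STATE%^).
exit /b 0

:check
rem reg query prints "    AllowNT4Crypto    REG_DWORD    0x1"; the third token is the data.
for /f "tokens=1-3" %%A in ('reg query %1 /v %VALUE% 2^>nul ^| find /i "%VALUE%"') do (
  echo %~1 : %%A = %%C
  if /i "%%C"=="0x1" (set "STATE=weak") else (if not "%STATE%"=="weak" set "STATE=disabled")
)
goto :eof
```

The non-zero exit code when the setting is enabled lets a scheduled task or monitoring agent flag a controller where the temporary workaround was never reverted.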
 
LVL 12

Expert Comment

by:jkaios
0
 

Author Comment

by:jbcbussoft
David Paris Vicente - I will try this in the morning.

jkaios - I can log in to windows without a problem. My problem is that after joining the domain the net use command returns an error. This command is issued after the system is logged into.
0
 
LVL 12

Expert Comment

by:jkaios
The problem, as suggested by David and Bas, is authentication.  The default user that the XP Mode uses to log in to the XP Virtual Environment is NOT in your Active Directory, hence the error "access denied".

One of the tutorials I provided is to make the XP Mode log in "AS" some valid user in your AD or an Administrator that has the same password as the Administrator user in your AD.
0
 

Author Comment

by:jbcbussoft
jkaios - Removing XPMUser as the default user was done the day XP Mode was installed several months ago. XP Mode users were in the list of users on the server before the change to AD. They have since been elevated to domain users. In XP Mode they were the users that joined the domain. Their usernames are domain\username or username@domain so they have rights on the domain.
0
 
LVL 12

Assisted Solution

by:jkaios
jkaios earned 250 total points
It could be that the Networking settings in your Virtual XP are set to the default Shared Networking (NAT).  If so, then try these steps on your Virtual XP:

1. log in to your Virtual XP (the default XPMUser is fine)
2. go to Tools and select Settings...
3. in the Windows XP Mode settings dialog box, click Networking
4. next to Adapter 1, select the actual network interface that is installed on your computer
5. click OK to save the changes
6. run a Command Prompt and try to ping a running PC on your network (if you see Reply from... then continue to step 7)
7. go to Computer Management -> Local Users and Groups
8. enable the built-in Administrator account
9. reset the Administrator account password to the password of your domain Administrator user
10. now try to browse any share on any computer on your network or try the NET USE command

If command completed successfully, then congratulations!
0
 
LVL 12

Accepted Solution

by:jkaios
jkaios earned 250 total points
...forgot the additional steps...

10. log off the Virtual XP
11. log on with Administrator and your current password
12. now try to browse any share on any computer on your network or try the NET USE command

Please note that you can also join the Virtual XP to your domain if you can successfully log in with the Administrator account.
0
 

Author Comment

by:jbcbussoft
OK I will try these as well. I was unable to try the other suggestions today.
0
 
LVL 12

Expert Comment

by:jkaios
I can assure you that the 12 above steps I've just posted will work.  I tried them myself.  The key was step 4 (the networking adapter setting) AND steps 8 - 12.
0
 

Author Closing Comment

by:jbcbussoft
Although my problem is not completely solved (yet), my question has been answered and it works. Thanks for your help.
0
 
LVL 12

Expert Comment

by:jkaios
I don't understand: The problem is not solved, but it works?

Does the NET USE command in XP Mode now work after following my 12 steps?  Or did you try something else and what was it?
0
 

Author Comment

by:jbcbussoft
I typed a comment before giving points but I must have not submitted it.
I made the policy change but I was unable to use the net use command without an error. I completed your 12 steps and was able to issue the command while logged in as the admin, but when I returned to the normal user account I was unable to print. I can't have the domain admin logged in to resolve this problem on each workstation. David Paris Vicente had suggested I use an elevated prompt. This works but only for the current session. If I shut down XP Mode I lose the use of 'net use' even though I had included the '/persistent:yes' switch. If I close the XP Mode session and let it hibernate I also lose the statement. So I am left with having to issue this command each morning to get this to print.

So it works but not as I need it to.
0
 
LVL 12

Expert Comment

by:jkaios
OK point taken, thanks for clarifying.

In your XP Mode Settings, is the Undo Disks enabled or disabled?  This could cause the XP Mode to lose or not save its session data.

For my XP Mode, I closed it two days ago (so it was hibernated).  I even shut down my host Windows 7 last night before I went home.  But now as of this writing, after I ran XP Mode, all the programs I ran are still there.  The DOS command window I opened two days ago is still there in the virtual XP.  So obviously, all commands I used that day are still in effect.

Regarding the "persistent" switch in the NET USE command, I sort of recall that I used to have this kind of problem even when running on pure Windows XP machines.  We've upgraded our old DOS-based programs and no longer had to deal with the tedious NET USE LPT[n] command again, but I still remember that every morning we had to RE-run this command again on all the user workstations.  And this is why as described here http://support2.microsoft.com/default.aspx?scid=kb;en-us;Q313644

I completely agree with you on the idea of not having to use a privileged user (such as a domain admin) for security reasons.

WORKAROUND: There are a couple of methods you can use to circumvent this problem. Either one of the following can work, you don't have to do all of them.  And as usual, start with the first one first.

1. use a script (preferably a batch file) that contains the NET USE command, and then put this file in the "Startup" folder in the XP Mode under the ALLUSERSPROFILE so that it runs for every user on that machine.

2. create a special domain user or group (with standard user privileges) and then assign that domain user/group to the local Power Users group on each XP Mode.  This helps save the "persistent" setting.

3. change the program (if you have the original source code) to use or print to LPT2 port instead as port LPT1 is somewhat reserved by the OS or other processes as in this KB http://support2.microsoft.com/default.aspx?scid=kb;en-us;Q313644
0
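Workaround 1 above as a batch file, added here as an example that is not part of the original thread: it remaps the LPT port at every logon without storing a password or needing an administrator session. \\computername\device is the placeholder share from the question, the log file name is hypothetical, and the script assumes the logged-on domain user has Print permission on the shared printer.

```bat
@echo off
rem Added example, not from the thread: place in the All Users Startup folder
rem inside XP Mode so it runs for every user at logon.
setlocal
set "PORT=LPT1"
set "SHARE=\\computername\device"
set "LOG=%TEMP%\lptmap.log"
set TRIES=0

rem Drop any stale mapping first so a remembered but dead connection
rem cannot hide a real failure.
net use %PORT% /delete >nul 2>&1

:retry
set /a TRIES+=1
rem No user name or password on the command line: the mapping is made with
rem the logged-on domain user's own credentials, so no secret sits in this file.
rem /persistent:no because the script recreates the mapping at each logon.
net use %PORT% "%SHARE%" /persistent:no >nul 2>>"%LOG%"
if not errorlevel 1 goto ok
if %TRIES% GEQ 5 goto failed
rem Wait about 5 seconds for the virtual network adapter to come up
rem (ping is used because XP has no timeout command).
ping -n 6 127.0.0.1 >nul
goto retry

:ok
echo %DATE% %TIME% %USERNAME% mapped %PORT% to %SHARE% after %TRIES% attempt(s)>>"%LOG%"
endlocal
exit /b 0

:failed
rem System error 5 recorded in the log means the user lacks rights on the
rem printer share; fix the share permission rather than adding credentials here.
echo %DATE% %TIME% %USERNAME% FAILED to map %PORT% to %SHARE%>>"%LOG%"
echo Could not connect %PORT% to %SHARE%. See %LOG%
endlocal
exit /b 1
```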
 

Author Comment

by:jbcbussoft
I will give this a whirl.
0
