Access Denied on XP after joining domain

I have set up a test Win 2003 Enterprise server and installed active
directory. There are no patches, service packs etc installed on the server. I
am using XP Pro machine that is current with all patches.

I shared one of the server drives with full control for everyone.

I can join the domain on the XP machine OK. I wanted to copy files to the
shared server drive from the XP machine. I can copy some but not all of the
files from my C drive to the network share. The XP machine just says "access
denied".

I am a just domain user on the server and admin on the XP machine.

When I reboot the XP machine without logging into the domain everything is
fine again.

Obviously there is some AD policy causing this. I just don't know where to
look. Any help is appreciated.

In news:2FC46205-0CDD-41BF-A769-04C1DBAA5297@microsoft.com,
Dave G <Dave G@discussions.microsoft.com>, posted the following:
> I have set up a test Win 2003 Enterprise server and installed active
> directory. There are no patches, service packs etc installed on the
> server. I am using XP Pro machine that is current with all patches.
>
> I shared one of the server drives with full control for everyone.
>
> I can join the domain on the XP machine OK. I wanted to copy files to
> the shared server drive from the XP machine. I can copy some but not
> all of the files from my C drive to the network share. The XP machine
> just says "access denied".
>
> I am a just domain user on the server and admin on the XP machine.
>
> When I reboot the XP machine without logging into the domain
> everything is fine again.
>
> Obviously there is some AD policy causing this. I just don't know
> where to look. Any help is appreciated.

I would first suggest to update the server to the latest service pack and
updates. There have been many, and many are security related. If XP has
them, but the server does not, or the server does not have an update that
affects communication that the XP box does, it may contribute to the problem

Also, if after updating you are still seeing the problem, please post an
unedited ipconfig /all of the XP box and of the domain controller. It could
be related to DNS. The ipconfigs will help give us an excellent start
towards diagnosing this issue.

Thank you,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Dave,
I'm not entirely clear based on your description what exactly is failing and
what "is fine again" means, but, in general, "access denied" message might
be resulting from number of conditions (e.g. files which are in-use,
read-only, or to which you don't have permissions to). But as Ace has
pointed out, you should start by making sure that your server is properly
patched...

hth
Marcin

"Dave G" <Dave G@discussions.microsoft.com> wrote in message
news:2FC46205-0CDD-41BF-A769-04C1DBAA5297@microsoft.com...
>I have set up a test Win 2003 Enterprise server and installed active
> directory. There are no patches, service packs etc installed on the
> server. I
> am using XP Pro machine that is current with all patches.
>
> I shared one of the server drives with full control for everyone.
>
> I can join the domain on the XP machine OK. I wanted to copy files to the
> shared server drive from the XP machine. I can copy some but not all of
> the
> files from my C drive to the network share. The XP machine just says
> "access
> denied".
>
> I am a just domain user on the server and admin on the XP machine.
>
> When I reboot the XP machine without logging into the domain everything is
> fine again.
>
> Obviously there is some AD policy causing this. I just don't know where to
> look. Any help is appreciated.

Hello Dave,

Update the server first to latest SP and patches.

Then make sure that the client and server only use domain internal DNS servers
on the NIC, NONE outside like your ISP's DNS server.

Also for XP configure following policy:
Computer Configuration, Administrative Templates, System, Logon, "Always
wait for the network at computer startup and logon"

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I have set up a test Win 2003 Enterprise server and installed active
> directory. There are no patches, service packs etc installed on the
> server. I am using XP Pro machine that is current with all patches.
>
> I shared one of the server drives with full control for everyone.
>
> I can join the domain on the XP machine OK. I wanted to copy files to
> the shared server drive from the XP machine. I can copy some but not
> all of the files from my C drive to the network share. The XP machine
> just says "access denied".
>
> I am a just domain user on the server and admin on the XP machine.
>
> When I reboot the XP machine without logging into the domain
> everything is fine again.
>
> Obviously there is some AD policy causing this. I just don't know
> where to look. Any help is appreciated.
>

I have download and installed all the patches. Ipconfigs are at the bottom of
this post.

Installing the patches changed nothing. Just to be clear the files I am
coping from XP to the network are data files used in testing a application.
They are not in use. I am using the same user id/password that I have always
had on the XP machine. The same id/pw are in AD. The drive share is setup for
full control for everyone.

If I do not log into the domain, just as the XP user I can map a drive to
the network share and copy at will. I am just doing a copy c:\data z:\data
from a cmd prompt.

If logged into the domain that same copy command returns "access denied" for
every file in c:\data. Why or where is AD keeping me from accessing files on
my c drive?

Also when logged into the domain my windows desktop only shows programs
installed in all users. None of the other short cuts or settings (themes etc)
I have set-up are there. That was not what I expected. Is that normal?

********************
XP ipconfig


Windows IP Configuration



Host Name . . . . . . . . . . . . : dellxppro

Primary Dns Suffix . . . . . . . : vxxi.local

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : vxxi.local



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit
Controller

Physical Address. . . . . . . . . : 00-1C-23-06-6A-EF

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.1.200

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.111

166.102.165.13



Ethernet adapter Wireless Network Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card

Physical Address. . . . . . . . . : 00-1B-FC-8F-90-C5

**************************
Server ipconfig


Windows IP Configuration



Host Name . . . . . . . . . . . . : training

Primary Dns Suffix . . . . . . . : vxxi.local

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : vxxi.local



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet

Physical Address. . . . . . . . . : 00-23-8B-03-E1-C0

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.1.111

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 192.168.1.111

In news:0DFDB372-91EC-45D6-B346-AC92705861FE@microsoft.com,
Dave G <DaveG@discussions.microsoft.com>, posted the following:
> I have download and installed all the patches. Ipconfigs are at the
> bottom of this post.
>
> Installing the patches changed nothing. Just to be clear the files I
> am coping from XP to the network are data files used in testing a
> application. They are not in use. I am using the same user
> id/password that I have always had on the XP machine. The same id/pw
> are in AD. The drive share is setup for full control for everyone.
>
> If I do not log into the domain, just as the XP user I can map a
> drive to the network share and copy at will. I am just doing a copy
> c:\data z:\data from a cmd prompt.
>
> If logged into the domain that same copy command returns "access
> denied" for every file in c:\data. Why or where is AD keeping me from
> accessing files on my c drive?
>
> Also when logged into the domain my windows desktop only shows
> programs installed in all users. None of the other short cuts or
> settings (themes etc) I have set-up are there. That was not what I
> expected. Is that normal?
>
> ********************
> XP ipconfig
>
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : dellxppro
> Primary Dns Suffix . . . . . . . : vxxi.local
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : vxxi.local
>
> Ethernet adapter Local Area Connection:
> Connection-specific DNS Suffix . :
>
> Description . . . . . . . . . . . : Broadcom NetXtreme 57xx
> Gigabit Controller
>
> Physical Address. . . . . . . . . : 00-1C-23-06-6A-EF
> Dhcp Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.1.200
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.111
> 166.102.165.13
>
> Ethernet adapter Wireless Network Connection:
>
> Media State . . . . . . . . . . . : Media disconnected
> Description . . . . . . . . . . . : Dell Wireless 1390 WLAN
> Mini-Card
> Physical Address. . . . . . . . . : 00-1B-FC-8F-90-C5
>
> **************************
> Server ipconfig
>
> Windows IP Configuration
> Host Name . . . . . . . . . . . . : training
> Primary Dns Suffix . . . . . . . : vxxi.local
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : vxxi.local
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
>
> Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit
> Ethernet
> Physical Address. . . . . . . . . : 00-23-8B-03-E1-C0
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.1.111
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . :
> DNS Servers . . . . . . . . . . . : 192.168.1.111

Dave,

Thanks for posting the ipconfigs.

Why is that DNS server IP 166.102.165.13 on the XP client? It resolves to
nsvip02.windstream.net, an external DNS server. I suggest to remove this IP
address. It is important for AD machines to only use the internal DNS
server(s). Configure a Forwarder to this server in DNS properties.

This can be the cause of a majority of problems. Keep in mind, when a
machine wants to logon, authenticate to other servers, to a printer, etc, it
queries DNS for an internal domain controller. An external DNS does not have
this info. Also, one may think putting it second in the list will provide
internet resolution, but that is not how the DNS resolver treats the
entries. They need to be for fault tolerance, and they do not go back and
forth until it finds the answer.

When a machine is joined to the domain, a whole new profile is created.
Hence what you are experiencing. You can logon as a user to create the
profile, then logoff, then back on again as the admin, then go to System
properties and copy the profile from the non-domain account that you've been
using, to the new user account.

As for C: drive on the server from the client, assuming it is a Domain User,
then yes, an access denied is expected behavior, assuming you are connecting
by \\training\c$. You need to be logged on as a domain admin to get to the
admin shares of any machine, server or other clients.

Also, the server does not have a default gateway address configured. Does
this server require internet access? If nothing else, it won't be able to
get Windows updates without a gateway.

Ace

Hello Dave,

The ip address 166.x.x.x is your ISP's DNs server. Remove that from the NIC,
your client problems result becuase of that. Domain internal use only the
domain DNS server. On the DNS server configure the FORWARDERS with the ISP's
DNS server in the DNS management console under the DNS server properties.

Domain users shouldn't be able to copy to the c-drive direct on the server.
That's by design.

Also i would configure the DG on the server so it can also update from the
internet.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I have download and installed all the patches. Ipconfigs are at the
> bottom of this post.
>
> Installing the patches changed nothing. Just to be clear the files I
> am coping from XP to the network are data files used in testing a
> application. They are not in use. I am using the same user id/password
> that I have always had on the XP machine. The same id/pw are in AD.
> The drive share is setup for full control for everyone.
>
> If I do not log into the domain, just as the XP user I can map a drive
> to the network share and copy at will. I am just doing a copy c:\data
> z:\data from a cmd prompt.
>
> If logged into the domain that same copy command returns "access
> denied" for every file in c:\data. Why or where is AD keeping me from
> accessing files on my c drive?
>
> Also when logged into the domain my windows desktop only shows
> programs installed in all users. None of the other short cuts or
> settings (themes etc) I have set-up are there. That was not what I
> expected. Is that normal?
>
> ********************
> XP ipconfig
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : dellxppro
>
> Primary Dns Suffix . . . . . . . : vxxi.local
>
> Node Type . . . . . . . . . . . . : Unknown
>
> IP Routing Enabled. . . . . . . . : No
>
> WINS Proxy Enabled. . . . . . . . : No
>
> DNS Suffix Search List. . . . . . : vxxi.local
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
>
> Description . . . . . . . . . . . : Broadcom NetXtreme 57xx
> Gigabit Controller
>
> Physical Address. . . . . . . . . : 00-1C-23-06-6A-EF
>
> Dhcp Enabled. . . . . . . . . . . : No
>
> IP Address. . . . . . . . . . . . : 192.168.1.200
>
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>
> Default Gateway . . . . . . . . . : 192.168.1.1
>
> DNS Servers . . . . . . . . . . . : 192.168.1.111
>
> 166.102.165.13
>
> Ethernet adapter Wireless Network Connection:
>
> Media State . . . . . . . . . . . : Media disconnected
>
> Description . . . . . . . . . . . : Dell Wireless 1390 WLAN
> Mini-Card
>
> Physical Address. . . . . . . . . : 00-1B-FC-8F-90-C5
>
> **************************
> Server ipconfig
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : training
>
> Primary Dns Suffix . . . . . . . : vxxi.local
>
> Node Type . . . . . . . . . . . . : Unknown
>
> IP Routing Enabled. . . . . . . . : No
>
> WINS Proxy Enabled. . . . . . . . : No
>
> DNS Suffix Search List. . . . . . : vxxi.local
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
>
> Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit
> Ethernet
>
> Physical Address. . . . . . . . . : 00-23-8B-03-E1-C0
>
> DHCP Enabled. . . . . . . . . . . : No
>
> IP Address. . . . . . . . . . . . : 192.168.1.111
>
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>
> Default Gateway . . . . . . . . . :
>
> DNS Servers . . . . . . . . . . . : 192.168.1.111
>

One of directories I was trying to copy was encrypted on the xp machine. When
logged into the domain it was generating the "access denied". When I wasn't
loged in I could copy it. (my network drive is mapped to \\training\vxxi$
with full control for everyone). I'm not quite sure why the difference but I
can live with it.

I still have issues when logged into the domain. Why/what is keeping me from
making chages to network properties? There is something in AD that is
removing my ability to make changes to xp. Is there a default policy that is
causing this?

As you can tell AD is new to me. Thanks for your replies.

Hello Dave,

If you use enrcpting file system before joining to the domain it is normal
that the files are not readable. You domain user account is not allowed to
decrypt them, that's the design. If you need to have access, use the local
account and decrypt them.

Normal user accounts are not able to change network configuration. You can
add them to the "Network configuration operators" on the local machines with
restricted groups policy, see here how to: http://www.frickelsoft.net/blog/?p=13

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> One of directories I was trying to copy was encrypted on the xp
> machine. When logged into the domain it was generating the "access
> denied". When I wasn't loged in I could copy it. (my network drive is
> mapped to \\training\vxxi$ with full control for everyone). I'm not
> quite sure why the difference but I can live with it.
>
> I still have issues when logged into the domain. Why/what is keeping
> me from making chages to network properties? There is something in AD
> that is removing my ability to make changes to xp. Is there a default
> policy that is causing this?
>
> As you can tell AD is new to me. Thanks for your replies.
>

In news:AC72CC09-1A52-4836-AF0C-09E8912DE40E@microsoft.com,
Dave G <DaveG@discussions.microsoft.com>, posted the following:
> One of directories I was trying to copy was encrypted on the xp
> machine. When logged into the domain it was generating the "access
> denied". When I wasn't loged in I could copy it. (my network drive is
> mapped to \\training\vxxi$ with full control for everyone). I'm not
> quite sure why the difference but I can live with it.
>
> I still have issues when logged into the domain. Why/what is keeping
> me from making chages to network properties? There is something in AD
> that is removing my ability to make changes to xp. Is there a default
> policy that is causing this?
>
> As you can tell AD is new to me. Thanks for your replies.

The Domain Users group is added to the Local Users group on all machines
once the machine has been joined. If a Domain User is not in any groups
giving them administrative abilities, then they cannot change anything on
the local machine. There are ways around it. Meinolf had suggested one
method. There are other options as well, such as using GPO restricted
groups, or logging in as the Domain Admin account and adding that specific
AD user account to a local group that does have administrative abilities, as
was suggested by Meinolf.

Keep in mind, if a user cannot install software or change settings, it
gives you tighter control and consistency across the board, but more
importantly, it will alleviate any possiblities of spyware and viruses
getting installed, on top of that, changes made to a system that you may
have to waste time to sit and fix it.

Ace