Old 07-12-2000, 07:25 PM   #1
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Question

Hi all, hopefully someone will have an answer to this one.

I'm the recently appointed local sysadmin for the company I work for. The previous sysadmin and his boss (and 3 other IT people) recently quit, and left no notes as to how anything is configured (nice of them isn't it?). So, bear with me as I'm only about halfway through a degree in IT so I can't solve this one.

Our network has one domain and 4 workgroups. I'm finding that I can only access the workgroups from certain PC's on the network. If I try to access the workgroups from most PC's, I get a message that reads "your account is not authorized to log in from this station". However, my account has full administrative privileges and permissions on our NT server.
I should mention that we have an NT server (sp4) and most of the other PC's in question are running W98, W95, and W2000.
So, I have full access to any PC that is a member of just the domain, and not a workgroup, but no access to any of the workgroups from my laptop (a member of the domain, not workgroup). If I log into a PC that is a workgroup member, I can access everything, and a few select PC's on the domain (not a workgroup) will also allow this access.
My thinking is that somewhere I haven't found is a list of PC's with access to the domains, but I can't find it from this end. I should also note that our main NT server is in another state and the guy running it is in about the same position I'm in as far as sysadmin knowledge, so he can't find anything out of sorts from his end either.
Frustrating to say the least, this is the only problem I have found yet that I can't get around.

I hope I gave enough info, if I left anything out, let me know.
Help?? anyone have an idea? I'm open to any suggestions.

P.S., I have tried making my laptop a workgroup member, but I still have the same results (my workgroup is empty... but the domain is there).

[This message has been edited by crcmapper (edited 07-13-2000).]
crcmapper is offline   Reply With Quote
Old 07-14-2000, 06:40 AM   #2
Member (7 bit)
 
Join Date: Jun 2000
Posts: 83
Post

goto User Manager (or damager :P) in ur PDC

select the user account that u are concerned wrt the access, select properties for that user account

Click on 'Logon to' button, add the workstation that u want access to or click access to all work stations

hth

gtfx
vitalstatistix is offline   Reply With Quote
Old 07-14-2000, 09:21 AM   #3
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Unhappy

Thanks for the reply vitalstatistix, but no luck. I had already checked this, but checked again to be sure. When you click the 'logon to' button, the screen that comes up gives two choices, the first choice is 'allow user to logon to all workstations'
This is the one that is checked.
The second choice is 'allow user to logon to these workstations' and that one has a list of workstations to allow access to. However, this list is gray'd out as the first choice (allow user to logon to all workstations) is checked.
Now, this is all in the 'user manager for domains' dialog box, is there (or should there be, because I don't have one) a 'user manager for workgroups' dialog somewhere? It seems to me that my access to the PC's on the domain is just fine, my problem starts when dealing with workgroups.
My logon and Pword access everything on the network from certain PC's, so I'm thinking that there is a list of workstations allowed to logon to the workgroup somewhere. This seems to be un-related to my user name, and more related to the actual workstation I'm logging in from (and yes, all the workstations are configured with the same network protocols and such).
Any more ideas??
crcmapper is offline   Reply With Quote
Old 07-14-2000, 09:59 AM   #4
bob
Member (12 bit)
Premium Member
 
 
Join Date: Mar 1999
Location: LA, CA
Posts: 2,227
Post

Change the workgroup name on the pc to the workgroup you need to access.
bob is offline   Reply With Quote
Old 07-14-2000, 11:15 AM   #5
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Unhappy

Tried it (on 3 different PC's), no luck.
The previous sysadmin considered himself to be a network security expert (he wasn't even close, but he thought of himself this way anyhow) and told people he had set up the network to allow very strict access to the workgroups, I just can't figure out how he did it.

Thanks for the response however I'm still trying to figure this one out.

P.S. does anyone else consider it to be a bit irresponsible for him to have left no notes and intentionally passed on no info when he left?


[This message has been edited by crcmapper (edited 07-14-2000).]
crcmapper is offline   Reply With Quote
Old 07-14-2000, 11:51 AM   #6
bob
Member (12 bit)
Premium Member
 
 
Join Date: Mar 1999
Location: LA, CA
Posts: 2,227
Post

Run poledit
Open policy - file is \\YourPDC\winnt\system32\repl\imports\scripts\ntconfig.pol

bob is offline   Reply With Quote
Old 07-14-2000, 12:03 PM   #7
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Smile

Hmmm, sounds promising Bob, I'll give that a try tomorrow morning (I'm at home now, but I'm working tomorrow.. ).
I did find some recent text files in a temp folder concerning the use of poledit and the management of policy and wondered if this might have something to do with it, so your suggestion sounds good.
I'll let you know in the morning.

P.S., can you change access to the workgroups with the poledit? I thought it was only useful for setting up certain workstations to keep users out of the control panel and other sensitive settings.
(but then again, I'm still learning so I could be completely wrong)
crcmapper is offline   Reply With Quote
Old 07-14-2000, 03:07 PM   #8
Member (7 bit)
 
Join Date: Jun 2000
Posts: 83
Post


if the machine in the workgroup u r trying to access is Win2K, turn on security audit of each machine for login failures and access failures. Try connecting again, the error will be recorded in detail in the eventviewer, post that error here or search for that error on M$ TechNet.

Unless there is some sort of a trust relationship with your domain controllers for the workgroup members, i doubt there is much role played by the PDC or BDC.

regards


gtfx

PS: No crime bigger than NO documentation.

[This message has been edited by vitalstatistix (edited 07-14-2000).]
vitalstatistix is offline   Reply With Quote
Old 07-14-2000, 07:30 PM   #9
Member (7 bit)
 
Join Date: Jun 2000
Posts: 83
Post

any information about the rest of the questions i asked earlier in my prev post!
vitalstatistix is offline   Reply With Quote
Old 07-14-2000, 07:41 PM   #10
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Post

vitalstatistix - sorry, here are the rest of the answers.

b) tmoret is running Win98

c) ADR-PITTSBURGH is a workgroup, ADR-PENNSAUKEN is a NT domain

d) not too sure about LDAP or m$ Active directory, but this problem isn't just from my laptop. If I log on to any machine that is a Domain Member, I can't see the workgroups (I can see the actual workgroup, but if I try to expand it I get the error). If I log onto a workgroup member I can see everything. If I change my laptop from a domain member to a workgroup member, nothing changes at all.. I can see the domain, but not the rest of the workgroup and I get the same 'your account is not authorized to log in from this station' message if I try to see the workgroup members.




[This message has been edited by crcmapper (edited 07-15-2000).]
crcmapper is offline   Reply With Quote
Old 07-14-2000, 07:45 PM   #11
Member (7 bit)
 
Join Date: Jun 2000
Posts: 83
Post

is ccrawford part of administrators group in the NT Domain?
vitalstatistix is offline   Reply With Quote
Old 07-14-2000, 07:55 PM   #12
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Post

once again, at the risk of sounding ignorant:
Do you mean ccrawford the PC or ccrawford the user? (my laptop is named ccrawford, which is also my user name)

as the user, I'm a member of the administrators group as well as the domain administrators group.

I didn't think you could assign a PC to a certain group (but hey, if I knew it all I wouldn't be asking for help )
crcmapper is offline   Reply With Quote
Old 07-15-2000, 04:16 AM   #13
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Unhappy

bob - no luck, there is no file at all in \winnt\system32\repl\imports\scripts

vitalstatistix - my laptop is the only Win2k machine for now, the machines I'm trying to access range from Win95, 98, NT, and even our Solaris server. I have full access to any of these systems if I'm sitting at them, the problem comes when working through the network.
At the risk of sounding ignorant, does PDC = primary domain controller and BDC = backup domain controller?

The NT server in my office is the backup to our primary domain controller (which of course is in another state). I'm also told by the sysadmin at the other office that we seem to have some problems with trusted domains and workgroups, but he's not too sure how to fix it (or maybe just hasn't had the time to dig into it, I'm not too sure).
But he seems to think that this is un-related to the problems I'm having.

An interesting side note, this network is set up to use tcp/ip on all the PC's, but if I add netbeui to one or two of the PC's in a workgroup I can't access, all of a sudden I can see them (and only them) in the workgroup. hmmmm. But of course I don't really want to add netbeui to all the PC's when that's not the real problem.
crcmapper is offline   Reply With Quote
Old 07-15-2000, 04:47 AM   #14
Member (7 bit)
 
Join Date: Jun 2000
Posts: 83
Post

Crcmapper

you are correct as regards PDC & BDC.

You mention, accessing Solaris? Are u running Samba on Solaris to access it as a M$ Network node or u mean to access it with Telnet or Ftp or Http etc!

Questions:
a) Are you using any WINS server?
b) Whats the network structure, TCP/IP, and Bindings for WINS/M$ Network (is it TCP/IP or ??)

Try this
1) try pinging the desktops in the workgroup (that u cannot access) from your win2k, if u can ping them (using the hostname not the IP address) try doing a traceroute to the (tracert remote-hostname), please post how many hops does tracert takes (ideally 1)

2) if you cannot ping using the hostname, on ur winnt(i am not sure of location for win2k, but try still) machine in ur 'hosts' (c:\winnt\system32\drivers\etc\hosts) make entries for each of the workstation that is not in your workgroup
format
>>>
a.b.c.d remote1
>>>

a.b.c.d is the ip address for the remote desktop 'remote1'

try repeating 1) above now, and see if pinging works, if it does, try accessing the desktops in the workgroup now and post!

3) try nbtstat -A a.b.c.d where a.b.c.d is the remote desktop ip address and check if u can see the netbios parameters of ur remote desktop

hopefully answers to above will help framing a solution!

regards


gtfx
vitalstatistix is offline   Reply With Quote
Old 07-15-2000, 06:19 AM   #15
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Post

Vitalstatistix - Thanks for all the info, I truly appreciate it

Yes, we use Samba to allow our Windows machines to see the Solaris. Our main network is Windows based with a workgroup of Solaris machines for production.

a) yes, our BDC in my office appears to be set up as a WINS server.
b) our entire network appears to be set up using tcp/ip

1) Yes, I can ping them. A tracert shows 1 hop (tried it on a few different machines).

2) didn't try this as the ping and traceRT seems to work just fine. (but I did look, the path is the same in Win2K FYI )

3) nbtstat gave the following result:
[code]
c:\>nbtstat -A a.b.c.d

Local Area Connection:
Node Ipaddress: [a.b.c.d] Scope Id: []

NetBios Remote Machine Name Table
Name               Type         Status
-----------------------------------------------
TMORET         <00>  UNIQUE      Registered
ADR-PITTSBURGH <00>  GROUP       Registered
TMORET         <03>  UNIQUE      Registered
TMORET         <20>  UNIQUE      Registered
ADR-PITTSBURGH <1E>  GROUP       Registered

MAC Address = x-x-x-x-x-
[/code]
So, does this info help any or just confuse things further?



[This message has been edited by crcmapper (edited 07-15-2000).]
crcmapper is offline   Reply With Quote
Old 07-15-2000, 06:33 AM   #16
Member (7 bit)
 
Join Date: Jun 2000
Posts: 83
Post

Crcmapper

Can you please edit the ip addresses in ur post and replace them with a.b.c.d, in case u r on internet live with that address, then u are at great risk!

thnx
vitalstatistix is offline   Reply With Quote
Old 07-15-2000, 06:34 AM   #17
Premium Member
 
 
Join Date: Jun 1999
Posts: 9,231
Exclamation

CRC:
Please edit out your IP addresses, its not needed and is an unnecessary risk!!
Statica is offline   Reply With Quote
Old 07-15-2000, 06:38 AM   #18
Member (7 bit)
 
Join Date: Jun 2000
Posts: 83
Post

a) can you print output of
nbtstat -A your-IP-Address

b) what os is the above machine TMORET(?) running?

c) ADR-Pittsburgh is it workgroup or NT Domain?

d) ur Win 2000, is it part of any Directory service (LDAP) or M$' Active Directory

rgds

gtfx

PS: mask ur IP in the post though

[This message has been edited by vitalstatistix (edited 07-15-2000).]
vitalstatistix is offline   Reply With Quote
Old 07-15-2000, 06:53 AM   #19
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Post

Vitalstatistix and ex-static-cling - oops!, so caught up in trying to fix this I didn't think about it (although we are heavily firewalled (3 layers of firewall to get to my PC)). My apologies

Vitalstatistix - here is my nbtstat :
[code]
c:\>nbtstat -A a.b.c.d

Local Area Connection:
Node IpAddress: [a.b.c.d] Scope Id: []

NetBios Remote Machine Name Table
Name               Type         Status
----------------------------------------------
CCRAWFORD      <00>  UNIQUE      Registered
ADR-PENNSAUKEN <00>  GROUP       Registered
CCRAWFORD      <03>  UNIQUE      Registered
ADR-PENNSAUKEN <1E>  GROUP       Registered

MAC Address = x-x-x-x-x-x
[/code]

Thanks

crcmapper is offline   Reply With Quote
Old 07-15-2000, 02:53 PM   #20
Member (7 bit)
 
Join Date: Jun 2000
Posts: 83
Post

i meant 'ccrawford' as the domain user not the desktop. few more

a) try making the win98 (tmoret) desktop domain member and see if u can access it from ur desktop
b) did u turn on security audit for login and access failure in ur win2k/nt/pdc machines, if not then turn them on and try connecting and please post any errors recorded on the event viewer
c) though you mentioned no profiles exist on your domain controller, can you also check the profile settings for user 'ccrawford' on user-manager-for-domains, user properties, "profile" if there is a profile against your user Name.

gtfx

[This message has been edited by vitalstatistix (edited 07-15-2000).]
vitalstatistix is offline   Reply With Quote
Old 07-16-2000, 06:12 AM   #21
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Cool

Thanks vital - just got back to the office after yesterday, so I'm going to give this a try now. I would've responded last night but my DSL is (still) down.. grumble..grumble..
I'll let you know.
crcmapper is offline   Reply With Quote
Old 07-17-2000, 08:47 AM   #22
bob
Member (12 bit)
Premium Member
 
 
Join Date: Mar 1999
Location: LA, CA
Posts: 2,227
Post

quote:
Originally posted by crcmapper:
once again, at the risk of sounding ignorant:
Do you mean ccrawford the PC or ccrawford the user? (my laptop is named ccrawford, which is also my user name)

Username and PC name should NOT be the same.

Are there any servers setup to only login to a workgroup? If so you have a lot of work to do.

bob is offline   Reply With Quote
Old 07-17-2000, 09:52 AM   #23
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Post

Yeah Bob, I thought that was a bit screwy as well (the previous admin's policy at work). Most of the PC's here share a name with the primary user.
Our NT servers log on to the Domain, but we do have one Solaris server which logs onto a workgroup (hmmmmmm.. the plot thickens).
Also, the NTserver here is set up as a backup to our main in another state, so I don't even have access to the main server. Even though my account has full admin permissions, I can't access the main NT server. I'm hoping to get out to the other office in the next few weeks to try and address this problem.

I haven't had a chance to mess with this domain/workgroup problem since this weekend as I had a W98 machine go south on me today (gotta love that W98). So I'll try and get back on it tomorrow. Wish me luck! I'll keep you all posted on the progress.

P.S. Thanks again to all who are trying to help me with this problem
crcmapper is offline   Reply With Quote
Old 07-27-2000, 03:27 AM   #24
Member (9 bit)
 
Join Date: Jul 1999
Posts: 302
Cool

Just a quick update...
I seem to have found the problem (I hope, time will tell). If I'm right, it was a combination of needing to do a reg-edit on my W2k machine to send passwords in plain text (so samba could read them properly). And configuring the SAMBA service on my Solaris server. The Solaris server is controlling the workgroup, and when I added my PC's profile to SAMBA, I was granted access to the workgroup.

Thanks again to all who tried to help me with this problem, you helped me narrow it down. I really appreciate it
crcmapper is offline   Reply With Quote
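An added example, not part of crcmapper's post or any poster's code: a small audit for the plaintext-password setup the post describes, checking both the Samba side (`encrypt passwords` in `[global]` of smb.conf) and the Windows 2000 side (a .reg export of the client). It assumes the registry edit was the `EnablePlainTextPassword` value (the thread does not name it) and that the installed Samba release treats a missing `encrypt passwords` as off; the function names and both samples are constructed for illustration.

```python
import re

SAMBA_TRUE = {"yes", "true", "on", "1"}

def samba_globals(conf_text):
    """Return the [global] parameters of an smb.conf as {normalised name: value}."""
    params, section = {}, None
    # A line ending in a backslash continues on the next line.
    for raw in re.sub(r"\\\r?\n", "", conf_text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names ignore case and embedded whitespace.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def samba_accepts_plaintext(conf_text, default_encrypt=False):
    """True when [global] leaves 'encrypt passwords' off.
    default_encrypt is an assumption about the installed release's default."""
    value = samba_globals(conf_text).get("encryptpasswords")
    if value is None:
        return not default_encrypt
    return value.lower() not in SAMBA_TRUE

def client_sends_plaintext(reg_export):
    """True when a .reg export sets EnablePlainTextPassword to a non-zero DWORD."""
    m = re.search(r'"EnablePlainTextPassword"\s*=\s*dword:([0-9a-f]{8})',
                  reg_export, re.IGNORECASE)
    return bool(m) and int(m.group(1), 16) != 0

def findings(conf_text, reg_export, default_encrypt=False):
    out = []
    if samba_accepts_plaintext(conf_text, default_encrypt):
        out.append("server: set 'encrypt passwords = yes' and add users with smbpasswd -a")
    if client_sends_plaintext(reg_export):
        out.append("client: passwords cross the network in clear; reset the value to 0")
    return out

# Constructed samples, not taken from the thread.
SAMPLE_SMB_CONF = """# constructed sample
[global]
   workgroup = ADR-PITTSBURGH
   Encrypt Passwords = No
[homes]
   encrypt passwords = yes
"""
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnablePlainTextPassword"=dword:00000001
"""

if __name__ == "__main__":
    for finding in findings(SAMPLE_SMB_CONF, SAMPLE_REG):
        print(finding)
```

The client finding should be cleared only after the server side accepts encrypted passwords, otherwise the workstation loses access to the Samba shares again.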
Old 07-27-2000, 06:23 PM   #25
Member (7 bit)
 
Join Date: Jun 2000
Posts: 83
Post

good to hear that ur problem is finally all solved, and realise the age old problem with NTLM Challenge/Response authentication still lives high!

cheers


gtfx
vitalstatistix is offline   Reply With Quote