XP Security Question

Mike

Situation: I updated my win2k pro machine to XP pro,
tested all of my apps and network...all was well. Then I
authorized 4 other machines to be upgraded from win2k pro
to XP pro, all of the machines work without problems;
EXCEPT that I can no longer do any kind of remote
management of them from my machine. (For example
using "Manage" in my computer and selecting another
machine) I get "Access Denied". I can still manage win2k
machines from my XP machine, and another user on a win2k
pro machine can manage the XP machines. I also notice
some things in local security policy that appear grayed
out when I'm logged on locally, even though I'm an
administrator. Netdiag says DNS is fine, RSoP shows no
Group Policies that could cause the problem; all machines
are in the same win2k Active Directory Domain. I get
grayed out options even when I log on as the local
administrator on the machines. Have looked all over, and
tried tricks suggested for problems that seem remotely
similar with no change.

Thanks for any help you can provide!
 
Steven L Umbach

Double check that you are indeed logged on as an administrator - can you view the
members of the local administrators group? Maybe you are logging on as a domain
administrator and the domain admins group has been removed. Can the user who is able
to remotely manage them from his W2K box do the same from your XP box? That would
help narrow problem down to user or machine. -- Steve
 
Roger Abell

When logged in with a domain account that is an
administrator on both/all of the XPs, and you try
the remote management, does anything show in the
security log of the remote machine (assuming that
you have security logging for login attempts success
and failure enabled)?
 
Mike

-----Original Message-----
Double check that you are indeed logged on as an
administrator - can you view the
members of the local administrators group? Maybe you are logging on as a domain
administrator and the domain admins group has been
removed. Can the user who is able
to remotely manage them from his W2K box do the same from your XP box. That would
help narrow problem down to user or machine. -- Steve




When logged in as either the local admin account, or a
domain account that is a member of the local admins
group, I can see all users and can add users, add users
to groups (including the local admin group). The other
user can't access the XP machines from an XP machine and
the same local security policy objects that are grayed
out for me are grayed out for her.

Thanks!
 
Mike

The security log shows a successful logon by my account,
but still get access denied when trying to access the
machine remotely.
 
Mike

Newest wrinkle on this is that I just got in a new PC,
brought it up, applied some critical patches, connected
it to my network, downloaded all remaining critical
updates. This machine I can manage remotely and no
options are grayed out in local security policy. I hate
to have to completely re-install to move from win2k to XP
Pro and other offices in my organization have not
reported problems.

 
Roger Abell [MVP]

Compare what OU this new machine object is in compared
to the OU of your (non-functioning) XP workstation.
You could use GPMC to get a better view of what policies
are being enforced on your workstation, and compare these
to what is in effect on the new machine.
 
Steven L Umbach

I agree with Roger's assessment. It would seem that the XP machines you have trouble
accessing are in a different container/OU than the machine you just installed since
it does not show any grayed out settings that indicate inherited policy. I would
first move one of the trouble machines to that same container as the newly installed
machine. Run secedit /refreshpolicy machine_policy on the domain controller and then
reboot the newly moved machine. After that it should not show the grayed out items it
did before. Now try to access it remotely. If you can then there is a setting in the
GPO security policy at the container/OU level that is causing the problem. If moving
did not help, then someone manually configured the Local Security Policy of that
machine and probably the others, possibly importing a template. You may need to use
the Security Configuration and Analysis tool to compare security settings in the two
machines doing the analysis against the setup security.inf template to determine
which security settings are different and troubleshoot from there by changing
security settings to match the new machine. My guess is that it is either the access
this computer from the network user right or a security option. --- Steve

http://www.lokbox.net/SecureXP/secAnalysis.asp
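
One way to script the comparison described in the reply above, as an added example that is not part of the original thread: export each machine's security settings with `secedit /export /cfg <file>` and diff the sections that hold user rights and security options. The two sample exports and all values in them are constructed for illustration; the function names are hypothetical.

```python
# Added example: diff two templates produced by `secedit /export /cfg <file>`.
SECTIONS = ("System Access", "Privilege Rights", "Registry Values")

# Constructed sample exports (not taken from the thread).
NEW_PC = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
"""
UPGRADED_PC = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-545,*S-1-5-32-547
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
"""

def load_export(path):
    """Read an export from disk; secedit writes these files as UTF-16."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()

def parse_template(text):
    """Return {(section, setting): value} for the sections worth comparing."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section in SECTIONS:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "Privilege Rights":
                # Member order is irrelevant for a user right: compare as a set.
                value = frozenset(v.strip() for v in value.split(",") if v.strip())
            settings[(section, key)] = value
    return settings

def _show(value):
    if value is None:
        return "<not defined>"
    return ",".join(sorted(value)) if isinstance(value, frozenset) else value

def diff_templates(working, failing):
    """List (section, setting, working_value, failing_value) for every difference."""
    a, b = parse_template(working), parse_template(failing)
    return [(k[0], k[1], _show(a.get(k)), _show(b.get(k)))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]
```

For real exports, pass `load_export(path)` for each machine to `diff_templates`; settings that differ only in member order (like `SeBackupPrivilege` in the sample) are not reported.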
 
