Active directory reporting users with only guest privileges

Ann

Seems to be a problem with my Active Directory. All users except
Administrators are reporting logging on to my domain controllers with
guest privileges; this is causing problems with an application. We are
in a mixed W2K, NT, Novell environment. PDC is W2K. Any help will be
appreciated. The application will not run on BDC because of these
privileges. How can I change this? I have tried the DSACLS restore
with no success.
 
Herb Martin

Ann said:
Seems to be a problem with my Active Directory. All users except
Administrators are reporting logging on to my domain controllers with
guest privileges; this is causing problems with an application. We are
in a mixed W2K, NT, Novell environment. PDC is W2K. Any help will be
appreciated. The application will not run on BDC because of these
privileges. How can I change this? I have tried the DSACLS restore
with no success.

You might wish to clarify your problem; the report above is very unclear.

"report logging in with guest credentials" So what's the problem?
Tell them not to do that. Tell them to use their OWN credentials.
Disable guest account. (Should be disabled anyway.)

What does this have to do with "application will not run on a BDC" --
are they using terminal services? Have them run the app on their own
box or on the correct server.

Why are you using DSAcls? This is about securing Active Directory
objects not about granting privileges to use (ordinary) resources. It
won't affect BDCs much since they don't see the actual AD, just the
SAM reflection of it.

Tell us precisely what you want to have work and what problems you
experience or what steps you took to accomplish this.
 
Ann

Ok, so to clarify the problem. I upgraded to version 5.12 of
ScriptLogic. When I upgraded ScriptLogic would not work. It works when
users authenticate to the PDC, but not the PDC. When you do a
registry hack on Win98 it tells you what privileges are being set and
they are set as guest privileges. The guys at ScriptLogic seem to
think I have some sort of Active Directory problem. So that is why I
am posting here. The Guest account is disabled.
How do I tell them to use their own credentials? I do believe that
this is the problem. Could it be a Group Policy thing?

Thanks,
 
Richard McCall [MSFT]

Check the Guests and Domain Guests group in AD Users and Computers to make
sure that a group that the users belong to has not been looped in.
 
Ace Fekay [MVP]

Ann said:
Ok, so to clarify the problem. I upgraded to version 5.12 of
ScriptLogic. When I upgraded ScriptLogic would not work.

Hmm, and it was working before?

Ann said:
It works when
users authenticate to the PDC, but not the PDC.

This statement above is very confusing for a couple reasons:

1. You have "PDC" stated twice.
2. There is no such thing as a "PDC" or "BDC" in AD. All domain controllers
(DCs) are replicas in an AD environment. There are specific Roles that each
DC holds, and one of them is a PDC Emulator Role, but it's not called a PDC
anymore, just a DC.

Ann said:
When you do a
registry hack on Win98 it tells you what privileges are being set and
they are set as guest privileges. The guys at ScriptLogic seem to
think I have some sort of Active Directory problem. So that is why I
am posting here.

See if Richard's suggestions help out.
Also, is there any way to tell ScriptLogic what credentials or alternate
credentials to use?

Ann said:
The Guest account is disabled.
How do I tell them to use their own credentials? I do believe that
this is the problem. Could it be a Group Policy thing?

Not sure how a GP could affect this unless something is mis-set in
Restricted Groups setting.

Are you receiving any Event ID errors in your Event viewer on your DC(s)?




--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

Ann said:
Ok, so to clarify the problem. I upgraded to version 5.12 of
ScriptLogic. When I upgraded ScriptLogic would not work. It works when
users authenticate to the PDC, but not the PDC.

The above sentence makes no sense.

Ann said:
When you do a
registry hack on Win98 it tells you what privileges are being set and
they are set as guest privileges.

What "registry hack"? Win98 really doesn't have privileges; the major
difference between Win98 and the NT class machines is that Win98 doesn't
have the security features.

Ann said:
The guys at ScriptLogic seem to
think I have some sort of Active Directory problem.

Either you aren't explaining it clearly enough or he is full of hooey.

Ann said:
So that is why I
am posting here. The Guest account is disabled.

Then they aren't authenticating against this -- which you initially stated.

Ann said:
How do I tell them to use their own credentials? I do believe that
this is the problem. Could it be a Group Policy thing?

When they log on they should use their DomainName\Username and
password. The Guest account is never used for a properly authenticated
user EVEN IF it is enabled.

The main thing is for you to clearly state EXACTLY what your problem
is and what you are doing. We're not helping much because we don't
understand your problem, and truthfully this might be the reason you aren't
solving it yourself or with the help of ScriptLogic.
 
Ann

Actually the problem was fixed by adding the Domain Users to the users group.

Thanks for all of your help.

Richard McCall said:
Check the Guests and Domain Guests group in AD Users and Computers to make
sure that a group that the users belong to has not been looped in.

--
Richard McCall [MSFT]

"This posting is provided "AS IS" with no warranties, and confers no
rights."
Ann said:
Seems to be a problem with my Active Directory. All users except
Administrators are reporting logging on to my domain controllers with
guest privileges; this is causing problems with an application. We are
in a mixed W2K, NT, Novell environment. PDC is W2K. Any help will be
appreciated. The application will not run on BDC because of these
privileges. How can I change this? I have tried the DSACLS restore
with no success.
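
The two group checks from this thread (Richard McCall's nesting check on Guests and Domain Guests, and the Domain Users membership in the Users group that Ann reports as the fix), as an added PowerShell example that is not part of the original posts. It assumes a current domain with the ActiveDirectory RSAT module, which the W2K-era environment in the thread would not have had; the helper name `Get-GroupNestedIn` is hypothetical.

```powershell
# Added example (not from the thread). Read-only; assumes the ActiveDirectory
# RSAT module and DCs that support LDAP_MATCHING_RULE_IN_CHAIN.
Import-Module ActiveDirectory

# Well-known SIDs/RIDs, so the checks do not depend on localized group names.
$domainSid    = (Get-ADDomain).DomainSID.Value
$guests       = Get-ADGroup -Identity 'S-1-5-32-546'                     # BUILTIN\Guests
$builtinUsers = Get-ADGroup -Identity 'S-1-5-32-545' -Properties member  # BUILTIN\Users
$domainGuests = Get-ADGroup -Identity "$domainSid-514"                   # Domain Guests
$domainUsers  = Get-ADGroup -Identity "$domainSid-513"                   # Domain Users

# Hypothetical helper: every group that is a member of $Group, directly or
# through any depth of nesting (OID 1.2.840.113556.1.4.1941 = in-chain match).
# Assumes the DN contains no characters that need LDAP filter escaping.
function Get-GroupNestedIn {
    param([Parameter(Mandatory)] $Group)
    $filter = '(memberOf:1.2.840.113556.1.4.1941:={0})' -f $Group.DistinguishedName
    Get-ADGroup -LDAPFilter $filter
}

# Check 1: has a group that ordinary users belong to been nested into
# Guests or Domain Guests? By default only Domain Guests sits inside Guests.
foreach ($target in @($guests, $domainGuests)) {
    foreach ($g in @(Get-GroupNestedIn -Group $target)) {
        $isDefault = ($target.SID.Value -eq $guests.SID.Value) -and
                     ($g.SID.Value -eq $domainGuests.SID.Value)
        [pscustomobject]@{
            Check   = "Nested in $($target.Name)"
            Group   = $g.Name
            Finding = if ($isDefault) { 'default nesting' }
                      else { 'REVIEW: members pick up guest membership' }
        }
    }
}

# Check 2: is Domain Users still a member of BUILTIN\Users? This is the
# membership Ann restored to fix the problem.
$present = $builtinUsers.member -contains $domainUsers.DistinguishedName
[pscustomobject]@{
    Check   = "Member of $($builtinUsers.Name)"
    Group   = $domainUsers.Name
    Finding = if ($present) { 'present (default)' }
              else { 'MISSING: users lose the rights granted to Users' }
}
```

Users whose primary group is Domain Guests do not appear in `memberOf`, so this covers group nesting only, not each account's primary group.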
 
