No Admin Access To c$??

[Ben Blackmore]

Hi,

I have a strange problem, I need to copy a file of one of our users hard
disks, as I'm building a new PC for them, so want to just copy it across.
Yesterday I managed to do this fine, I got access to \\userpc\c$ however
today I try to connect to that UNC path, and it pops up and asks me for a
username & password. I enter our administrator name & password, but it
rejects it. I know the username and password work fine, as I have gone
around to the PC, logged the user off, and logged on as administrator, with
the same password.
I have just tried logging off my machine then logging on again as
administrator, but only locally, not to the domain, then tried to connect to
the UNC path, and it works fine. So it only seems to be if I logon as
administrator to the domain, what could be causing this? No security
policies have been set, to my knowledge, no changes to AD, it just seems to
have gone screwy over night!
Any help would be greatly appreciated.

Cheers

Ben

 

[Jimmy Andersson [MVP]]

Is it just on one machine or do this happen on all the clients?

Regards,
/Jimmy

 

[Herb Martin]

Try an explicit authentication:

net use * \\serverName\c$ * /useromain\UserName

It will ask for the password...and if you have an account and
password with access it will authenticate and map the share.

IF it works, the chances you are you machine has lost it's
own authentication in the domain -- you may also have a
DNS (name resolution) problem.

 

[Ben Blackmore]

Seems to be all machines at the moment, no one has changed any group
policies or anything! All clients are running Windows 2000, SP4, with all of
the windows update patches. Domain is a windows 2000 server machine with
SP4.

Ben

 

[Jimmy Andersson [MVP]]

Check that the domain admin group is a member of the local admins.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

 

[Ben Blackmore]

Herb,

I tried that net use command, and it worked, said "The command completed
successfully." and then allowed me to browse the drive via unc in windows.
However, if I try to browse to the drive first, and then do that net use I
get the following:

C:\>net use \\userpc\c$ /user:domain\administrator
The password is invalid for \\userpc\c$.

Type the password for \\userpc\c$:
System error 5 has occurred.

Access is denied.

I have tried it both ways around on 5 PCs, if I do net use first I can
browse the PC. If I do it the other way around, it errors.

Ben

 

[Ben Blackmore]

How do I do that? It's already a member of 'Administrators - Domain/Builtin'

I've selected "Domain Admins, Properties > Member Of > Add"

But there is no Local Admins group to add it to. I can only select Entire
Directory, or Our domain from the drop down look in box at the top!

Ben

 

[Ulf B. Simon-Weidner [MVP]]

Ben Blackmore says in microsoft.public.windows.server.active_directory
...

Herb,

I tried that net use command, and it worked, said "The command
completed successfully." and then allowed me to browse the drive
via unc in windows. However, if I try to browse to the drive
first, and then do that net use I get the following:

C:\>net use \\userpc\c$ /user:domain\administrator
The password is invalid for \\userpc\c$.

Type the password for \\userpc\c$:
System error 5 has occurred.

Access is denied.

I have tried it both ways around on 5 PCs, if I do net use first I
can browse the PC. If I do it the other way around, it errors.

Ben

Hi Ben,

just a guess: you are not allowed to connect to a computer from another
computer with two different credentials. Are you browsing with a
different user you are using in the net use command? Then it might be
possible that you authenticate yourself when going with the explorer to
the other computers C- Drive, Share Permissions allow you to
authenticate but NTFS-Permissions won't allow you to read anything. But
you stay on this folder, and then try the net use command with
different credentials, which is not allowed.

Right? Sorry - I can't test it right now, so the behavior I just
described is totally out of my imagination. If I'm right you should be
able to connect when closing the explorer window and then try the net
use command again.

 

[Herb Martin]

Yes, he isn't logging onto the (local) machine with
network or the correct credentials.

He is using a local account, or a different account in the domain.

Once he authenticates (and fails access) he cannot do so
explicitly unless he uses "net use /d" carefully to discount from
the other server first.

 

[Ben Blackmore]

Hi Ben,

just a guess: you are not allowed to connect to a computer from another
computer with two different credentials. Are you browsing with a
different user you are using in the net use command? Then it might be
possible that you authenticate yourself when going with the explorer to
the other computers C- Drive, Share Permissions allow you to
authenticate but NTFS-Permissions won't allow you to read anything. But
you stay on this folder, and then try the net use command with
different credentials, which is not allowed.

Right? Sorry - I can't test it right now, so the behavior I just
described is totally out of my imagination. If I'm right you should be
able to connect when closing the explorer window and then try the net
use command again.

Hi,

No I'm using the same user to browse as I am the net command. logged on to
our domain as administrator, and I logon with net use as administrator. This
is what is weird, if it were a normal user I could understand it rejecting
the connection, but administrator should be able to browse no problem!

Ben

 

[Herb Martin]

I don't think you are getting authenticated at
MACHINE logon.

My guess is you are getting on with cached
credentials (somehow).

Most likely reason is DNS problems.

Run DCDiag on all DCs.

Make sure DNS is dynamic for the AD zone, and
that ALL clients (which includes DCs) use ONLY the
INTERNAL DNS server (set) for their client NIC
properties.

 

[Bjarne Duelund]

Seems to be all machines at the moment, no one has changed any group
policies or anything! All clients are running Windows 2000, SP4, with all of
the windows update patches. Domain is a windows 2000 server machine with
SP4.

Single-label domain name ?