Rights - 2003 Server in Windows NT4 Domain

[fubarsnafu2004]

I have a Windows NT 4 domain with one PDC - I just installed a Windows
2003 Server into the domain. The Domain name is called CARTOONS,
before the domain came their was a workgroup called CARTOONS and the
workgroup is still here. All most all computers are members of the
workgroup CARTOONS, which I think is my problem. This server will be
running an accounting applciations where user attach with a drive
mapping, the server and all w/s run a Pervasive.SQL 2000i SP4
database.

I login to the 2003 server and gave my self admin rights as a local
user, I am also a member of the domain administrator group as well.
But when I login on a W/S and attach a drive to the 2003 server from
this W/S that is a member of the Workgroup I don't have any rights. I
attach fine, can attach to a shared folder but can't create any new
folders. I have gave myself full rights to the root of the drive on
2003 server, both as my user name on 2003 server and through the
domain admin group. But still can't create folders.I also gave all
rights but full control to domain\users and authenticated\users at
same location.

I have had this problem on another Network where I had a 2000 server
in a windows NT4 domain, I ended up have to create each user on the
2000 server and give them rights their instead of a the domain level,
for a sql database applciations to work correctly. In this network all
computers where members of the domain.

I think my choices are
1) Make the 2003 server a member of workgroup and add all users as
local users, create a group and give rights to the group.

2) Make all computers that need access to the Windows 2003 server
members of the domain and manage rights for their, which may require
me to create all users lcoal and give them rights local through a
group anyway.

Seting up Active Directory is not an option at this time.

 

[Johan Arwidmark]

You should check the share permissions (the permissions button on the
share tab). Windows Server 2003 (and Windows XP SP1) defaults to
Everyone = Read for the share permissions. This means that be default,
even if you have NTFS permissions, you cant still write to that share
over the network.

regards
Johan Arwidmark

Windows User Group - Nordic
http://www.wug-nordic.net

 

[Herb Martin]

I have a Windows NT 4 domain with one PDC - I just installed a Windows
2003 Server into the domain. The Domain name is called CARTOONS,
before the domain came their was a workgroup called CARTOONS and the
workgroup is still here. All most all computers are members of the
workgroup CARTOONS, which I think is my problem.

NT-class machines should prefer being Domain machines but none
of that should interfere with the 2003 Server as a domain member.

If you logon to a workgroup machine that is NT-based you are NOT
going to be logging on to your DOMAIN account however so you will
need to authenticate separately to access "domain resources" (e.g., the
2003 server.)

I login to the 2003 server and gave my self admin rights as a local
user, I am also a member of the domain administrator group as well.

You can't be a Local user and a Domain user (for logon) at the same
time -- even if the account names look the same.

You might have given your domain account local privileges though.

But when I login on a W/S and attach a drive to the 2003 server from
this W/S that is a member of the Workgroup I don't have any rights.

How do you "attach the drive"? Do you authenticate explicitly?
If not, you may be getting authenticated not be the "user" you think you
are -- perhaps even "guest."

Remember, an NT-class machine that is not a DOMAIN member does
not allow you to logon to a domain account -- you will be using a
machine account that is irrelevant to the domain and to that member
2003 server.

I
attach fine, can attach to a shared folder but can't create any new
folders. I have gave myself full rights to the root of the drive on
2003 server, both as my user name on 2003 server and through the
domain admin group. But still can't create folders.I also gave all
rights but full control to domain\users and authenticated\users at
same location.

Try an explicitly logon -- the GUI allows this but it is easier to test
and troubleshoot from the command line:

net use * \\ServerName\ShareName * /useromainName\Username

(If it is a "server" machine account you use ServerName in place of
DomainName)
net use * \\ServerName\ShareName * /user:ServerName\Username

I have had this problem on another Network where I had a 2000 server
in a windows NT4 domain, I ended up have to create each user on the
2000 server and give them rights their instead of a the domain level,
for a sql database applciations to work correctly. In this network all
computers where members of the domain.

I think my choices are
1) Make the 2003 server a member of workgroup and add all users as
local users, create a group and give rights to the group.

Terrible idea. It CAN work for only a few users, but since you already
have a DOMAIN, there is zero advantage to this method and several
disadvantages.

2) Make all computers that need access to the Windows 2003 server
members of the domain and manage rights for their, which may require
me to create all users lcoal and give them rights local through a
group anyway.

Do it this way -- it's the right thing to do.

Seting up Active Directory is not an option at this time.

Not really an issue, since your problem is that ever user is logging on to
MACHINE specific account which does not allow transparent access
to the DOMAIN resources. Even putting the "server" out of the domain
would still not make the access to "server" resources transparent without
extra work.

 

[fubarsnafu2004]

Herb

I tried the 2 different net use commands from a w/s that is not a
member of the domain, I authenticated to the server but still could
not create folders on the share APPS. But I can add/remove/modify the
secuirty of different groups/user to this share.
Weird

 

[Herb Martin]

I tried the 2 different net use commands from a w/s that is not a

member of the domain, I authenticated to the server but still could
not create folders on the share APPS. But I can add/remove/modify the
secuirty of different groups/user to this share.
Weird

Well that would suggest that you had FC of the share, and only READ
(or similar) on the directories on the share.

You do realize that you must have at least CHANGE on both (share and
NTFS) to add files etc., right?

You obviously have FC of the share itself, because changing security items
(permission, auditing, ownership) requires that and you succeeded in
changing the share permissions.