unable to access non-trusted resource by default - why?

Guest

Hi there,
The way I enable a Windows XP Professional user to access a network application
from a non-trusted Windows 2000 domain controller is bad, so I need to fix it
ASAP. The XP user (on VLAN 1) is a member of an NT4 domain (on VLAN 2). To make it
work today, I first added the W2K application server name (on VLAN 3) to the hosts
and lmhosts.sam files. Then I map a network drive to the Windows 2000 domain
controller's C:\ root drive using the server IP address and the domain
administrator password. Network access between VLAN 1 & VLAN 3 is fully
open; VLAN 1 & VLAN 2 are fully open; there is no access between VLAN 2 & VLAN 3. Is
there a seamless solution without exposing the root administrator password?
 
Steven L Umbach

Sharing the C or any drive of a domain controller is a very bad idea,
particularly when giving a user domain administrator access. It is best if a
domain controller does not do any function other than being a domain controller.
If that is not possible for some reason, then share only the folder that the
user needs access to, and give the user the needed access to the shared
folder as a regular domain user and not a domain administrator. If the user
is trying to access from a non-trusted domain, the user possibly still can
access it if the user uses the credentials [user account/password] of a user
account in the domain that access is needed in, though the user may need to
specify the user name as domain\user.

Steve
 
Guest

Steve,
Thanks for your good feedback. The environment is small, so the current DC
is also the application server. I mapped to \\domain\app as \\domain\user,
logged on successfully, but got this error when clicking the application: "vision
startup wrapper - V utilities Build 7 - could not create registry tree:
computer :192.x.x.x \software\varian\os\systems\varis\71". But this error
goes away once I map to \\192.x.x.x\c$. I checked that the share permission is
"Everyone full control" & the NTFS permission is "user with read, write & delete
permission". Hope you know why. Thanks.

 
Steven L Umbach

You can only use C$ as an administrator. If the user is trying to access
the other path as a regular user, he probably does not have enough rights for
the application, which is bad news if it is on a domain controller. I suggest
you try Regmon from Microsoft to see if you can determine what registry keys
the user is being denied access to, and then tweak registry permissions to
give that user or users the needed access. Log on as a regular user and then
start Regmon using runas with admin credentials; the log should show what
registry key is causing the problem when you look for deny or failed entries
in the log. You might also try contacting the publisher of the application
about the error you are getting to see if they can advise you OTHER than
making the user an administrator.

Steve

http://www.microsoft.com/technet/sysinternals/utilities/Regmon.mspx ---
Regmon's filter option can help you track pertinent events

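The least-privilege fix Steve describes (grant the user rights on the specific key Regmon shows as denied, rather than making the user an administrator), written out as an added PowerShell example that is not from the thread or its participants. The account name is a placeholder, and the key path is taken from the error text in the thread; the script starts at the nearest existing parent key because "could not create registry tree" means the application needs to create subkeys there.

```powershell
# Added example (not the thread's own code). Grants one domain user the rights
# needed to create and write the application's registry subtree, without
# FullControl or ChangePermissions, so the user cannot widen the ACL later.
param(
    # Placeholder account: replace with the real domain\user that runs the app.
    [string]$Account = 'EXAMPLEDOMAIN\appuser',
    # Key path from the error text in the thread ("\software\varian\os\systems\varis\71").
    [string]$KeyPath = 'HKLM:\SOFTWARE\varian\os\systems\varis\71'
)

# Walk up until an existing key is found: the error says the app cannot
# *create* the tree, so the rights must be granted on an existing parent.
$target = $KeyPath
while (-not (Test-Path -Path $target)) {
    $target = Split-Path -Path $target -Parent
    if (-not $target) { throw "No existing key found above $KeyPath" }
}
Write-Host "Granting rights on existing parent key: $target"

# Only what creating subkeys and writing values requires; no FullControl.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # apply to subkeys created later
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $target
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl

# Print the resulting entries for that account so the change can be reviewed
# before the user retries the application.
(Get-Acl -Path $target).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType -AutoSize
```

Run it elevated on the server; if Regmon later shows a different key being denied, rerun with that path instead of broadening the rights.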
 
