WinXP computer not authenticating properly on Win2k Domain Controller

plunck

Hi everybody. OK, this may be a dumb question, but I am baffled. I
have a windows xp client computer that has been upgraded from win2k.
It used to log in to a WinNT4 domain. Recently I moved it to my win2k
active directory domain. Now when I log on to that computer, my
permissions are all messed up. Meaning, I have created a new user on
the win2k domain controller, and added that user to the Administrators
group. When I log on to that computer as that user, and log on to my
new win2k domain, I am not granted Administrator-level rights. I can't
browse to certain system folders, I can't change IP settings, etc. I
have even tried adding that user to Domain and Enterprise Admins
groups to no avail. Further, when I apply a group policy to the OU
that user is in, that policy is not applied to the user. It's almost
as if that user is being authenticated and granted permissions locally
on that machine instead of from the domain controller, even though
the machine is supposedly logging on to the domain. Has anybody seen
this or have any ideas? Thanks, Ken
 
Mark [MSFT]

Just to make sure I understand this right:

Win2K Domain (AD)
- Has a domain user account in the Domain\Admin group
WinXP Client:
- Is joined to the domain

The question being: has the above mentioned domain user been added to the
localmachine\Administrators group? (or the Domain\Admin group added to the
localmachine\Admin group)
 
Doug Sherman [MVP]

After joining a new domain, the default logon option is to log onto the
local machine.
At the logon screen, click Options and make sure you are logging onto the
domain.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
 
Steven L Umbach

Make sure that the XP Pro computer is pointing ONLY to the W2K domain controller for
its preferred dns server. I would also run netdiag on it looking for any failed
tests, errors, warnings particularly for dns, dclist, and domain membership/secure
channel. Such errors would indicate there is a problem locating the domain controller
or with the computer account. Keep in mind that with XP and W2K it is possible to
log on via cached credentials [and you may not get a warning] when a domain controller
cannot be found, which will lead to access problems for domain resources. --- Steve
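
The checks suggested in the replies above (Mark's question about the local Administrators group and Steven's DNS, netdiag and secure-channel checks), collected into one batch file as an added example that was not posted by anyone in the thread. It assumes it is run on the XP client while logged on as the affected user, and that nltest and netdiag from the Windows Support Tools are on the PATH; the report file name is a placeholder.

```batch
@echo off
rem Added example: collects the checks discussed in this thread.
rem Assumes nltest.exe and netdiag.exe (Windows Support Tools) are installed.
setlocal
set REPORT=%TEMP%\netdiag-report.txt

echo === 1. Where did this logon session come from? ===
echo Logon server: %LOGONSERVER%    User domain: %USERDOMAIN%
rem A logon to the local machine reports the workstation itself here.
if /i "%LOGONSERVER%"=="\\%COMPUTERNAME%" echo WARNING: logon server is this computer.
if /i "%USERDOMAIN%"=="%COMPUTERNAME%" echo WARNING: this is a local account, not a domain account.

echo === 2. DNS servers configured on the client ===
rem Every server listed should be a DNS server that hosts the AD zone.
netsh interface ip show dns

echo === 3. Can the client find domain controllers through DNS? ===
rem Domain controllers are located through SRV records in the AD zone.
rem USERDNSDOMAIN is only defined for a domain logon.
if defined USERDNSDOMAIN (
    nslookup -type=SRV _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
) else (
    echo USERDNSDOMAIN is not set, so this is not a domain logon session.
)

echo === 4. Secure channel of the computer account ===
nltest /sc_query:%USERDOMAIN%

echo === 5. netdiag: dns, dclist, domain membership, trust ===
netdiag /test:dns /test:dclist /test:member /test:trust > "%REPORT%"
rem Show only the lines that need attention; the full report stays in REPORT.
findstr /i "failed error warning" "%REPORT%"
echo Full netdiag output: %REPORT%

echo === 6. Who is in the local Administrators group? ===
rem Domain accounts get local admin rights only if they, or a domain
rem group they belong to, are listed here.
net localgroup Administrators

endlocal
```

Environment variables such as LOGONSERVER are set at logon, so log off and back on after changing DNS settings before reading sections 1 and 3 again.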
 
plunck

Hey everybody, thanks for the ideas. The DNS was indeed part of the
problem, and I have switched that to just point to my DNS server. And
the computer is logging on to the domain. I added the user to those
other groups (temporarily) just to grant them all kinds of access to
test what they could actually see and do. The GPOs are now applying
fine, but the user still can't access other folders, such as the
administrator folder or other people's profile folders, on the
computer's own hard drive. It's saying that the user doesn't have the
right security settings. Is there a way to dump the cached credentials
now that the user is logging on properly?
 
Marina Roos [SBS-MVP]

A user should not have the right to access the administrators folder or
other users' profile folders.
 
