JSI Tip 3132. Very few of your management tools work, and you receive various error messages?

When you try to use Active Directory Users and Computers or Active Directory Sites and Services, you receive:

Naming information can not be located because:
Logon attempt failed.
Contact your system administrator to verify that your domain is properly configured and is currently online.

Active Directory Domains and Trusts yields:

The configuration information describing this enterprise is not available. The logon attempt failed.

When you add the Group Policy Object snap-in and select another computer:

Cannot display objects from this location because of the following error:
Logon failure: unknown user name or bad password.

DNS Manager causes:

Cannot contact the DNS Server.

License Manager issues:

To open Licensing, you must be an administrator of the domain on which license information is stored for your network. If you are the server's administrator, use the Licensing option in Control Panel to manage Licensing on this server.

When you run Dcdiag:

Error: The machine could not attach to the DC because the credentials were incorrect. Check your credentials or specify credentials with /u:domain\user and /p:password.

Running Netdiag causes:

DNS Test: Failed DC list test: Failed.

Replmon doesn't display the domain controllers. When you Synchronize Each Directory Partition With All Servers you receive:

The synchronization of the directory partition (CN=Schema,CN=Configuration,DC=domain,DC=com) failed. This may be because you have insufficient credentials.

The Ldp tool won't bind, and issues:

Failed to bind: Invalid credentials.

Repadmin generates:

LDAP error 49 (Invalid Credentials).

Dsacls reports:

The command failed to complete successfully.

All these tools use network functions to operate. Even if you log on locally, the tools require network access.

It is likely that you removed the Access This Computer from the Network User Right from the Everyone group and did NOT replace it with the appropriate user or group accounts.

Since the appropriate tools don't work, use the following procedure to fix the problem:

01. Use Explorer to navigate to:

    %SystemRoot%\Sysvol\Sysvol\<Domainname>\Policies\.

02. Use Search to find Gpttmpl.inf: type Gpttmpl.inf in Search for files or folders named: and set Containing text: to SELOGONINTERACTIVELOGONRIGHT=. Gpttmpl.inf will probably be found below Policies at \{GUID}\<Object>\Microsoft\Windows NT\Secedit. The Gpttmpl.inf file we are looking for is the one that implemented the problematic User Right removal.

03. Edit the Gpttmpl.inf file and locate the SELOGONINTERACTIVELOGONRIGHT= string. Copy everything after the equal sign to the clipboard.

04. Paste the text after SENETWORKLOGONRIGHT=.

05. Save the changes and close the Gpttmpl.inf file.

06. Locate the Gpt.inf file at %SystemRoot%\Sysvol\Sysvol\<Domainname>\Policies\{GUID}.

07. Open the file and increase the version number.

08. Save and close the Gpt.inf file.

09. Force the group policy to be applied by using Secedit.exe, as described at the bottom of tip 2184.

10. After the Group Policy has been applied, use the Group Policy Editor to set appropriate user rights. The default groups for the Access This Computer from the Network User Right are:

Administrators
Enterprise Domain Controllers
Everyone
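
A read-only check for the condition this tip repairs, added here as an example (it is not part of the original tip): it parses the text of a Gpttmpl.inf file and reports which of the default holders listed above are absent from SeNetworkLogonRight. It assumes PowerShell 3.0 or later; the function name Test-NetworkLogonRight is hypothetical, the sample file content is constructed, and account names are matched in their English form only.

```powershell
# Default holders listed in step 10, with their well-known SIDs.
$DefaultHolders = [ordered]@{
    'Administrators'                = 'S-1-5-32-544'
    'Enterprise Domain Controllers' = 'S-1-5-9'
    'Everyone'                      = 'S-1-1-0'
}

function Test-NetworkLogonRight {   # hypothetical name, not a built-in cmdlet
    param([string[]]$InfLines, [string]$Source = '(inline sample)')
    # Find the assignment line; -match is case-insensitive, so SENETWORKLOGONRIGHT also matches.
    $line = $InfLines | Where-Object { $_ -match '^\s*SeNetworkLogonRight\s*=' } | Select-Object -First 1
    if (-not $line) {
        # This GPO does not define the right at all, so it cannot have removed anyone.
        return [pscustomobject]@{ Source = $Source; Defined = $false; Entries = @(); Missing = @() }
    }
    # The value is a comma-separated list of *SID or account-name entries; it may be empty.
    $entries = @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    # A default holder counts as present if either its SID or its name is listed.
    $missing = @($DefaultHolders.GetEnumerator() | Where-Object {
        ($entries -notcontains $_.Value) -and ($entries -notcontains $_.Key)
    } | ForEach-Object { $_.Key })
    [pscustomobject]@{ Source = $Source; Defined = $true; Entries = $entries; Missing = $missing }
}

# Constructed sample: the right is granted to a single domain account (made-up SID) only.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"
Test-NetworkLogonRight -InfLines $sample   # Missing lists all three default holders

# On a domain controller, scan the real files (substitute your own domain folder name):
# Get-ChildItem "$env:SystemRoot\Sysvol\Sysvol\<Domainname>\Policies" -Recurse -Filter GptTmpl.inf |
#   ForEach-Object { Test-NetworkLogonRight -InfLines (Get-Content $_.FullName) -Source $_.FullName }
```

A file that reports Defined = True with a non-empty Missing list is a candidate for the edit in steps 03 through 08.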

See tip 3133.

