\[Editor's Note: Do you have a security-related question about Windows NT 4.0? Send it to [email protected], and you might see the answer in this column!\]
I'm encountering a problem with a Windows NT 4.0 domain controller (DC). All but one of my administrators can log on to the DC and access and administer its resources. For that one administrator, the mouse pointer is visible, and pressing Ctrl+Alt+Del brings up the logon dialog box. However, after logging on to the DC's domain, that administrator gets nothing but an empty blue desktop. What's causing this problem?
Access-control changes on some NT system files on that particular DC might well be causing your administrator's problems. After a successful logon, NT usually launches the user shell. To launch the user shell, NT must access a set of system files in the \%systemroot%\system32 directory. If NT can't access the files, it behaves as you describe.
I recommend that you check the access-control settings on the \system32 directory and make sure all users have Read and Execute access permissions to it. If users lack those permissions, add the appropriate access-control settings. Also, make sure all files and folders beneath the \system32 directory inherit these permissions. To ensure inheritance, select the Replace Permissions on Subdirectories and Replace Permissions on Existing Files check boxes in the \system32 directory's ACL editor.