RAS and mapped drives - no access

Archived from groups: microsoft.public.win2000.active_directory (More info?)

After switching from an NT4 domain to Win2K active directory, my RAS users
(home PCs, not domain members) have a terrible time connecting to various
network resources. I'm the domain admin and my home access hasn't been a
problem so I suspect that it's a permissions thing.
Anyway, their Outlook2K says that they don't have permission to open their
folders and some "net use" scripts that mapped some network drives give
various permission errors.

Where can I look for help on dealing with this?

Many thanks,
Mark
5 answers Last reply
More about mapped drives access
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Mark" <mark@ihatespam.com> wrote in message
    news:OgdHQ1uCFHA.628@TK2MSFTNGP15.phx.gbl...
    > After switching from an NT4 domain to Win2K active directory, my RAS users
    > (home PCs, not domain members) have a terrible time connecting to various
    > network resources. I'm the domain admin and my home access hasn't been a
    > problem so I suspect that it's a permissions thing.
    > Anyway, their Outlook2K says that they don't have permission to open their
    > folders and some "net use" scripts that mapped some network drives give
    > various permission errors.

    Most authentication problems (this appears to be) are
    really name resolution problems.

    Most NT4/9x and many non-Domain machine name
    resolution problems are NetBIOS related.

    (Yes, you NEED NetBIOS with even Win2003 domains
    in almost all real world cases.)

    > Where can I look for help on dealing with this?

    Can we assume you can Ping, tracert, NSlookup, etc,
    from all machines?

    Do you (did you) have WINS server(s)?

    Did you turn off NetBIOS on the NICs of any servers
    especially, or other machines?

    If so, are all machines, including ALL "servers", themselves
    WINS clients.

    Did you make sure the RRAS server is giving out the correct
    WINS server address (not it will generally give it's OWN
    and not one provided by DHCP.)
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    > Most authentication problems (this appears to be) are
    > really name resolution problems.
    >
    > Most NT4/9x and many non-Domain machine name
    > resolution problems are NetBIOS related.
    >
    > (Yes, you NEED NetBIOS with even Win2003 domains
    > in almost all real world cases.)
    >
    >> Where can I look for help on dealing with this?
    >
    > Can we assume you can Ping, tracert, NSlookup, etc,
    > from all machines?
    >
    > Do you (did you) have WINS server(s)?
    >
    > Did you turn off NetBIOS on the NICs of any servers
    > especially, or other machines?
    >
    > If so, are all machines, including ALL "servers", themselves
    > WINS clients.
    >
    > Did you make sure the RRAS server is giving out the correct
    > WINS server address (not it will generally give it's OWN
    > and not one provided by DHCP.)


    Hi,
    Yes, I can ping okay and WINS is running in my domain. RAS is giving out
    the correct info too. A strange thing however are these two items:

    1) On a Win2K Pro machine, I can dial in as myself and map a network drive,
    but nobody else can - Account restriction errors.

    2) On a WinXP Pro machine, the same users who have restrictions on the
    Win2K Pro machines can map drives without any trouble.

    I took one user as a test subject and made him part of the domain admins
    group and that didn't change anything. This is VERY weird. I can't go out
    and upgrade everybody's home PCs to XP Pro, but that seems to be what works
    without a hitch in this situation.

    Does that help at all? I'm stumped...

    Mark
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    > Hi,
    > Yes, I can ping okay and WINS is running in my domain.
    > the correct info too. A strange thing however are these two items:

    Running is the first step but it has to be setup correctly.

    > Does that help at all? I'm stumped...

    Then you should likely verify EACH of the
    items I suggested in the last post:

    > > Did you turn off NetBIOS on the NICs of any servers
    > > especially, or other machines?

    ???

    > > If so, are all machines, including ALL "servers", themselves
    > > WINS clients.

    ???

    > > Did you make sure the RRAS server is giving out the correct
    > > WINS server address (not it will generally give it's OWN
    > > and not one provided by DHCP.)

    ??? On the client do IPConfig /all when the client is connected.
    It must show the WINS server.

    You can also do this ON the RRAS server to see the value
    the RAS Server uses for the WINS server.

    > 1) On a Win2K Pro machine, I can dial in as myself and map a network
    drive,
    > but nobody else can - Account restriction errors.

    Is there only one domain involved and you aren't switching
    to "computer account authentication", right?

    Are you doing this explicitly from the command line?
    (You should.)
    This way you can try all of the following...

    net use * \\ServerName\ShareName
    net use * \\Ip.Address.Of.Server\ShareName
    net use * \\ServerName\ShareName * /user:Domainname\Username
    net use * \\Ip.Address.Of.Server\ShareName /user:Domainname\Username

    Whenever "mapping a drive" fails and you don't know the
    cause you should explicitly try each of these and record
    the EXACT error (it's in text on the screen and you can
    just copy and paste it to a notepad or message.)

    You can also use "NBTStat -n" to see resolved names
    and if your NetBIOS resolution works the ServerName
    will appear in there -- if it doesn't after trying to map
    then perhaps it is never being resolved.


    > 2) On a WinXP Pro machine, the same users who have restrictions on the
    > Win2K Pro machines can map drives without any trouble.

    Likely the Pro machines are never authenticating the
    user.

    > I took one user as a test subject and made him part of the domain admins
    > group and that didn't change anything. This is VERY weird. I can't go
    out
    > and upgrade everybody's home PCs to XP Pro, but that seems to be what
    works
    > without a hitch in this situation.

    You need to figure out the REASON for the failure and
    not just say "cannot map".

    Chances are you don't need to upgrade but have a very
    simple yet common configuration error on the Pro
    machines.

    > Does that help at all? I'm stumped...

    If you run through the above you will learn more.

    --
    Herb Martin


    "Mark" <mark@ihatespam.com> wrote in message
    news:O2zK35eDFHA.2600@TK2MSFTNGP09.phx.gbl...
    > > Most authentication problems (this appears to be) are
    > > really name resolution problems.
    > >
    > > Most NT4/9x and many non-Domain machine name
    > > resolution problems are NetBIOS related.
    > >
    > > (Yes, you NEED NetBIOS with even Win2003 domains
    > > in almost all real world cases.)
    > >
    > >> Where can I look for help on dealing with this?
    > >
    > > Can we assume you can Ping, tracert, NSlookup, etc,
    > > from all machines?
    > >
    > > Do you (did you) have WINS server(s)?
    > >
    > > Did you turn off NetBIOS on the NICs of any servers
    > > especially, or other machines?
    > >
    > > If so, are all machines, including ALL "servers", themselves
    > > WINS clients.
    > >
    > > Did you make sure the RRAS server is giving out the correct
    > > WINS server address (not it will generally give it's OWN
    > > and not one provided by DHCP.)
    >
    >
    > Hi,
    > Yes, I can ping okay and WINS is running in my domain. RAS is giving out
    > the correct info too. A strange thing however are these two items:
    >
    > 1) On a Win2K Pro machine, I can dial in as myself and map a network
    drive,
    > but nobody else can - Account restriction errors.
    >
    > 2) On a WinXP Pro machine, the same users who have restrictions on the
    > Win2K Pro machines can map drives without any trouble.
    >
    > I took one user as a test subject and made him part of the domain admins
    > group and that didn't change anything. This is VERY weird. I can't go
    out
    > and upgrade everybody's home PCs to XP Pro, but that seems to be what
    works
    > without a hitch in this situation.
    >
    > Does that help at all? I'm stumped...
    >
    > Mark
    >
    >
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    > Then you should likely verify EACH of the
    > items I suggested in the last post:

    Sorry - I didn't address each, but assumed that you knew that I was doing
    this before replying.


    >> > Did you turn off NetBIOS on the NICs of any servers
    >> > especially, or other machines?
    >
    > ???

    No. That's on by default and I've left it alone.


    >> > If so, are all machines, including ALL "servers", themselves
    >> > WINS clients.
    >
    > ???

    Yes, I have static IP configurations on my servers and include the primary
    and secondary WINS server for all.


    >> > Did you make sure the RRAS server is giving out the correct
    >> > WINS server address (not it will generally give it's OWN
    >> > and not one provided by DHCP.)
    >
    > ???

    Yes. I'm getting both primary and secondary as viewed via ipconfig /all.


    > On the client do IPConfig /all when the client is connected.
    > It must show the WINS server.

    I did this - it does show both WINS servers.


    > You can also do this ON the RRAS server to see the value
    > the RAS Server uses for the WINS server.
    >
    >> 1) On a Win2K Pro machine, I can dial in as myself and map a network
    > drive,
    >> but nobody else can - Account restriction errors.
    >
    > Is there only one domain involved and you aren't switching
    > to "computer account authentication", right?


    Just the child domain and a root/parent, but we log into the child domain
    and the parent is just a placekeeper for future upgrades. I don't know
    about "computer account authentication."


    > Are you doing this explicitly from the command line?
    > (You should.)
    > This way you can try all of the following...
    >
    > net use * \\ServerName\ShareName
    > net use * \\Ip.Address.Of.Server\ShareName
    > net use * \\ServerName\ShareName * /user:Domainname\Username
    > net use * \\Ip.Address.Of.Server\ShareName /user:Domainname\Username

    Actually, this is the key for the 2000 Pro machines - the second-to-last
    entry is what finally worked... Thanks...


    Mark
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    > > net use * \\ServerName\ShareName
    > > net use * \\Ip.Address.Of.Server\ShareName
    > > net use * \\ServerName\ShareName * /user:Domainname\Username
    > > net use * \\Ip.Address.Of.Server\ShareName /user:Domainname\Username
    >
    > Actually, this is the key for the 2000 Pro machines - the second-to-last
    > entry is what finally worked... Thanks...
    >

    Then you have virtually proven a NAME RESOLUTION
    problem on those machines.

    Something is screwy in the name resolution.

    Check the DNS and WINS resolution caches:

    nbtstat -c

    ipconfig /displayDNS

    (after trying each of the relevent commands above)

    You can also clear those caches before showing them
    so that after the command only the differences will
    appear and be easier to spot.


    --
    Herb Martin


    "Mark" <mark@ihatespam.com> wrote in message
    news:OqvuVKtDFHA.1524@TK2MSFTNGP09.phx.gbl...
    > > Then you should likely verify EACH of the
    > > items I suggested in the last post:
    >
    > Sorry - I didn't address each, but assumed that you knew that I was doing
    > this before replying.
    >
    >
    >
    > >> > Did you turn off NetBIOS on the NICs of any servers
    > >> > especially, or other machines?
    > >
    > > ???
    >
    > No. That's on by default and I've left it alone.
    >
    >
    >
    > >> > If so, are all machines, including ALL "servers", themselves
    > >> > WINS clients.
    > >
    > > ???
    >
    > Yes, I have static IP configurations on my servers and include the primary
    > and secondary WINS server for all.
    >
    >
    >
    > >> > Did you make sure the RRAS server is giving out the correct
    > >> > WINS server address (not it will generally give it's OWN
    > >> > and not one provided by DHCP.)
    > >
    > > ???
    >
    > Yes. I'm getting both primary and secondary as viewed via ipconfig /all.
    >
    >
    > > On the client do IPConfig /all when the client is connected.
    > > It must show the WINS server.
    >
    > I did this - it does show both WINS servers.
    >
    >
    >
    > > You can also do this ON the RRAS server to see the value
    > > the RAS Server uses for the WINS server.
    > >
    > >> 1) On a Win2K Pro machine, I can dial in as myself and map a network
    > > drive,
    > >> but nobody else can - Account restriction errors.
    > >
    > > Is there only one domain involved and you aren't switching
    > > to "computer account authentication", right?
    >
    >
    > Just the child domain and a root/parent, but we log into the child domain
    > and the parent is just a placekeeper for future upgrades. I don't know
    > about "computer account authentication."
    >
    >
    >
    > > Are you doing this explicitly from the command line?
    > > (You should.)
    > > This way you can try all of the following...
    > >
    > > net use * \\ServerName\ShareName
    > > net use * \\Ip.Address.Of.Server\ShareName
    > > net use * \\ServerName\ShareName * /user:Domainname\Username
    > > net use * \\Ip.Address.Of.Server\ShareName /user:Domainname\Username
    >
    > Actually, this is the key for the 2000 Pro machines - the second-to-last
    > entry is what finally worked... Thanks...
    >
    >
    > Mark
    >
    >
Ask a new question

Read More

Domain Active Directory Windows