Accessing Windows 2000 Server Remote Registry

Archived from groups: microsoft.public.win2000.security (More info?)

Not sure if this is related to GPO but I am unable to access the registry,
browse via network neighborhood, etc. to a Windows 2000 member server from
another Windows NT 4 member server. I cannot do this from any of my NT 4
member servers. Both are logged in as the domain admin. Any thoughts are
appreciated.

--
netwerktek
13 answers Last reply
More about accessing windows 2000 server remote registry
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    It might be a name resolution problem. Try connecting via the computers IP
    address instead of name to see if that helps and verify that you can ping
    the computer from the source computer. Since you are still using wins, make
    sure that W2K server is also a wins client. Do you get any error messages
    when you try to connect?? The link below explains problems that can arise
    from incompatible security settings [security options in security policy
    such as Local Security Policy] on a W2K computer. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look at
    Examples of Compatibility Problems particularly for anonymous access and
    digitally sign communications.

    "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    > Not sure if this is related to GPO but I am unable to access the registry,
    > browse via network neighborhood, etc. to a Windows 2000 member server from
    > another Windows NT 4 member server. I cannot do this from any of my NT 4
    > member servers. Both are logged in as the domain admin. Any thoughts are
    > appreciated.
    >
    > --
    > netwerktek
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    I can resolve the name fine. It is accessing it when I run into issues.
    Access Denied is the message I get. I have looked at the article you
    suggested but so far none of the settings are relevant or have made a
    differnce if I changed them. I can get to the same NT server from the W2K
    server but not the other way around. Strange and frustrating.

    "Steven L Umbach" wrote:

    > It might be a name resolution problem. Try connecting via the computers IP
    > address instead of name to see if that helps and verify that you can ping
    > the computer from the source computer. Since you are still using wins, make
    > sure that W2K server is also a wins client. Do you get any error messages
    > when you try to connect?? The link below explains problems that can arise
    > from incompatible security settings [security options in security policy
    > such as Local Security Policy] on a W2K computer. --- Steve
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look at
    > Examples of Compatibility Problems particularly for anonymous access and
    > digitally sign communications.
    >
    > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    > > Not sure if this is related to GPO but I am unable to access the registry,
    > > browse via network neighborhood, etc. to a Windows 2000 member server from
    > > another Windows NT 4 member server. I cannot do this from any of my NT 4
    > > member servers. Both are logged in as the domain admin. Any thoughts are
    > > appreciated.
    > >
    > > --
    > > netwerktek
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Hmm. Can you access the W2K servers in question from another W2K computer??
    Do you have at least service pack 4 installed on the NT and W2K servers? Try
    enabling audting of logon events in the local security policy of one of the
    W2K servers you are trying to access to see if any logon failures are
    recorded in the security log that may be helpful. --- Steve


    "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    > I can resolve the name fine. It is accessing it when I run into issues.
    > Access Denied is the message I get. I have looked at the article you
    > suggested but so far none of the settings are relevant or have made a
    > differnce if I changed them. I can get to the same NT server from the W2K
    > server but not the other way around. Strange and frustrating.
    >
    > "Steven L Umbach" wrote:
    >
    > > It might be a name resolution problem. Try connecting via the computers
    IP
    > > address instead of name to see if that helps and verify that you can
    ping
    > > the computer from the source computer. Since you are still using wins,
    make
    > > sure that W2K server is also a wins client. Do you get any error
    messages
    > > when you try to connect?? The link below explains problems that can
    arise
    > > from incompatible security settings [security options in security policy
    > > such as Local Security Policy] on a W2K computer. --- Steve
    > >
    > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
    at
    > > Examples of Compatibility Problems particularly for anonymous access and
    > > digitally sign communications.
    > >
    > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    > > > Not sure if this is related to GPO but I am unable to access the
    registry,
    > > > browse via network neighborhood, etc. to a Windows 2000 member server
    from
    > > > another Windows NT 4 member server. I cannot do this from any of my NT
    4
    > > > member servers. Both are logged in as the domain admin. Any thoughts
    are
    > > > appreciated.
    > > >
    > > > --
    > > > netwerktek
    > >
    > >
    > >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Yes from W2K to W2K no problem. All W2K have SP4 and all NT4 have SP6a. Will
    take a look at auditing and let you know.

    "Steven L Umbach" wrote:

    > Hmm. Can you access the W2K servers in question from another W2K computer??
    > Do you have at least service pack 4 installed on the NT and W2K servers? Try
    > enabling audting of logon events in the local security policy of one of the
    > W2K servers you are trying to access to see if any logon failures are
    > recorded in the security log that may be helpful. --- Steve
    >
    >
    > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    > > I can resolve the name fine. It is accessing it when I run into issues.
    > > Access Denied is the message I get. I have looked at the article you
    > > suggested but so far none of the settings are relevant or have made a
    > > differnce if I changed them. I can get to the same NT server from the W2K
    > > server but not the other way around. Strange and frustrating.
    > >
    > > "Steven L Umbach" wrote:
    > >
    > > > It might be a name resolution problem. Try connecting via the computers
    > IP
    > > > address instead of name to see if that helps and verify that you can
    > ping
    > > > the computer from the source computer. Since you are still using wins,
    > make
    > > > sure that W2K server is also a wins client. Do you get any error
    > messages
    > > > when you try to connect?? The link below explains problems that can
    > arise
    > > > from incompatible security settings [security options in security policy
    > > > such as Local Security Policy] on a W2K computer. --- Steve
    > > >
    > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
    > at
    > > > Examples of Compatibility Problems particularly for anonymous access and
    > > > digitally sign communications.
    > > >
    > > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    > > > > Not sure if this is related to GPO but I am unable to access the
    > registry,
    > > > > browse via network neighborhood, etc. to a Windows 2000 member server
    > from
    > > > > another Windows NT 4 member server. I cannot do this from any of my NT
    > 4
    > > > > member servers. Both are logged in as the domain admin. Any thoughts
    > are
    > > > > appreciated.
    > > > >
    > > > > --
    > > > > netwerktek
    > > >
    > > >
    > > >
    >
    >
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    No events in the security log. Arrgh!

    "Steven L Umbach" wrote:

    > Hmm. Can you access the W2K servers in question from another W2K computer??
    > Do you have at least service pack 4 installed on the NT and W2K servers? Try
    > enabling audting of logon events in the local security policy of one of the
    > W2K servers you are trying to access to see if any logon failures are
    > recorded in the security log that may be helpful. --- Steve
    >
    >
    > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    > > I can resolve the name fine. It is accessing it when I run into issues.
    > > Access Denied is the message I get. I have looked at the article you
    > > suggested but so far none of the settings are relevant or have made a
    > > differnce if I changed them. I can get to the same NT server from the W2K
    > > server but not the other way around. Strange and frustrating.
    > >
    > > "Steven L Umbach" wrote:
    > >
    > > > It might be a name resolution problem. Try connecting via the computers
    > IP
    > > > address instead of name to see if that helps and verify that you can
    > ping
    > > > the computer from the source computer. Since you are still using wins,
    > make
    > > > sure that W2K server is also a wins client. Do you get any error
    > messages
    > > > when you try to connect?? The link below explains problems that can
    > arise
    > > > from incompatible security settings [security options in security policy
    > > > such as Local Security Policy] on a W2K computer. --- Steve
    > > >
    > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
    > at
    > > > Examples of Compatibility Problems particularly for anonymous access and
    > > > digitally sign communications.
    > > >
    > > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    > > > > Not sure if this is related to GPO but I am unable to access the
    > registry,
    > > > > browse via network neighborhood, etc. to a Windows 2000 member server
    > from
    > > > > another Windows NT 4 member server. I cannot do this from any of my NT
    > 4
    > > > > member servers. Both are logged in as the domain admin. Any thoughts
    > are
    > > > > appreciated.
    > > > >
    > > > > --
    > > > > netwerktek
    > > >
    > > >
    > > >
    >
    >
    >
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    This sounds like it could be a failure in negotiating the security
    protocol to use, in the signing requirements for schannel, or such.
    Is this a problem access all uplevel machines from NT4 or only
    accessing some of them? I am guessing only some of them,
    and this is a setting in the local security policy of the member,
    rather than some setting(s) being applied domain-wide from GPO.
    Take a look at a couple settings first on the inaccessible W2k:
    do not have set: require strong Windows 2000 session key
    change to when possible if set to always: the digitally sign and
    the digitally encrypt communications settings (2 sets of policies)
    for the W2k's server behaviors

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA, MCSE W2k3+W2k+Nt4
    "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    >I can resolve the name fine. It is accessing it when I run into issues.
    > Access Denied is the message I get. I have looked at the article you
    > suggested but so far none of the settings are relevant or have made a
    > differnce if I changed them. I can get to the same NT server from the W2K
    > server but not the other way around. Strange and frustrating.
    >
    > "Steven L Umbach" wrote:
    >
    >> It might be a name resolution problem. Try connecting via the computers
    >> IP
    >> address instead of name to see if that helps and verify that you can ping
    >> the computer from the source computer. Since you are still using wins,
    >> make
    >> sure that W2K server is also a wins client. Do you get any error messages
    >> when you try to connect?? The link below explains problems that can arise
    >> from incompatible security settings [security options in security policy
    >> such as Local Security Policy] on a W2K computer. --- Steve
    >>
    >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
    >> at
    >> Examples of Compatibility Problems particularly for anonymous access and
    >> digitally sign communications.
    >>
    >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    >> > Not sure if this is related to GPO but I am unable to access the
    >> > registry,
    >> > browse via network neighborhood, etc. to a Windows 2000 member server
    >> > from
    >> > another Windows NT 4 member server. I cannot do this from any of my NT
    >> > 4
    >> > member servers. Both are logged in as the domain admin. Any thoughts
    >> > are
    >> > appreciated.
    >> >
    >> > --
    >> > netwerktek
    >>
    >>
    >>
  7. Archived from groups: microsoft.public.win2000.security (More info?)

    On the inaccessible W2K Member Server, Locally all digitally signed policies
    are disabled with "Digitally sign server comm (when possible)" being enabled
    via GPO. Also all of the Secure Channel policies are disabled both locally
    and via GPO. Still no go.

    "Roger Abell [MVP]" wrote:

    > This sounds like it could be a failure in negotiating the security
    > protocol to use, in the signing requirements for schannel, or such.
    > Is this a problem access all uplevel machines from NT4 or only
    > accessing some of them? I am guessing only some of them,
    > and this is a setting in the local security policy of the member,
    > rather than some setting(s) being applied domain-wide from GPO.
    > Take a look at a couple settings first on the inaccessible W2k:
    > do not have set: require strong Windows 2000 session key
    > change to when possible if set to always: the digitally sign and
    > the digitally encrypt communications settings (2 sets of policies)
    > for the W2k's server behaviors
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Server System: Security)
    > MCDBA, MCSE W2k3+W2k+Nt4
    > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    > >I can resolve the name fine. It is accessing it when I run into issues.
    > > Access Denied is the message I get. I have looked at the article you
    > > suggested but so far none of the settings are relevant or have made a
    > > differnce if I changed them. I can get to the same NT server from the W2K
    > > server but not the other way around. Strange and frustrating.
    > >
    > > "Steven L Umbach" wrote:
    > >
    > >> It might be a name resolution problem. Try connecting via the computers
    > >> IP
    > >> address instead of name to see if that helps and verify that you can ping
    > >> the computer from the source computer. Since you are still using wins,
    > >> make
    > >> sure that W2K server is also a wins client. Do you get any error messages
    > >> when you try to connect?? The link below explains problems that can arise
    > >> from incompatible security settings [security options in security policy
    > >> such as Local Security Policy] on a W2K computer. --- Steve
    > >>
    > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
    > >> at
    > >> Examples of Compatibility Problems particularly for anonymous access and
    > >> digitally sign communications.
    > >>
    > >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    > >> > Not sure if this is related to GPO but I am unable to access the
    > >> > registry,
    > >> > browse via network neighborhood, etc. to a Windows 2000 member server
    > >> > from
    > >> > another Windows NT 4 member server. I cannot do this from any of my NT
    > >> > 4
    > >> > member servers. Both are logged in as the domain admin. Any thoughts
    > >> > are
    > >> > appreciated.
    > >> >
    > >> > --
    > >> > netwerktek
    > >>
    > >>
    > >>
    >
    >
    >
  8. Archived from groups: microsoft.public.win2000.security (More info?)

    Keep in mind that when you change Local Security Policy on a Windows 2000
    computer that you need to see the desired settings as the "effective"
    settings after a refresh via secedit /refreshpolicy machine_policy /enforce
    or a reboot. Unlike Windows 2003 it is not apparent that there is an
    overriding domain/OU policy when you change local policy.

    If you have name resolution and connectivity [ping, etc] to the server in
    question and domain controller most likely your problem is security policy
    security options or an ipsec policy [ such as require policy ] enabled on
    the W2K server that does not allow access from non ipsec aware computers
    such as NT4.0. If you run the support tool netdiag as in " netdiag
    /test:ipsec /debug " on the W2K server it will display any ipsec policy
    assigned and details of it.

    As far as security policy make sure that the effective setting for the
    security option on the W2K server in question for additional restrictions
    for anonymous access is NOT set to " no access without explicit anonymous
    permissions". I would also try setting the lan manager authentication level
    to "send ntlmv2 responses only" assuming it does not need to access shares
    on W9X computers. I believe you said you already disable the two "always"
    settings for digitally sign communications and have left the "when possible"
    settings enabled. Beyond that if you do not have luck I would monitor both
    sides of the packet exchange sequence with netmon, which is available to
    server operating systems via add and remove programs - Windows components,
    or use Ethereal to see what is going on at the packet level. --- Steve

    http://support.microsoft.com/?kbid=243270 -- netmon, how to install and
    link on how to use.

    "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    news:FAB3C5B8-D231-414C-A255-065459CF1467@microsoft.com...
    > No events in the security log. Arrgh!
    >
    > "Steven L Umbach" wrote:
    >
    >> Hmm. Can you access the W2K servers in question from another W2K
    >> computer??
    >> Do you have at least service pack 4 installed on the NT and W2K servers?
    >> Try
    >> enabling audting of logon events in the local security policy of one of
    >> the
    >> W2K servers you are trying to access to see if any logon failures are
    >> recorded in the security log that may be helpful. --- Steve
    >>
    >>
    >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    >> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    >> > I can resolve the name fine. It is accessing it when I run into issues.
    >> > Access Denied is the message I get. I have looked at the article you
    >> > suggested but so far none of the settings are relevant or have made a
    >> > differnce if I changed them. I can get to the same NT server from the
    >> > W2K
    >> > server but not the other way around. Strange and frustrating.
    >> >
    >> > "Steven L Umbach" wrote:
    >> >
    >> > > It might be a name resolution problem. Try connecting via the
    >> > > computers
    >> IP
    >> > > address instead of name to see if that helps and verify that you can
    >> ping
    >> > > the computer from the source computer. Since you are still using
    >> > > wins,
    >> make
    >> > > sure that W2K server is also a wins client. Do you get any error
    >> messages
    >> > > when you try to connect?? The link below explains problems that can
    >> arise
    >> > > from incompatible security settings [security options in security
    >> > > policy
    >> > > such as Local Security Policy] on a W2K computer. --- Steve
    >> > >
    >> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
    >> > > look
    >> at
    >> > > Examples of Compatibility Problems particularly for anonymous access
    >> > > and
    >> > > digitally sign communications.
    >> > >
    >> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    >> > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    >> > > > Not sure if this is related to GPO but I am unable to access the
    >> registry,
    >> > > > browse via network neighborhood, etc. to a Windows 2000 member
    >> > > > server
    >> from
    >> > > > another Windows NT 4 member server. I cannot do this from any of my
    >> > > > NT
    >> 4
    >> > > > member servers. Both are logged in as the domain admin. Any
    >> > > > thoughts
    >> are
    >> > > > appreciated.
    >> > > >
    >> > > > --
    >> > > > netwerktek
    >> > >
    >> > >
    >> > >
    >>
    >>
    >>
  9. Archived from groups: microsoft.public.win2000.security (More info?)

    I also want to add to run netstat -an on the Windows 2000 server to make
    sure that port 139 TCP is listening and use portqry from another Windows
    2000 box to verify that it is available to the remote computer. Portqry is a
    Windows command line port to process mapper and port scanner. You can use it
    to scan for a single port availability. --- Steve

    http://support.microsoft.com/kb/310099 -- portqry and how to use.

    portqry -n xxx.xxx.xxx.xxx -p tcp -e 139 --- use to resolve name of IP
    address xxx.xxx.xxx.xxx and check availability of port 139 TCP.

    "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    news:FAB3C5B8-D231-414C-A255-065459CF1467@microsoft.com...
    > No events in the security log. Arrgh!
    >
    > "Steven L Umbach" wrote:
    >
    >> Hmm. Can you access the W2K servers in question from another W2K
    >> computer??
    >> Do you have at least service pack 4 installed on the NT and W2K servers?
    >> Try
    >> enabling audting of logon events in the local security policy of one of
    >> the
    >> W2K servers you are trying to access to see if any logon failures are
    >> recorded in the security log that may be helpful. --- Steve
    >>
    >>
    >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    >> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    >> > I can resolve the name fine. It is accessing it when I run into issues.
    >> > Access Denied is the message I get. I have looked at the article you
    >> > suggested but so far none of the settings are relevant or have made a
    >> > differnce if I changed them. I can get to the same NT server from the
    >> > W2K
    >> > server but not the other way around. Strange and frustrating.
    >> >
    >> > "Steven L Umbach" wrote:
    >> >
    >> > > It might be a name resolution problem. Try connecting via the
    >> > > computers
    >> IP
    >> > > address instead of name to see if that helps and verify that you can
    >> ping
    >> > > the computer from the source computer. Since you are still using
    >> > > wins,
    >> make
    >> > > sure that W2K server is also a wins client. Do you get any error
    >> messages
    >> > > when you try to connect?? The link below explains problems that can
    >> arise
    >> > > from incompatible security settings [security options in security
    >> > > policy
    >> > > such as Local Security Policy] on a W2K computer. --- Steve
    >> > >
    >> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
    >> > > look
    >> at
    >> > > Examples of Compatibility Problems particularly for anonymous access
    >> > > and
    >> > > digitally sign communications.
    >> > >
    >> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    >> > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    >> > > > Not sure if this is related to GPO but I am unable to access the
    >> registry,
    >> > > > browse via network neighborhood, etc. to a Windows 2000 member
    >> > > > server
    >> from
    >> > > > another Windows NT 4 member server. I cannot do this from any of my
    >> > > > NT
    >> 4
    >> > > > member servers. Both are logged in as the domain admin. Any
    >> > > > thoughts
    >> are
    >> > > > appreciated.
    >> > > >
    >> > > > --
    >> > > > netwerktek
    >> > >
    >> > >
    >> > >
    >>
    >>
    >>
  10. Archived from groups: microsoft.public.win2000.security (More info?)

    I also want to add to run netstat -an on the Windows 2000 server to make
    sure that port 139 TCP is listening and use portqry from another Windows
    2000 box to verify that it is available to the remote computer. Portqry is a
    Windows command line port to process mapper and port scanner. You can use it
    to scan for a single port availability. --- Steve

    http://support.microsoft.com/kb/310099 -- portqry and how to use.

    portqry -n xxx.xxx.xxx.xxx -p tcp -e 139 --- use to resolve name of IP
    address xxx.xxx.xxx.xxx and check availability of port 139 TCP.

    "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    news:FAB3C5B8-D231-414C-A255-065459CF1467@microsoft.com...
    > No events in the security log. Arrgh!
    >
    > "Steven L Umbach" wrote:
    >
    >> Hmm. Can you access the W2K servers in question from another W2K
    >> computer??
    >> Do you have at least service pack 4 installed on the NT and W2K servers?
    >> Try
    >> enabling audting of logon events in the local security policy of one of
    >> the
    >> W2K servers you are trying to access to see if any logon failures are
    >> recorded in the security log that may be helpful. --- Steve
    >>
    >>
    >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    >> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    >> > I can resolve the name fine. It is accessing it when I run into issues.
    >> > Access Denied is the message I get. I have looked at the article you
    >> > suggested but so far none of the settings are relevant or have made a
    >> > differnce if I changed them. I can get to the same NT server from the
    >> > W2K
    >> > server but not the other way around. Strange and frustrating.
    >> >
    >> > "Steven L Umbach" wrote:
    >> >
    >> > > It might be a name resolution problem. Try connecting via the
    >> > > computers
    >> IP
    >> > > address instead of name to see if that helps and verify that you can
    >> ping
    >> > > the computer from the source computer. Since you are still using
    >> > > wins,
    >> make
    >> > > sure that W2K server is also a wins client. Do you get any error
    >> messages
    >> > > when you try to connect?? The link below explains problems that can
    >> arise
    >> > > from incompatible security settings [security options in security
    >> > > policy
    >> > > such as Local Security Policy] on a W2K computer. --- Steve
    >> > >
    >> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
    >> > > look
    >> at
    >> > > Examples of Compatibility Problems particularly for anonymous access
    >> > > and
    >> > > digitally sign communications.
    >> > >
    >> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    >> > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    >> > > > Not sure if this is related to GPO but I am unable to access the
    >> registry,
    >> > > > browse via network neighborhood, etc. to a Windows 2000 member
    >> > > > server
    >> from
    >> > > > another Windows NT 4 member server. I cannot do this from any of my
    >> > > > NT
    >> 4
    >> > > > member servers. Both are logged in as the domain admin. Any
    >> > > > thoughts
    >> are
    >> > > > appreciated.
    >> > > >
    >> > > > --
    >> > > > netwerktek
    >> > >
    >> > >
    >> > >
    >>
    >>
    >>
  11. Archived from groups: microsoft.public.win2000.security (More info?)

    Hmmm . . . I think we need more info.
    Anything of use in sec event logs of the W2k target or the NT4 ?
    When you said browsing does not work, I assumed you meant
    that you could navigate to the listing but not successfully access
    the share? In other words, direct mapping fails as well?
    Is there any category of access that does work to the W2k from NT4?

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    news:1E249DFB-851F-4D4C-8A47-2CC302CD88C2@microsoft.com...
    > On the inaccessible W2K Member Server, Locally all digitally signed
    policies
    > are disabled with "Digitally sign server comm (when possible)" being
    enabled
    > via GPO. Also all of the Secure Channel policies are disabled both locally
    > and via GPO. Still no go.
    >
    > "Roger Abell [MVP]" wrote:
    >
    > > This sounds like it could be a failure in negotiating the security
    > > protocol to use, in the signing requirements for schannel, or such.
    > > Is this a problem access all uplevel machines from NT4 or only
    > > accessing some of them? I am guessing only some of them,
    > > and this is a setting in the local security policy of the member,
    > > rather than some setting(s) being applied domain-wide from GPO.
    > > Take a look at a couple settings first on the inaccessible W2k:
    > > do not have set: require strong Windows 2000 session key
    > > change to when possible if set to always: the digitally sign and
    > > the digitally encrypt communications settings (2 sets of policies)
    > > for the W2k's server behaviors
    > >
    > > --
    > > Roger Abell
    > > Microsoft MVP (Windows Server System: Security)
    > > MCDBA, MCSE W2k3+W2k+Nt4
    > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    > > >I can resolve the name fine. It is accessing it when I run into issues.
    > > > Access Denied is the message I get. I have looked at the article you
    > > > suggested but so far none of the settings are relevant or have made a
    > > > differnce if I changed them. I can get to the same NT server from the
    W2K
    > > > server but not the other way around. Strange and frustrating.
    > > >
    > > > "Steven L Umbach" wrote:
    > > >
    > > >> It might be a name resolution problem. Try connecting via the
    computers
    > > >> IP
    > > >> address instead of name to see if that helps and verify that you can
    ping
    > > >> the computer from the source computer. Since you are still using
    wins,
    > > >> make
    > > >> sure that W2K server is also a wins client. Do you get any error
    messages
    > > >> when you try to connect?? The link below explains problems that can
    arise
    > > >> from incompatible security settings [security options in security
    policy
    > > >> such as Local Security Policy] on a W2K computer. --- Steve
    > > >>
    > > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
    look
    > > >> at
    > > >> Examples of Compatibility Problems particularly for anonymous access
    and
    > > >> digitally sign communications.
    > > >>
    > > >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > > >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    > > >> > Not sure if this is related to GPO but I am unable to access the
    > > >> > registry,
    > > >> > browse via network neighborhood, etc. to a Windows 2000 member
    server
    > > >> > from
    > > >> > another Windows NT 4 member server. I cannot do this from any of my
    NT
    > > >> > 4
    > > >> > member servers. Both are logged in as the domain admin. Any
    thoughts
    > > >> > are
    > > >> > appreciated.
    > > >> >
    > > >> > --
    > > >> > netwerktek
    > > >>
    > > >>
    > > >>
    > >
    > >
    > >
  12. Archived from groups: microsoft.public.win2000.security (More info?)

    Disabling the IPSEC Agent service on the W2K server fixed the issue!

    "Roger Abell" wrote:

    > Hmmm . . . I think we need more info.
    > Anything of use in sec event logs of the W2k target or the NT4 ?
    > When you said browsing does not work, I assumed you meant
    > that you could navigate to the listing but not successfully access
    > the share? In other words, direct mapping fails as well?
    > Is there any category of access that does work to the W2k from NT4?
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Server System: Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > news:1E249DFB-851F-4D4C-8A47-2CC302CD88C2@microsoft.com...
    > > On the inaccessible W2K Member Server, Locally all digitally signed
    > policies
    > > are disabled with "Digitally sign server comm (when possible)" being
    > enabled
    > > via GPO. Also all of the Secure Channel policies are disabled both locally
    > > and via GPO. Still no go.
    > >
    > > "Roger Abell [MVP]" wrote:
    > >
    > > > This sounds like it could be a failure in negotiating the security
    > > > protocol to use, in the signing requirements for schannel, or such.
    > > > Is this a problem access all uplevel machines from NT4 or only
    > > > accessing some of them? I am guessing only some of them,
    > > > and this is a setting in the local security policy of the member,
    > > > rather than some setting(s) being applied domain-wide from GPO.
    > > > Take a look at a couple settings first on the inaccessible W2k:
    > > > do not have set: require strong Windows 2000 session key
    > > > change to when possible if set to always: the digitally sign and
    > > > the digitally encrypt communications settings (2 sets of policies)
    > > > for the W2k's server behaviors
    > > >
    > > > --
    > > > Roger Abell
    > > > Microsoft MVP (Windows Server System: Security)
    > > > MCDBA, MCSE W2k3+W2k+Nt4
    > > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > > > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    > > > >I can resolve the name fine. It is accessing it when I run into issues.
    > > > > Access Denied is the message I get. I have looked at the article you
    > > > > suggested but so far none of the settings are relevant or have made a
    > > > > differnce if I changed them. I can get to the same NT server from the
    > W2K
    > > > > server but not the other way around. Strange and frustrating.
    > > > >
    > > > > "Steven L Umbach" wrote:
    > > > >
    > > > >> It might be a name resolution problem. Try connecting via the
    > computers
    > > > >> IP
    > > > >> address instead of name to see if that helps and verify that you can
    > ping
    > > > >> the computer from the source computer. Since you are still using
    > wins,
    > > > >> make
    > > > >> sure that W2K server is also a wins client. Do you get any error
    > messages
    > > > >> when you try to connect?? The link below explains problems that can
    > arise
    > > > >> from incompatible security settings [security options in security
    > policy
    > > > >> such as Local Security Policy] on a W2K computer. --- Steve
    > > > >>
    > > > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
    > look
    > > > >> at
    > > > >> Examples of Compatibility Problems particularly for anonymous access
    > and
    > > > >> digitally sign communications.
    > > > >>
    > > > >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    > > > >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    > > > >> > Not sure if this is related to GPO but I am unable to access the
    > > > >> > registry,
    > > > >> > browse via network neighborhood, etc. to a Windows 2000 member
    > server
    > > > >> > from
    > > > >> > another Windows NT 4 member server. I cannot do this from any of my
    > NT
    > > > >> > 4
    > > > >> > member servers. Both are logged in as the domain admin. Any
    > thoughts
    > > > >> > are
    > > > >> > appreciated.
    > > > >> >
    > > > >> > --
    > > > >> > netwerktek
    > > > >>
    > > > >>
    > > > >>
    > > >
    > > >
    > > >
    >
    >
    >
  13. Archived from groups: microsoft.public.win2000.security (More info?)

    You might want to look at unassigning the ipsec policy on that computer as a
    more permanent solution. Open Local Security Policy/security settings -
    ipsec policy and if any are assigned, change it to unassigned or assign the
    request policy. Ipsec policy could also be set at the domain/OU level.
    Running the command " netdiag/test:ipsec " will show what ipsec policy is
    assigned to a computer. You may first need to install the netdiag support
    tool. Thanks for reporting back also. --- Steve


    "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    news:C88BC04F-EC15-4C7A-9388-1BB7198AA56D@microsoft.com...
    > Disabling the IPSEC Agent service on the W2K server fixed the issue!
    >
    > "Roger Abell" wrote:
    >
    >> Hmmm . . . I think we need more info.
    >> Anything of use in sec event logs of the W2k target or the NT4 ?
    >> When you said browsing does not work, I assumed you meant
    >> that you could navigate to the listing but not successfully access
    >> the share? In other words, direct mapping fails as well?
    >> Is there any category of access that does work to the W2k from NT4?
    >>
    >> --
    >> Roger Abell
    >> Microsoft MVP (Windows Server System: Security)
    >> MCSE (W2k3,W2k,Nt4) MCDBA
    >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    >> news:1E249DFB-851F-4D4C-8A47-2CC302CD88C2@microsoft.com...
    >> > On the inaccessible W2K Member Server, Locally all digitally signed
    >> policies
    >> > are disabled with "Digitally sign server comm (when possible)" being
    >> enabled
    >> > via GPO. Also all of the Secure Channel policies are disabled both
    >> > locally
    >> > and via GPO. Still no go.
    >> >
    >> > "Roger Abell [MVP]" wrote:
    >> >
    >> > > This sounds like it could be a failure in negotiating the security
    >> > > protocol to use, in the signing requirements for schannel, or such.
    >> > > Is this a problem access all uplevel machines from NT4 or only
    >> > > accessing some of them? I am guessing only some of them,
    >> > > and this is a setting in the local security policy of the member,
    >> > > rather than some setting(s) being applied domain-wide from GPO.
    >> > > Take a look at a couple settings first on the inaccessible W2k:
    >> > > do not have set: require strong Windows 2000 session key
    >> > > change to when possible if set to always: the digitally sign and
    >> > > the digitally encrypt communications settings (2 sets of policies)
    >> > > for the W2k's server behaviors
    >> > >
    >> > > --
    >> > > Roger Abell
    >> > > Microsoft MVP (Windows Server System: Security)
    >> > > MCDBA, MCSE W2k3+W2k+Nt4
    >> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
    >> > > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
    >> > > >I can resolve the name fine. It is accessing it when I run into
    >> > > >issues.
    >> > > > Access Denied is the message I get. I have looked at the article
    >> > > > you
    >> > > > suggested but so far none of the settings are relevant or have made
    >> > > > a
    >> > > > differnce if I changed them. I can get to the same NT server from
    >> > > > the
    >> W2K
    >> > > > server but not the other way around. Strange and frustrating.
    >> > > >
    >> > > > "Steven L Umbach" wrote:
    >> > > >
    >> > > >> It might be a name resolution problem. Try connecting via the
    >> computers
    >> > > >> IP
    >> > > >> address instead of name to see if that helps and verify that you
    >> > > >> can
    >> ping
    >> > > >> the computer from the source computer. Since you are still using
    >> wins,
    >> > > >> make
    >> > > >> sure that W2K server is also a wins client. Do you get any error
    >> messages
    >> > > >> when you try to connect?? The link below explains problems that
    >> > > >> can
    >> arise
    >> > > >> from incompatible security settings [security options in security
    >> policy
    >> > > >> such as Local Security Policy] on a W2K computer. --- Steve
    >> > > >>
    >> > > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
    >> look
    >> > > >> at
    >> > > >> Examples of Compatibility Problems particularly for anonymous
    >> > > >> access
    >> and
    >> > > >> digitally sign communications.
    >> > > >>
    >> > > >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in
    >> > > >> message
    >> > > >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
    >> > > >> > Not sure if this is related to GPO but I am unable to access the
    >> > > >> > registry,
    >> > > >> > browse via network neighborhood, etc. to a Windows 2000 member
    >> server
    >> > > >> > from
    >> > > >> > another Windows NT 4 member server. I cannot do this from any of
    >> > > >> > my
    >> NT
    >> > > >> > 4
    >> > > >> > member servers. Both are logged in as the domain admin. Any
    >> thoughts
    >> > > >> > are
    >> > > >> > appreciated.
    >> > > >> >
    >> > > >> > --
    >> > > >> > netwerktek
    >> > > >>
    >> > > >>
    >> > > >>
    >> > >
    >> > >
    >> > >
    >>
    >>
    >>
Ask a new question

Read More

Windows 2000 Registry Servers Windows