Problem with NT4 domain trusting W2003 domain

Discussion in 'Server Migration' started by Franz Schenk, Jul 19, 2005.

  1. Franz Schenk

    Franz Schenk Guest

    Have established a one way external trust from an NT4 resource domain
    trusting a Windows 2003 domain. Trust built successfully and trust
    validation is ok.

    The problem is that when granting Users of the Windows 2003 domain NTFS
    permissions on files on the NT4 server, it's not possible to browse the
    users/groups of the Windows 2003 domain. When selecting the Windows 2003
    domain in the NT4 ACL Editor and select the Windows 2003 domain, there is an
    "access denied" error message. But granting NTFS permissions by exactly
    specifying the Windows 2003 domain\username works fine.

    Have then enabled failure auditing in the Windows 2003 DC and found that the
    NT4 server tries to authenticate with the "NT4Domain\administrator" account
    for getting the list of users/groups of the Windows 2003 domain.

    Have the "Everyone" object in the "pre-windows 2000 compatible" group in the
    Windows 2003 domain.

    When specifying the same password for the "Windows2003-domain\administrator"
    as for the "NT4domain\administrator", the problem does not occur and
    browsing the Windows 2003 domain in the NT4 ACL Editor works fine, but this
    is not a permanent solution for us.

    Any advice?
    Thanks in advance for any help!

    Franz
     
    Franz Schenk, Jul 19, 2005
    #1

  2. Hi Franz,

    Thank you for posting here.

    I have tested your issue on my side. I have performed the steps as you
    said: one way trust and use different password of "NT4Domain\administrator"
    and "W2K3domain\administrator". But I still can select the Windows 2003
    domain in the NT4 ACL Editor. So I'd like to give some suggestions as below:

    1. For your situation, I'd like to suggest you re-create the one way trust
    relationship to see the efforts. Please follow the article as below to
    confirm that the trust relationship is configured successfully.

    325874 How to establish trusts with a Windows NT-based domain in Windows
    Server
    http://support.microsoft.com/?id=325874

    Furthermore, you may try to establish a two way trust to see if this issue
    happens again.

    2. Because Windows 2003 enhanced system security, I suspect there may be a
    group policy that denied the NT4 authentication to get the list of
    users/groups. So please help me confirm whether you can access resources on
    the Windows 2003 server from the Windows NT server with the same user. If you also cannot
    access the resources, I'd like to suggest you check Group Policy of Windows
    2003 side. Please run "gpresult -z >gplog.txt" and send me the log. I'll
    try to perform research on it.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


     
    Vincent Xu [MSFT], Jul 20, 2005
    #2

  3. Franz Schenk

    Franz Schenk Guest

    Hi Vincent

    Thank you so far for the support! But it still doesn't work. What I've done
    so far:

    - Recreated the trust according to KB 325874: Same result. I can choose the
    Windows 2003 domain in the ACL Editor, but instead of displaying the user
    list of the Windows 2003 domain, I'm still getting the Error "Unable to
    browse the selected domain because the following error occured: Access is
    denied".

    - Accessing resources on the NT4 Server from the Windows 2003 domain works
    as it should (Even with the error message in the NT4 ACL Editor, it's
    possible to add an ACL Entry by writing the username manually)

    - When adding a two way trust, the problem does not occur! It's possible to
    browse the Windows 2003 domain in the NT4 ACL Editor.

    I've tested this with two VM's on our Virtual Server, but the reason for
    that is because we have the same problem in a customer location with an NT4
    domain trusting a Windows 2003 domain. Granting access to files on the NT4
    servers is possible by manually entering user/group names in the ACL Editor.
    But the problem we have in the customer site is that there is Exchange 5.5
    running in the NT4 domain. Although we granted Admin rights to a Windows 2003
    user to the exchange 5.5 organisation, we are getting access denied errors
    when running Exchange 5.5 Admin with the Windows 2003 user.
    Before digging into Exchange, I want to be sure that the trust is ok, and
    the behaviour we have is wrong in my opinion. It should be possible to
    browse the Windows 2003 Users in the NT4 ACL Editor even with a one way
    trust (NT4 --> Windows 2003).

    Attached gplog.txt at the end of this message
    Thank you in advance for any further advice!
    Franz
    -----------------------


    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 20.07.2005 at 13:36:32



    RSOP data for STADTBIEL\Administrator on GHOSTSRVBIEL : Logging Mode
    ---------------------------------------------------------------------

    OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise
    Edition
    OS Configuration: Primary Domain Controller
    OS Version: 5.2.3790
    Terminal Server Mode: Remote Administration
    Site Name: Default-First-Site-Name
    Roaming Profile:
    Local Profile: C:\Documents and Settings\Administrator
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
    CN=GHOSTSRVBIEL,OU=Domain Controllers,DC=stadtbiel,DC=local
    Last time Group Policy was applied: 20.07.2005 at 13:32:39
    Group Policy was applied from: ghostsrvbiel.stadtbiel.local
    Group Policy slow link threshold: 500 kbps
    Domain Name: STADTBIEL
    Domain Type: Windows 2000

    Applied Group Policy Objects
    -----------------------------
    Default Domain Controllers Policy
    1stSW
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    BUILTIN\Pre-Windows 2000 Compatible Access
    Windows Authorization Access Group
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    This Organization
    GHOSTSRVBIEL$
    Exchange Domain Servers
    Domain Controllers
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
    Exchange Enterprise Servers

    Resultant Set Of Policies for Computer
    ---------------------------------------

    Software Installations
    ----------------------
    N/A

    Startup Scripts
    ---------------
    N/A

    Shutdown Scripts
    ----------------
    N/A

    Account Policies
    ----------------
    GPO: Default Domain Policy
    Policy: MaxServiceAge
    Computer Setting: 600

    GPO: Default Domain Policy
    Policy: MaxTicketAge
    Computer Setting: 10

    GPO: Default Domain Policy
    Policy: MinimumPasswordAge
    Computer Setting: 1

    GPO: Default Domain Policy
    Policy: PasswordHistorySize
    Computer Setting: 24

    GPO: Default Domain Policy
    Policy: MaxClockSkew
    Computer Setting: 5

    GPO: Default Domain Policy
    Policy: MinimumPasswordLength
    Computer Setting: 5

    GPO: Default Domain Policy
    Policy: LockoutBadCount
    Computer Setting: N/A

    GPO: Default Domain Policy
    Policy: MaximumPasswordAge
    Computer Setting: 42

    GPO: Default Domain Policy
    Policy: MaxRenewAge
    Computer Setting: 7

    Audit Policy
    ------------
    GPO: Default Domain Controllers Policy
    Policy: AuditPolicyChange
    Computer Setting: Success

    GPO: Default Domain Controllers Policy
    Policy: AuditPrivilegeUse
    Computer Setting: No Auditing

    GPO: Default Domain Controllers Policy
    Policy: AuditDSAccess
    Computer Setting: Success

    GPO: Default Domain Controllers Policy
    Policy: AuditAccountLogon
    Computer Setting: Success, Failure

    GPO: Default Domain Controllers Policy
    Policy: AuditObjectAccess
    Computer Setting: No Auditing

    GPO: Default Domain Controllers Policy
    Policy: AuditAccountManage
    Computer Setting: Success, Failure

    GPO: Default Domain Controllers Policy
    Policy: AuditLogonEvents
    Computer Setting: Success, Failure

    GPO: Default Domain Controllers Policy
    Policy: AuditProcessTracking
    Computer Setting: No Auditing

    GPO: Default Domain Controllers Policy
    Policy: AuditSystemEvents
    Computer Setting: Success

    User Rights
    -----------
    GPO: Default Domain Controllers Policy
    Policy: MachineAccountPrivilege
    Computer Setting: Authenticated Users

    GPO: Default Domain Controllers Policy
    Policy: DenyNetworkLogonRight
    Computer Setting: STADTBIEL\SUPPORT_388945a0

    GPO: Default Domain Controllers Policy
    Policy: RestorePrivilege
    Computer Setting: STADTBIEL\Administrator
    Server Operators
    Backup Operators
    Administrators

    GPO: Default Domain Controllers Policy
    Policy: TcbPrivilege
    Computer Setting: STADTBIEL\Administrator

    GPO: Default Domain Controllers Policy
    Policy: SystemProfilePrivilege
    Computer Setting: Administrators

    GPO: Default Domain Controllers Policy
    Policy: DenyServiceLogonRight
    Computer Setting: N/A

    GPO: Default Domain Controllers Policy
    Policy: ServiceLogonRight
    Computer Setting: NETWORK SERVICE
    STADTBIEL\Administrator
    BUILTIN

    GPO: Default Domain Controllers Policy
    Policy: UndockPrivilege
    Computer Setting: Administrators

    GPO: Default Domain Controllers Policy
    Policy: CreatePermanentPrivilege
    Computer Setting: N/A

    GPO: Default Domain Controllers Policy
    Policy: AuditPrivilege
    Computer Setting: STADTBIEL\Administrator
    NETWORK SERVICE
    LOCAL SERVICE

    GPO: Default Domain Controllers Policy
    Policy: TakeOwnershipPrivilege
    Computer Setting: Administrators

    GPO: Default Domain Controllers Policy
    Policy: CreatePagefilePrivilege
    Computer Setting: Administrators

    GPO: Default Domain Controllers Policy
    Policy: EnableDelegationPrivilege
    Computer Setting: Administrators

    GPO: Default Domain Controllers Policy
    Policy: DebugPrivilege
    Computer Setting: Administrators

    GPO: Default Domain Controllers Policy
    Policy: SystemTimePrivilege
    Computer Setting: Server Operators
    Administrators

    GPO: Default Domain Controllers Policy
    Policy: DenyBatchLogonRight
    Computer Setting: N/A

    GPO: Default Domain Controllers Policy
    Policy: BackupPrivilege
    Computer Setting: Server Operators
    Backup Operators
    Administrators

    GPO: Default Domain Controllers Policy
    Policy: CreateTokenPrivilege
    Computer Setting: N/A

    GPO: Default Domain Controllers Policy
    Policy: ChangeNotifyPrivilege
    Computer Setting: Pre-Windows 2000 Compatible Access
    Authenticated Users
    Administrators
    Everyone

    GPO: Default Domain Controllers Policy
    Policy: SyncAgentPrivilege
    Computer Setting: N/A

    GPO: Default Domain Controllers Policy
    Policy: ProfileSingleProcessPrivilege
    Computer Setting: Administrators

    GPO: Default Domain Controllers Policy
    Policy: LoadDriverPrivilege
    Computer Setting: Print Operators
    Administrators

    GPO: Default Domain Controllers Policy
    Policy: InteractiveLogonRight
    Computer Setting: Print Operators
    Server Operators
    Account Operators
    Backup Operators
    Administrators
    STADTBIEL\IUSR_GHOSTSRVBIEL

    GPO: Default Domain Controllers Policy
    Policy: RemoteShutdownPrivilege
    Computer Setting: Server Operators
    Administrators

    GPO: Default Domain Controllers Policy
    Policy: IncreaseBasePriorityPrivilege
    Computer Setting: Administrators

    GPO: Default Domain Controllers Policy
    Policy: NetworkLogonRight
    Computer Setting: Pre-Windows 2000 Compatible Access
    ENTERPRISE DOMAIN CONTROLLERS
    Authenticated Users
    Administrators
    Everyone
    STADTBIEL\IWAM_GHOSTSRVBIEL
    STADTBIEL\IUSR_GHOSTSRVBIEL

    GPO: Default Domain Controllers Policy
    Policy: LockMemoryPrivilege
    Computer Setting: N/A

    GPO: Default Domain Controllers Policy
    Policy: ShutdownPrivilege
    Computer Setting: Print Operators
    Server Operators
    Backup Operators
    Administrators

    GPO: Default Domain Controllers Policy
    Policy: SecurityPrivilege
    Computer Setting: STADTBIEL\Exchange Enterprise Servers
    Administrators

    GPO: Default Domain Controllers Policy
    Policy: AssignPrimaryTokenPrivilege
    Computer Setting: NETWORK SERVICE
    LOCAL SERVICE
    STADTBIEL\IWAM_GHOSTSRVBIEL

    GPO: Default Domain Controllers Policy
    Policy: SystemEnvironmentPrivilege
    Computer Setting: Administrators

    GPO: Default Domain Controllers Policy
    Policy: IncreaseQuotaPrivilege
    Computer Setting: Administrators
    NETWORK SERVICE
    LOCAL SERVICE
    STADTBIEL\IWAM_GHOSTSRVBIEL

    GPO: Default Domain Controllers Policy
    Policy: BatchLogonRight
    Computer Setting: STADTBIEL\SQLDebugger
    STADTBIEL\IIS_WPG
    STADTBIEL\IUSR_GHOSTSRVBIEL
    STADTBIEL\SUPPORT_388945a0
    LOCAL SERVICE
    STADTBIEL\IWAM_GHOSTSRVBIEL
    STADTBIEL\Administrator

    GPO: Default Domain Controllers Policy
    Policy: DenyInteractiveLogonRight
    Computer Setting: STADTBIEL\SQLDebugger
    STADTBIEL\SUPPORT_388945a0

    Security Options
    ----------------
    GPO: Default Domain Policy
    Policy: TicketValidateClient
    Computer Setting: Enabled

    GPO: Default Domain Policy
    Policy: RequireLogonToChangePassword
    Computer Setting: Not Enabled

    GPO: Default Domain Policy
    Policy: PasswordComplexity
    Computer Setting: Not Enabled

    GPO: Default Domain Policy
    Policy: ForceLogoffWhenHourExpire
    Computer Setting: Not Enabled

    GPO: Default Domain Policy
    Policy: ClearTextPassword
    Computer Setting: Not Enabled

    Event Log Settings
    ------------------
    N/A

    Restricted Groups
    -----------------
    N/A

    System Services
    ---------------
    N/A

    Registry Settings
    -----------------
    N/A

    File System Settings
    --------------------
    N/A

    Public Key Policies
    -------------------
    N/A

    Administrative Templates
    ------------------------
    N/A


    USER SETTINGS
    --------------
    CN=Administrator,CN=Users,DC=stadtbiel,DC=local
    Last time Group Policy was applied: 20.07.2005 at 13:12:47
    Group Policy was applied from: ghostsrvbiel.stadtbiel.local
    Group Policy slow link threshold: 500 kbps
    Domain Name: STADTBIEL
    Domain Type: Windows 2000

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    1stSW
    Filtering: Not Applied (Empty)

    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Administrators
    BUILTIN\Users
    BUILTIN\Pre-Windows 2000 Compatible Access
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    This Organization
    LOCAL
    Domain Admins
    Group Policy Creator Owners
    Exchange Services
    Exchange Domain Servers
    Schema Admins
    Enterprise Admins
    Exchange Enterprise Servers

    The user has the following security privileges
    ----------------------------------------------

    Bypass traverse checking
    Manage auditing and security log
    Back up files and directories
    Restore files and directories
    Change the system time
    Shut down the system
    Force shutdown from a remote system
    Take ownership of files or other objects
    Debug programs
    Modify firmware environment values
    Profile system performance
    Profile single process
    Increase scheduling priority
    Load and unload device drivers
    Create a pagefile
    Adjust memory quotas for a process
    Remove computer from docking station
    Perform volume maintenance tasks
    Impersonate a client after authentication
    Create global objects
    Enable computer and user accounts to be trusted for delegation
    Add workstations to domain

    Resultant Set Of Policies for User
    -----------------------------------

    Software Installations
    ----------------------
    N/A

    Logon Scripts
    -------------
    N/A

    Logoff Scripts
    --------------
    N/A

    Public Key Policies
    -------------------
    N/A

    Administrative Templates
    ------------------------
    N/A

    Folder Redirection
    ------------------
    N/A

    Internet Explorer Browser User Interface
    ----------------------------------------
    N/A

    Internet Explorer Connection
    ----------------------------
    N/A

    Internet Explorer URLs
     
    Franz Schenk, Jul 20, 2005
    #3
  4. Hi Franz,

    Thank you for your update.

    I have performed further research on your issue. For your situation (in a
    mixed domain environment and the issue didn't occur with a two way trust), I
    suspect there are some settings in security options that caused this problem;
    please check:

    1. Run "gpedit.msc"
    2. Expand to "Computer configuration\Windows Settings\local
    policies\Security options\"
    3. Check following policies:

    "Microsoft Network Server: Digitally sign communications" set to disable.
    "Network access: Allow anonymous SID/Name translation" set to enable.
    "Network access: Do not allow anonymous enumeration of SAM accounts" set to
    disable.
    "Network access: Do not allow anonymous enumeration of SAM accounts and
    shares" set to disable.
    "Network access: Restrict anonymous access to Named Pipes and Shares" set
    to disable

    I hope the suggestions help.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security
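
    Added example (not part of the thread and not Microsoft tooling): a Python sketch that checks the five Security Options listed in the reply above against a security template exported from the DC with `secedit /export /cfg`. The sample template is constructed, and mapping "Digitally sign communications" to the "(always)" policy is an assumption, since the reply does not say which of the two signing policies it means.

```python
import configparser

# Constructed sample of a `secedit /export /cfg` template taken on the DC.
# Real exports are usually UTF-16; decode the file before passing its text in.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 5
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"

# (policy display name, template section, key, value suggested in the reply)
# Assumption: the signing policy meant is "(always)" = RequireSecuritySignature.
CHECKS = [
    ("Microsoft network server: Digitally sign communications (always)",
     "Registry Values", SRV + r"\RequireSecuritySignature", 0),
    ("Network access: Allow anonymous SID/Name translation",
     "System Access", "LSAAnonymousNameLookup", 1),
    ("Network access: Do not allow anonymous enumeration of SAM accounts",
     "Registry Values", LSA + r"\RestrictAnonymousSAM", 0),
    ("Network access: Do not allow anonymous enumeration of SAM accounts and shares",
     "Registry Values", LSA + r"\RestrictAnonymous", 0),
    ("Network access: Restrict anonymous access to Named Pipes and Shares",
     "Registry Values", SRV + r"\RestrictNullSessAccess", 0),
]


def parse_template(text):
    """Parse the INF-style template; option names are matched case-insensitively."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    return cp


def read_value(cp, section, key):
    """Return the integer setting, or None if it is absent or not numeric."""
    if not cp.has_option(section, key):
        return None
    raw = cp.get(section, key).strip()
    if section == "Registry Values":
        # Registry lines look like "<type>,<data>"; type 4 is REG_DWORD.
        reg_type, _, raw = raw.partition(",")
        if reg_type.strip() != "4":
            return None
    try:
        return int(raw.strip())
    except ValueError:
        return None


def audit(text):
    """Compare each listed policy with the value suggested in the reply."""
    cp = parse_template(text)
    report = []
    for policy, section, key, suggested in CHECKS:
        current = read_value(cp, section, key)
        if current is None:
            status = "not defined"
        elif current == suggested:
            status = "matches reply"
        else:
            status = "differs"
        report.append((policy, current, suggested, status))
    return report


if __name__ == "__main__":
    for policy, current, suggested, status in audit(SAMPLE_TEMPLATE):
        print(f"{status:14} current={current} suggested={suggested}  {policy}")
```

    Every value the reply suggests loosens SMB signing or anonymous (null session) access on the DC, so the rows reported as "matches reply" are also the ones to revisit once the trust behaves as expected.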


    |
    | Administrative Templates
    | ------------------------
    | N/A
    |
    |
    | USER SETTINGS
    | --------------
    | CN=Administrator,CN=Users,DC=stadtbiel,DC=local
    | Last time Group Policy was applied: 20.07.2005 at 13:12:47
    | Group Policy was applied from: ghostsrvbiel.stadtbiel.local
    | Group Policy slow link threshold: 500 kbps
    | Domain Name: STADTBIEL
    | Domain Type: Windows 2000
    |
    | Applied Group Policy Objects
    | -----------------------------
    | Default Domain Policy
    |
    | The following GPOs were not applied because they were filtered out
    | -------------------------------------------------------------------
    | 1stSW
    | Filtering: Not Applied (Empty)
    |
    | Local Group Policy
    | Filtering: Not Applied (Empty)
    |
    | The user is a part of the following security groups
    | ---------------------------------------------------
    | Domain Users
    | Everyone
    | BUILTIN\Administrators
    | BUILTIN\Users
    | BUILTIN\Pre-Windows 2000 Compatible Access
    | NT AUTHORITY\INTERACTIVE
    | NT AUTHORITY\Authenticated Users
    | This Organization
    | LOCAL
    | Domain Admins
    | Group Policy Creator Owners
    | Exchange Services
    | Exchange Domain Servers
    | Schema Admins
    | Enterprise Admins
    | Exchange Enterprise Servers
    |
    | The user has the following security privileges
    | ----------------------------------------------
    |
    | Bypass traverse checking
    | Manage auditing and security log
    | Back up files and directories
    | Restore files and directories
    | Change the system time
    | Shut down the system
    | Force shutdown from a remote system
    | Take ownership of files or other objects
    | Debug programs
    | Modify firmware environment values
    | Profile system performance
    | Profile single process
    | Increase scheduling priority
    | Load and unload device drivers
    | Create a pagefile
    | Adjust memory quotas for a process
    | Remove computer from docking station
    | Perform volume maintenance tasks
    | Impersonate a client after authentication
    | Create global objects
    | Enable computer and user accounts to be trusted for delegation
    | Add workstations to domain
    |
    | Resultant Set Of Policies for User
    | -----------------------------------
    |
    | Software Installations
    | ----------------------
    | N/A
    |
    | Logon Scripts
    | -------------
    | N/A
    |
    | Logoff Scripts
    | --------------
    | N/A
    |
    | Public Key Policies
    | -------------------
    | N/A
    |
    | Administrative Templates
    | ------------------------
    | N/A
    |
    | Folder Redirection
    | ------------------
    | N/A
    |
    | Internet Explorer Browser User Interface
    | ----------------------------------------
    | N/A
    |
    | Internet Explorer Connection
    | ----------------------------
    | N/A
    |
    | Internet Explorer URLs
    | ----------------------
    | N/A
    |
    | Internet Explorer Security
    | --------------------------
    | N/A
    |
    | Internet Explorer Programs
    | --------------------------
    | N/A
    |
    |
    |
     
    Vincent Xu [MSFT], Jul 21, 2005
    #4
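An added example (not part of the thread and not Microsoft tooling): a small Python parser for the gpresult text layout quoted in the post above, listing who holds each user right on the DC and flagging rights granted to broad groups. The sample input is constructed from lines of that report; the function names and the watch list of broad principals are choices made for this example.

```python
import re

# Constructed sample, in the layout of the gpresult report quoted in the thread.
SAMPLE = r"""
| User Rights
| -----------
| GPO: Default Domain Controllers Policy
| Policy: NetworkLogonRight
| Computer Setting: Pre-Windows 2000 Compatible Access
| ENTERPRISE DOMAIN CONTROLLERS
| Authenticated Users
| Administrators
| Everyone
| STADTBIEL\IUSR_GHOSTSRVBIEL
|
| GPO: Default Domain Controllers Policy
| Policy: DenyNetworkLogonRight
| Computer Setting: STADTBIEL\SUPPORT_388945a0
|
| GPO: Default Domain Controllers Policy
| Policy: LockMemoryPrivilege
| Computer Setting: N/A
|
| Security Options
| ----------------
| GPO: Default Domain Policy
| Policy: PasswordComplexity
| Computer Setting: Not Enabled
"""

# Newsreader quoting adds any mix of "|" and ">" markers in front of each line.
QUOTE_PREFIX = re.compile(r"^\s*(?:[|>]\s?)*")

# Watch list chosen for this example: principals that cover very many accounts.
BROAD = {"Everyone", "Authenticated Users", "Pre-Windows 2000 Compatible Access"}


def strip_quote(line):
    """Remove leading quote markers and surrounding whitespace."""
    return QUOTE_PREFIX.sub("", line).rstrip()


def is_rule(line):
    """True for the dashed underline that follows a section heading."""
    return bool(line) and set(line) == {"-"}


def parse_policies(text):
    """Return one dict per GPO/Policy/Computer Setting entry in the report."""
    lines = [strip_quote(raw) for raw in text.splitlines()]
    entries, section, cur, in_values = [], None, None, False
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and not is_rule(line) and is_rule(nxt):
            section, cur, in_values = line, None, False   # new section heading
        elif not line or is_rule(line):
            in_values = False                             # blank line ends a value list
        elif line.startswith("GPO:"):
            cur = {"section": section, "gpo": line[4:].strip(),
                   "policy": None, "values": []}
            entries.append(cur)
            in_values = False
        elif cur is not None and line.startswith("Policy:"):
            cur["policy"] = line[len("Policy:"):].strip()
        elif cur is not None and line.startswith("Computer Setting:"):
            first = line[len("Computer Setting:"):].strip()
            if first and first != "N/A":
                cur["values"].append(first)
            in_values = True
        elif cur is not None and in_values:
            cur["values"].append(line)                    # continuation: one principal per line
    return entries


def who_has(entries, right):
    """Principals assigned the named user right (empty list if N/A or absent)."""
    for entry in entries:
        if entry["section"] == "User Rights" and entry["policy"] == right:
            return list(entry["values"])
    return []


def broad_grants(entries):
    """Map each user right to the broad principals it is granted to."""
    found = {}
    for entry in entries:
        if entry["section"] != "User Rights":
            continue
        hits = [v for v in entry["values"] if v in BROAD]
        if hits:
            found[entry["policy"]] = hits
    return found


if __name__ == "__main__":
    parsed = parse_policies(SAMPLE)
    for right, principals in broad_grants(parsed).items():
        print(f"{right}: {', '.join(principals)}")
    print("Denied network logon:", who_has(parsed, "DenyNetworkLogonRight"))
```
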
  5. Franz Schenk

    Franz Schenk Guest

    Hi Vincent

    Thank you very much for your help. Unfortunately, still the same problem,
    although it's a good idea to disable SMB signing (we always have problems
    with that since Microsoft enabled this option by default..). I also have
    implemented the settings you suggested in the "default domain controller
    GPO" and not in the local GPO, and verified with GPMC that they are
    successfully applied. An HTML report of the effective GPO settings is in the
    attached ZIP file.

    Although I don't understand why I have this problem (seems not logical to
    me), we have a workaround in the customer site (installed VNC Remote Control
    Tool on the NT4 machine, and the Exchange 5.5 Admin Tools work fine). And we
    can share NT4 resources for the W2003 domain users by entering all ACL
    information manually.
    If you have another idea, I'm very glad to know about it (according to the
    security eventlog on the Windows 2003 DC, NT4 tries to logon with the
    <NT4-domain>\Administrator account on the Windows 2003 DC for retrieving the
    list of Windows 2003 groups and users, that's the point I don't understand).
    But I think that there is no need that you have too much work for us for
    this issue.

    Thank you again for the excellent support!
    Franz
     
    Franz Schenk, Jul 21, 2005
    #5
  6. Hi Franz,

    I'm sorry to hear that my suggestions didn't help. But I'm glad to hear
    that you have a workaround for your customer.

    I have delivered your problem to an internal discussion group and I will
    let you know if there is any further information.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


     
    Vincent Xu [MSFT], Jul 22, 2005
    #6