"Access This Computer from the Network" User Right Causes Tools Not to Work

Article translations Article translations
Article ID: 257346 - View products that this article applies to.
This article was previously published under Q257346
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
Expand all | Collapse all

SYMPTOMS

On a domain controller, removing Everyone from the Access this computer from the network user right and not replacing it with the appropriate user or group accounts may cause tools not to work. Because the tools do not work, it may be difficult to diagnose and resolve the problem.

When you try to use Active Directory Users and Computers or Active Directory Sites and Services, this error message is displayed:
Naming information cannot be located because:
Logon attempt failed.
Contact your system administrator to verify that your domain is properly configured and is currently online.
When you try to use Active Directory Domains and Trusts, this error message is displayed:
The configuration information describing this enterprise is not available. The logon attempt failed.
When you add the Group Policy Object snap-in and click another computer, this error message is displayed:
Cannot display objects from this location because of the following error:
Logon failure: unknown user name or bad password.
When you click DNS Manager, this error message is displayed:
Cannot contact the DNS Server.
When you start License Manager, this error message is displayed:
To open Licensing, you must be an administrator of the domain on which license information is stored for your network. If you are the server's administrator, use the Licensing option in Control Panel to manage Licensing on this server.
When you try to run Dcdiag, this error message is displayed:
Error: The machine could not attach to the DC because the credentials were incorrect. Check your credentials or specify credentials with /u:domain\user and /p:password
When you use Netdiag, this error message is displayed:
DNS Test: Failed DC list test: Failed
When you try to use Replmon, the domain controllers are not displayed and the following error message is displayed when you click Synchronize Each Directory Partition With All Servers:
The synchronization of the directory partition (CN=Schema,CN=Configuration,DC=domain,DC=com) failed. This may be because you have insufficient credentials.
When you try to use the Ldp tool to connect and bind to the server, this error message is displayed:
Failed to bind: Invalid credentials.
When you try to use Repadmin, this error message is displayed:
LDAP error 49 (Invalid Credentials)
When you run Dsacls, this error message is displayed:
The command failed to complete successfully

CAUSE

The administrator who is logged on locally does not have the Access this computer from the network user right. All of the tools listed in the "Symptoms" section of this article use network API calls to operate; they do not work because they try to access the computer from the network.

RESOLUTION

To resolve this issue, edit the Gpttmpl.inf file to grant the Access this computer from the network user right for the appropriate users on the domain controller:
  1. Find and open the Gpttmpl.inf file in the policy that implemented the problematic user right. It is located in the following folder:
    F:\Winnt\Sysvol\Sysvol\Domainname\Policies\{GUID}\MACHINE\Microsoft\Windows NT\Secedit
  2. Copy everything after SeInteractiveLogonRight=.
  3. Paste the text you copied to the following location: SeNetworkLogonRight=.

    Note Check the SeDenyNetworkLogonRight= entry. You may have to remove any entries after the SeDenyNetworkLogonRight= entry.
  4. Save the changes and close the file.
  5. Find and open the Gpt.ini file located in the following folder:
    F:\Winnt\Sysvol\Sysvol\Domainname\Policies\{GUID}
  6. Increase the version number to a greater value.
  7. Save and close the file.
  8. See the following Microsoft Knowledge Base article for information about how to force Group Policy to be applied:
    227448 Using Secedit.exe to Force Group Policy to Be Applied Again
  9. After Group Policy has been reapplied, use Group Policy Editor to set the user rights appropriately. The default groups for the Access this computer from the network user right include Administrators, Enterprise Domain Controllers, and Everyone.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Replication does not work if the computer account does not have the Access this computer from the network user right.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
249261 Replication Does Not Work After Upgrading to Windows 2000
Also, users cannot log on to the domain if Everyone is missing the "Access this computer through the network" right. If you want to remove the Everyone group, you should replace it with Authenticated Users, Enterprise Domain Controllers, System, and Administrators.

Properties

Article ID: 257346 - Last Review: February 21, 2007 - Revision: 3.4
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbenv kberrmsg kbprb KB257346

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com