"Access This Computer from the Network" User Right Causes Tools Not to Work (257346)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q257346

SYMPTOMS

On a domain controller, removing Everyone from the Access this computer from the network user right and not replacing it with the appropriate user or group accounts may cause tools not to work. Because the tools do not work, it may be difficult to diagnose and resolve the problem.

When you try to use Active Directory Users and Computers or Active Directory Sites and Services, this error message is displayed:

    Naming information cannot be located because:
    Logon attempt failed.
    Contact your system administrator to verify that your domain is properly configured and is currently online.

When you try to use Active Directory Domains and Trusts, this error message is displayed:

    The configuration information describing this enterprise is not available. The logon attempt failed.

When you add the Group Policy Object snap-in and click another computer, this error message is displayed:

    Cannot display objects from this location because of the following error:
    Logon failure: unknown user name or bad password.

When you click DNS Manager, this error message is displayed:

    Cannot contact the DNS Server.

When you start License Manager, this error message is displayed:

    To open Licensing, you must be an administrator of the domain on which license information is stored for your network. If you are the server's administrator, use the Licensing option in Control Panel to manage Licensing on this server.

When you try to run Dcdiag, this error message is displayed:

    Error: The machine could not attach to the DC because the credentials were incorrect. Check your credentials or specify credentials with /u:domain\user and /p:password

When you use Netdiag, this error message is displayed:

    DNS Test: Failed
    DC list test: Failed

When you try to use Replmon, the domain controllers are not displayed and the following error message is displayed when you click Synchronize Each Directory Partition With All Servers:

    The synchronization of the directory partition (CN=Schema,CN=Configuration,DC=domain,DC=com) failed. This may be because you have insufficient credentials.

When you try to use the Ldp tool to connect and bind to the server, this error message is displayed:

    Failed to bind: Invalid credentials.

When you try to use Repadmin, this error message is displayed:

    LDAP error 49 (Invalid Credentials)

When you run Dsacls, this error message is displayed:

    The command failed to complete successfully

CAUSE

The administrator who is logged on locally does not have the Access this computer from the network user right. All of the tools listed in the "Symptoms" section of this article use network API calls to operate; they do not work because they try to access the computer from the network.

RESOLUTION

To resolve this issue, edit the Gpttmpl.inf file to grant the Access this computer from the network user right for the appropriate users on the domain controller:
  1. Find and open the Gpttmpl.inf file in the policy that implemented the problematic user right. It is located in the following folder:

    F:\Winnt\Sysvol\Sysvol\Domainname\Policies\{GUID}\MACHINE\Microsoft\Windows NT\Secedit

  2. Copy everything after SeInteractiveLogonRight=.
  3. Paste the text you copied to the following location: SeNetworkLogonRight=.

    Note: Check the SeDenyNetworkLogonRight= entry. You may have to remove any entries after the SeDenyNetworkLogonRight= entry.
  4. Save the changes and close the file.
  5. Find and open the Gpt.ini file located in the following folder:

    F:\Winnt\Sysvol\Sysvol\Domainname\Policies\{GUID}

  6. Increase the version number to a greater value.
  7. Save and close the file.
  8. See the following Microsoft Knowledge Base article for information about how to force Group Policy to be applied:

    227448 Using Secedit.exe to Force Group Policy to Be Applied Again

  9. After Group Policy has been reapplied, use Group Policy Editor to set the user rights appropriately. The default groups for the Access this computer from the network user right include Administrators, Enterprise Domain Controllers, and Everyone.
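
The check behind steps 2, 3 and 9, as an added example that is not part of the original article: it parses the [Privilege Rights] section of a Gpttmpl.inf and reports when SeNetworkLogonRight lacks the groups the article names or when SeDenyNetworkLogonRight still has entries. It assumes principals are written as well-known SIDs (*S-1-...); the function names and both sample INF texts are constructed for illustration.

```python
# Added example: audit network logon rights in Gpttmpl.inf text (SID form assumed).
EVERYONE = "S-1-1-0"
REPLACEMENTS = {  # groups the article lists as the substitute for Everyone
    "S-1-5-11": "Authenticated Users",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-18": "System",
    "S-1-5-32-544": "Administrators",
}

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            rights[key.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit(inf_text):
    """List problems with the network logon rights; an empty list means OK."""
    rights = privilege_rights(inf_text)
    allowed = set(rights.get("SeNetworkLogonRight", []))
    findings = []
    if EVERYONE not in allowed:
        for sid, name in REPLACEMENTS.items():
            if sid not in allowed:
                findings.append(f"SeNetworkLogonRight lacks {name} ({sid})")
    # Any remaining deny entry is reported so it can be reviewed, per the Note in step 3.
    for sid in rights.get("SeDenyNetworkLogonRight", []):
        findings.append(f"SeDenyNetworkLogonRight contains {sid}")
    return findings

# Constructed sample: Administrators can log on locally but not from the network.
BROKEN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
SeNetworkLogonRight = *S-1-5-32-549
SeDenyNetworkLogonRight = *S-1-5-32-544
"""
# Constructed sample: Everyone replaced by the four groups the article recommends.
FIXED = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-9,*S-1-5-18,*S-1-5-32-544
SeDenyNetworkLogonRight =
"""
```

Running audit() on a template before it is saved shows whether the edit would leave administrators unable to reach the domain controller over the network.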

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Replication does not work if the computer account does not have the Access this computer from the network user right.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

249261 Replication Does Not Work After Upgrading to Windows 2000

Also, users cannot log on to the domain if Everyone is missing the "Access this computer from the network" right. If you want to remove the Everyone group, you should replace it with Authenticated Users, Enterprise Domain Controllers, System, and Administrators.

Modification Type: Major
Last Reviewed: 9/22/2003
Keywords: kbenv kberrmsg kbprb KB257346