Failure to start Telnet sessions using NTLM authentication by members of the TelnetClients group (326638)

SYMPTOMS

Non-administrator users listed in the TelnetClients group are unable to start Telnet sessions using NTLM authentication after doing one or more of the following tasks:

Converting the file system of a hard disk from the FAT file system to the NTFS file system
Applying default security templates
Executing the DCPromo process

This problem occurs only with non-admin users who try to start Telnet sessions using NTLM authentication.

RESOLUTION

The administrator must explicitly give read permissions on Cmd.exe to the TelnetClients group. This is because during setup of the operating system, Telnet Server gives read permissions on Cmd.exe to the TelnetClients group. The read permission on Cmd.exe is required because Telnet Server launches Cmd.exe as the user who is trying to start the Telnet session.

When performing any of the three tasks mentioned in the "Symptoms" section, the read permission on Cmd.exe that is given to users who are listed in the TelnetClients group is lost. This loss prevents these users from starting Telnet sessions using NTLM authentication.

Note You cannot use the Telnet sessions to execute the DCPromo process because of the security precaution in Microsoft Windows Server 2003. If you assign read permissions to the TelnetClients group, there may be a potential security risk to the domain controller.

MORE INFORMATION

For additional information about how to create permissions for the NTFS file system, see the Microsoft Windows 2000 Help documentation or, click the following article number to view the article in the Microsoft Knowledge Base:

300691 HOW TO: Set Up a File System for Secure Access in Windows 2000