OS/2 LAN Manager: Domain ADMIN Account Password Problem (65410)



The information in this article applies to:

  • Microsoft LAN Manager 2.0
  • Microsoft LAN Manager 2.1
  • Microsoft LAN Manager 2.1a
  • Microsoft LAN Manager 2.2

This article was previously published under Q65410

SUMMARY

Question:

When one of our users logs on to the network, the user uses the logon name of ADMIN with the ADMIN password that we have established on the domain controller. However, when the user runs NET ADMIN, the user is told that only USER privileges are allowed on the machine that the user logged in on. If the user logs on as ADMIN with the password of "PASSWORD", the user receives an "access denied" error message. Since the use of the ADMIN logon name in this manner does not allow the user to administer their own [standalone] server, how can this be done?

Response:

When you log on to the network with a domain controller active, you receive the privileges assigned to the account name with which you logged on, as defined in the domain controller's user database.

When you run NET ADMIN, your privilege level for administration of your local computer is the privilege level assigned to the account name with which you are logged on, as defined in your local computer's user database.

In this particular case, it appears that someone has changed the ADMIN account password from "PASSWORD" to "XXX&". In other words, in the domain controller's user database, the ADMIN account now has the password of "XXX&". Since your local computer is not acting as a member or backup domain controller, the domain controller's user database is not replicated to your local computer. Thus, unless you explicitly change the ADMIN account password in your local user database, it is still recorded with the default password of "PASSWORD".

This presents a "catch-22" situation. Since you don't have ADMIN privileges on your local computer, you cannot change your local computer's ADMIN account password (to "XXX&"). When you attempt to log on as ADMIN with the default password of "PASSWORD", the domain controller, which verifies the logon against the ADMIN account recorded in its database (with the "XXX&" password), returns an error message of "access denied."

This problem can be resolved by using the following procedure:

  1. Log on to your local computer, referencing a nonexistent domain. For example:
          NET LOGON ADMIN PASSWORD /DOMAIN:NONE

     You will be logged on as STANDALONE because there is no (NONE) domain. You now have ADMIN privileges on your local machine.
  2. Run NET ADMIN and change the ADMIN account password to "XXX&" (the same password that is defined for the ADMIN account on the domain controller).
  3. Log off and log back on with the "XXX&" password (without the domain specification). For example:
          NET LOGOFF
          NET LOGON ADMIN XXX&

You now have ADMIN privileges on the domain as well as on your local computer.

Modification Type: Major
Last Reviewed: 9/30/2003
Keywords: KB65410