You cannot connect to a remote Windows Server 2003 domain controller by using the Active Directory Users and Computers snap-in (832222)


The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

When you use the Active Directory Users and Computers snap-in to connect to a remote Microsoft Windows Server 2003 domain controller, the operation may not be successful. Specifically, this issue may occur when you follow these steps:
  1. You right-click Active Directory Users and Computers (DomainName).
  2. You click Connect to Domain Controller.

CAUSE

This issue may occur if incorrect permissions are set on the Winreg subkey that is located in the following registry key on the domain controller:

HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\SecurePipeServers

For example, this issue may occur if the Local Service account does not have at least Read permissions to the Winreg subkey.

RESOLUTION

To resolve this issue, make sure that the Winreg subkey in the following registry key on the domain controller is configured with the correct permissions:

HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\SecurePipeServers

The following table lists the minimum permissions that must be set on the Winreg subkey on the domain controller if you want to connect to that domain controller from another computer by using the Active Directory Users and Computers snap-in: 

Group or User Account         Permissions
------------------------------------------------
Administrators group          Full Control, Read
Backup Operators group        Read
Enterprise Admins group       Read
Local Service account         Read

To assign or to verify permissions that are set on the Winreg subkey on the domain controller, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Right-click the following registry subkey, and then click Permissions:

    HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\SecurePipeServers\Winreg

  4. Click each account that is displayed in the Group or user names list, and then verify that the appropriate permissions are configured for that account in the Permissions for AccountName list.

    If you have to add a group or a user account and assign permissions to that account, follow these steps:
    1. Click Add.
    2. In the Enter the object names to select box, type the group or the user account that you want to add, click Check Names, and then click OK.
    3. In the Permissions for AccountName list, click to select the Allow check box that is next to the permission setting that you want to assign.
  5. Click OK.
Modification Type:MajorLast Reviewed:1/8/2004
Keywords:kbprb KB832222 kbAudITPRO
©2003 Microsoft Corporation. All rights reserved.