Windows 7, 2003 Server Domain, Local Permission

I have just set up a computer with Windows 7, and I'm apparently missing something simple, but I just can't find it.

I installed Windows 7 on the machine and everything works great. I then joined the computer to a 2003 Server domain. Everything still appeared to work fine. However, when I log into the domain on the Windows 7 computer, I don't have the correct permissions on the local machine.

I can access the domain. The login works fine. There are no errors. However, when I try and access anything on the local drive, like explorer.exe, it tells me that I don't have the permissions to access it. I can run some programs, in some directories (like Program Files), but if I try and run anything in the Windows directory, I don't have permission. I can access things on the domain, and I can even use Firefox to view the contents of domain machines, mapped network drives, and even the local C drive. I just cannot run anything that's in the local Windows directory.

I can access the local drive using either the domain administrator account, or the local machine administrator account. However, using either of those accounts, I'm not allowed to change permissions on that folder! I can see that the folder is set as read only, but when I attempt to remove the read-only flag (using either account), it tells me that I don't have permission to do that.

I've also tried to give the domain user administrator permission on the local machine, but that has no effect either. That part really confuses me, because the domain user is clearly an administrator on the local machine, but still does not have permission to access the Windows folder.

Anyone ever connected a Windows 7 computer to a 2003 domain? Oh, the Windows 7 version is Windows 7 professional. What do I need to do to allow a domain user access to the Windows folder on the local machine so I can run things like explorer, control panel, and access printers?

Thanks!

This thread at TechNet seems to relate to your problem. It mentioned something about you need to set the password the same as the Administrator's password of the Windows 2000 system. And also you need to change the NTLM authentication level in Windows 7. Even though you are on server 03 this may still apply.

Read it here> Can't connect Windows 7 Pro to Windows 2000 server Domain.

Thanks for the tip. That article seems to be related to connecting to the domain, and I don't have any problems there. I'm not sure there's any settings on the server that will affect this (although its certainly possible), because the only things I cannot access are local resources, but with a domain account logged in.

I checked my local NTLM settings (on the Windows 7 machine), and they're all set to "Not Defined" and appear to be related to limiting access even more.

In case it helps, I've also noticed something else weird. The task bar indicates that I'm not connected to a network (though clearly I am, as I'm posting from this machine). All network stuff works, its just the local Windows directory/folder that is having access issues.

Can anyone hazard a guess why the local account that was created with the Windows 7 setup that is an Administrator account does not even have permission to change the permissions on that folder?

No ideas?

Can anyone who reads this who has connected Windows 7 to a Server 2003 domain at least post that they were successful, so I can know if its even possible to connect the two? Thanks.

Seems like this link relates to your problem. Of course it's possible but the permissions need to be set correctly. Look down the page where it says Trouble shooting.

How To Share Files and Folders over the Network in a Windows Server 2003 Domain Environment

Have you installed the (windows7/server2008)AD plugin additions for the 2003 domain GPO? Your current 2k3 gpo isn't setup to apply to the 7 machine... This however might not be the problem facing you now, but will be eventually. However, I can see this being affected by the local policy in GPO not really knowing how to handle the new secpol for windows 7. can you start by adding the windows 7 / server 2k8 gpo plugins? here is one of the articles that might be relevant Deploying Group Policy Using Windows Vista Editing for clarity: you need the new GPMC to edit the admx files for windows 7 You'll want to create a separate GPO for windows 7 machines

We have a x64 Win7 Machine connected to a W2k3 domain with account control active. Everything works fine so long as we use x64 w2k3 servers. Yet for the one 32 bit server we have (Which has to be 32 til an update for the service we run on it is available) there are large delays in file sharing. When we attempt to map a drive on the server we get through the authentication process relativly fast but anything after that slows down. Listing the directory contents take an age, regardless of the number or size of files in them.

Hi there
I don't know much about domains -- but "Bog standard" file sharing between W7 and W2K3 (32 bit) isn't a problem provided firewalls set OK and permissions on target drives set OK.

I find also RDP'ing to a WK3 server on a LAN is fine -- simplest way to do it too.

I haven't tried this over a corporate VPN but on a Local LAN its fine and speed is more than adequate.

Check your LAN speed as well - some corporate LANS are really SLOW depending on how the connections are wired - especially if the server has to go through more than one router.

on a standard 100mbs LAN its fine.

Here's the login screen from W7 to W2K3 server and then the shared disks displayed in W7 -- no problems




Cheers
jimbo

Thank you, everyone, for your suggestions. I think I'm not clear in what I'm trying to do, however.

I don't want to share anything. In fact, I already CAN share anything I like without any problems. The problem is I cannot access local resources while logged into the local machine. I know, it makes no sense, but I guess that's my welcome to Windows 7.

Here is what happened:

I installed Windows 7 Professional. I joined the domain. Now, when I click on "Computer," I get errors. If I try and run "Control Panel" I get errors. The local computer tells me that I do not have permission to access explorer.exe on the local machine at all.

I have tried adding domain users as administrators on the local machine. I have tried adding an individual domain user as the owner of explorer.exe on the local machine. I tried Microsoft tech support and they said they can't help me because its "too complex" of a problem (because it involves networking). I even found the App Locker and made a rule that specifically says that all users, everyone, and domain users have access to run all programs in the Windows directory. All of this has had no effect at all. The machine keeps tell me, when I try and access Explorer.exe (or any other file in the Windows directory), that I do not have permission to access them.

Brady, I'm not sure what you're asking me to do. I'm not deploying any group policies through my Windows 2003 Server. The only thing that does it sit there and allow users to log in and it has mapped network drives for everyone who logs in. I can access the network drives on the server from the Windows 7 machine, I just can't run the local explorer.exe to view them on the local machine (if I use Firefox, I can see all the networked files and even execute them).

Thanks again, everyone, for giving this a shot. I'm rather experienced with computers, but this is my first attempt at doing anything with Windows 7 (and very soon, it will be my last as this is just insane without reason).

Here's a "fun" update.

After various resets and attempts at making this work, suddenly all OTHER domain accounts work normally, and now just the one I've been working with still cannot access anything locally. And what makes it so strange and illogical is that this domain account has MORE permissions on the local machine than other domain accounts. What a screwy operating system.

Ogre11 said:

No ideas?

Can anyone who reads this who has connected Windows 7 to a Server 2003 domain at least post that they were successful, so I can know if its even possible to connect the two? Thanks.

Click to expand...

I am connected successfully to a 2003 domain. No problems !

Kevin

Hi Ogre11, I had the same problem. The only way that I found to work around it is to give your network login name local administrator privileges. Don't worry about having too many privileges, because in Win 7 giving a user admin privileges is not like it was in previous versions of windows. You will only really have a small subset of admin privileges. You still won't even be able to modify printer setups. So login to your machine as local administrator, you may need to create a local account with the same name as your network login name and password. If you switch users to your admin account after you have logged in to your domain account, you may be able to see the domain user in the list of users. Then give that local account or the domain account if you can see it, admin privileges. Sorry if this is not very clear, I cant remember the exact process that I used to get access to my C drive, I did this over 3 months ago, but it works fine now.

While logging on the the domain normally I've only run across two local process errors. The first is when I copyied some backup files over to the new computer after the join to the domain I can no longer modify them at all. Not sure if this is a permissions problem. Another is the Performance manager crashes every time i start it now.

Thank you again for the ideas.

After using the AppLocker to manually allow permissions to domain users to run programs in the Windows directory, and then turning on the AppLocker permissions, and then explicitly turning on the service for App Locker, it seems to work. That one domain account still wouldn't work, but others did, so I ended up deleting that domain account and re-creating it. Now all seems to work okay. Strange, but okay.

Heh.

An update, in case anyone else has this problem. The fix didn't keep. It worked for awhile, but after a day and a few log ons and log offs, its back.

Ogre11 said:

Can anyone who reads this who has connected Windows 7 to a Server 2003 domain at least post that they were successful, so I can know if its even possible to connect the two? Thanks.

Click to expand...

Connected Win7 boxes to 2k3 domain fine.

On your domain, which OU did you put your pc into.
And is there only one PC connected to your domain?

It seems a little overkill IMO to have an entire server and domain setup if your only using 1 machine...

Log in as network administrator on the client PC.
Right click on the C: drive, go to security, click on advanced, click on the ownership tab, choose the network admin account, click on the "apply to sub folders" check box
Apply, wait for it to finish then ok.
Your network admin now has ownership of all the files on the C: drive and also has full permissions on it, If you set a deny security entry anywhere else it will take precedence, but as the owner you can manually change that too.
Regards, P.

I had the same problem as Ogre11 and the only way that I could fix it was to give complete ownership AND R/W access to ALL files on the local C drive as SaintAurther describes. It opens up a bit of a security hole, but it was the only thing that worked. And, by the way, I was connecting to a 64bit 2008 R2 server from a 64bit Windows 7 Pro workstation.

Hydrology said:

I had the same problem as Ogre11 and the only way that I could fix it was to give complete ownership AND R/W access to ALL files on the local C drive as SaintAurther describes. It opens up a bit of a security hole, but it was the only thing that worked. And, by the way, I was connecting to a 64bit 2008 R2 server from a 64bit Windows 7 Pro workstation.

Click to expand...

It seems that sharing through a drive also means you need to share the entire drive in some cases. I was just telling someone how to share the entire drive the other day. I'm not sure if taking ownership is required if you allow for sharing permissions using the Security tab. Yes it's a bit of a security risk but sometimes it's the only way. Instructions for sharing an entire drive in the link below.

http://www.sevenforums.com/network-sharing/92521-hdd-sharing.html#post798310