
DOS user log on to AD


NFI

Hiya,

How do I allow DOS users to log on to my Active Directory Domain under Server 2003?

They just get "Error 5: Access Denied" at the moment.

I know this is possible, as I had it working before, but I've had to reinstall the server and whatever I did before has gone...

I can't remember if it was a GPO I set or something more command-line like... :(


Any help will be much appreciated,

Paul
 
DOS cannot log on to the Active Directory. What you can do is use cached account information using a PWL file.

NET LOGON <username> /SAVEPW:YES

Make sure you set SYSTEM.INI to the domain name as a WORKGROUP.
 
Hi chaps,

thanks for your input, but I know you can actually do this, as "I had it working before, but I've had to reinstall the server and whatever I did before has gone...".

I'm fairly certain that this is a GPO setting to do with the encryption and signing of client/server communications, but I've tried everything I can find...

Micro$oft themselves give info on a workaround
http://support.microsoft.com/default.aspx?scid=kb;en-us;811497, saying: "Although Microsoft does not recommend it, you can prevent SMB signing from being required on all domain controllers that run Windows Server 2003 in a domain."

Has anybody else tried this before? I swear I had this working until last week, when I had to reinstall my server :( I really wish I'd written down what I did...


Thanks,

Paul
 
Did some research.

We use DOS to deploy Windows XP machines using Altiris.
You are looking for these settings:

In Default Domain Controllers GPO under Computer Configuration -> Windows Settings -> Security Settings -> Security Options are three objects under Domain Member:

1. Digitally encrypt or sign secure data channel (always)
2. Digitally encrypt secure data channel (when possible)
3. Digitally sign secure data channel (when possible)

Do need to adjust those settings. If you need more info I need to dive into our production machines tomorrow and see what they are set to.

I think this is what you meant.
 
Hi Chaps,

again, thanks for all your efforts - PorkChopExpress: I missed your link, sorry about that...

So far, I've set the following in my default domain GP:

Domain Member: Digitally encrypt or sign secure channel data (always): Disabled
Domain Member: Digitally encrypt secure channel data (when possible): Disabled
Domain Member: Digitally sign secure channel (when possible): Disabled
Microsoft network client: Digitally sign communications (always): Disabled
Microsoft network client: Digitally sign communications (if server agrees): Disabled
Microsoft network server: Digitally sign communications (always): Disabled
Microsoft network server: Digitally sign communications (if client agrees): Disabled

Microsoft network client: Send unencrypted password to third-party SMB servers: Enabled
Network access: Allow anonymous SID/Name translation: Enabled
Network access: Let Everyone permissions apply to anonymous users: Enabled

Network security: Minimum session security for NTLM based (including secure RPC) clients: No minimum
Network security: Minimum session security for NTLM based (including secure RPC) servers: No minimum

Domain controller: LDAP server signing requirements: None
Network security: LDAP client signing requirements: None

Network security: LAN Manager authentication level: Send LM & NTLM responses


I'd be very interested to know what you have set in your Group Policy Loki1973, as I think I may be attempting a similar operation to you; I have an automated build system that starts from a DOS boot disk, logs onto the domain and then installs XP on each client machine from the server.

All the best,

Paul
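
An added example, not part of the original thread: a short Python audit that reads a `secedit /export` security template and reports which of the settings relaxed in the post above are present in their weakened state. The registry value names are the standard ones behind these Security Options; the table covers only a subset of the post's list, and the sample template text is constructed.

```python
# Added example (not from the thread). Real exports are usually UTF-16;
# decode the file before passing its text to audit().
PREFIX = "machine\\system\\currentcontrolset\\"

# Registry value (lower-cased, prefix stripped) -> (policy name, value the post sets)
WEAK = {
    r"services\netlogon\parameters\requiresignorseal":
        ("Domain member: Digitally encrypt or sign secure channel data (always)", 0),
    r"services\lanmanserver\parameters\requiresecuritysignature":
        ("Microsoft network server: Digitally sign communications (always)", 0),
    r"services\lanmanserver\parameters\enablesecuritysignature":
        ("Microsoft network server: Digitally sign communications (if client agrees)", 0),
    r"services\lanmanworkstation\parameters\enableplaintextpassword":
        ("Microsoft network client: Send unencrypted password to third-party SMB servers", 1),
    r"control\lsa\everyoneincludesanonymous":
        ("Network access: Let Everyone permissions apply to anonymous users", 1),
    r"control\lsa\lmcompatibilitylevel":
        ("Network security: LAN Manager authentication level", 0),
}

def audit(template_text):
    """Return sorted policy names whose exported REG_DWORD matches the weak value."""
    findings, section = [], None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        key, _, data = line.partition("=")
        key = key.strip().lower()
        if not key.startswith(PREFIX):
            continue
        check = WEAK.get(key[len(PREFIX):])
        reg_type, _, value = data.partition(",")   # "4,0" = REG_DWORD, value 0
        value = value.strip()
        if check and reg_type.strip() == "4" and value.isdigit() and int(value) == check[1]:
            findings.append(check[0])
    return sorted(findings)

# Constructed sample in the layout secedit writes.
SAMPLE = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,1
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running the same check against an export taken before and after a policy change shows exactly which of these protections the change removed.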
 
We use a similar system for deploying our workstations but I still collect my images from a Win2k box. I'll keep an eye on this thread as I'll be moving them to a Win2k3 server at some point.

What DOS boot disk do you use?
 
Hiya,

I use a win98 image on a USB memory stick. This runs a couple of batch files that partition and format the client machine's drive then logs onto the domain, maps a drive and copies all the install files from a central server to a ram disk, which is where XP then installs itself from - this minimises traffic across the network. Once XP has installed, another batch file is called and all the applications are installed across the network, straight from the server - it's really flexible this way...

Paul
 
Yep, that's similar to how we do it, only we use floppy disks at the mo. I might have to look into using pen drives myself.
 
You're probably executing msnet in your DOS build script. Curious, have you tried

runas /netonly /user:<username> "<program>"
 
Hiya,

I try to log onto my domain from DOS with the following command:

Net Logon <domain user> <password> /Domain:<domain name> /SavePW:No /yes <pwd.txt

where pwd.txt is a file containing a password supplied by the user through a previous challenge/response.

I'm not sure how RunAs would be used in this situation?

I'll have a bit of a think, though :)

All the best,

Paul

 