ID Number: Q65410
2.00
OS/2
Question:
When one of our users logs on to the network, the user uses the logon
name of ADMIN with the ADMIN password that we have established on the
domain controller. However, when the user runs NET ADMIN, the user is
told that only USER privileges are allowed on the machine that the
user logged in on. If the user logs on as ADMIN with the password of
"PASSWORD", the user receives an "access denied" error message. Since
the use of the ADMIN logon name in this manner does not allow the user
to administer their own [standalone] server, how can this be done?

Response:

When you log on to the network with a domain controller active, you
receive the privileges assigned to the account name with which you
logged on, as defined in the domain controller's user database.

When you run NET ADMIN, your privilege level for administration of
your local computer is the privilege level assigned to the account
name with which you are logged on, as defined in your local computer's
user database.

In this particular case, it appears that someone has changed the ADMIN
account password from "PASSWORD" to "XXX&". In other words, in the
domain controller's user database, the ADMIN account now has the
password of "XXX&". Since your local computer is not acting as a
member or backup domain controller, the domain controller's user
database is not replicated to your local computer. Thus, unless you
explicitly change the ADMIN account password in your local user
database, it is still recorded with the default password of
"PASSWORD".

This presents a "catch-22" situation. Since you don't have ADMIN
privileges on your local computer, you cannot change your local
computer's ADMIN account password (to "XXX&"). When you attempt to log
on as ADMIN with the default password of "PASSWORD", the domain
controller, which verifies the logon against the ADMIN account
recorded in its database (with the "XXX&" password), returns an error
message of "access denied."

This problem can be resolved by using the following procedure:

1. Log on to your local computer, referencing a nonexistent domain.
   For example:

      NET LOGON ADMIN PASSWORD /DOMAIN:NONE

   * You will be logged on as STANDALONE because there is no (NONE)
     domain. You now have ADMIN privileges on your local machine.

2. Run NET ADMIN and change the ADMIN account password to "XXX&"
   (the same as the ADMIN account password as defined in the ADMIN
   account on the domain controller).

3. Log off and log back on with the "XXX&" password (without the
   domain specification). For example:

      NET LOGOFF
      NET LOGON ADMIN XXX&

You now have ADMIN privileges on the domain as well as on your local
computer.