2008 R2 and Xp sp3, access denied
Hi, I had a workgroup network and created a domain on Server 2008 R2, then joined every computer (XP SP3) to the domain. Now no one can write or create anything on the local drive; they get read-only access. Any idea?
August 20th, 2011 3:55am

Have you created any GPOs that may restrict access to the drive? In Active Directory Users and Computers, move one of the affected machines from whichever OU it is in to the Computers folder. This folder doesn't get any GPOs applied by default, except Default Domain. Do a gpupdate /force and give it 2 reboots to be safe, then log in and try accessing the C: drive. If you can, then it is a GPO that is stopping access to the drive.
August 20th, 2011 4:00am

Just to make sure, can you please log on to the local computer on the same computer and check the behavior, and also please collect the information using rsop.msc.
http://www.virmansec.com/blogs/skhairuddin
August 20th, 2011 4:11am

No, there is no GPO or anything; users can access if they have administrator privileges.
August 20th, 2011 4:35am

Do you mean they can only create/modify files in their own profile (e.g. My Documents), but not create/modify c:\data or c:\windows or c:\program files? Or can they not even create/modify their own My Documents?
Don
August 20th, 2011 7:15am

If you insist there are no group policies, then you need to give users the proper NTFS permissions for the drive.
http://www.virmansec.com/blogs/skhairuddin
August 20th, 2011 7:23am

Don, thanks for the reply. Nope, they cannot create/modify anywhere.
------------------------------------------------
Hi Syed, I knew that, but I want to know why this happens, and it's silly that I have to do the NTFS permissions for the entire network.
August 20th, 2011 7:59am

Well, the default permissions should be: Users group with read and execute, read, and list folders. If it does not really come up that way, then you should check for malware.
http://www.virmansec.com/blogs/skhairuddin
August 20th, 2011 8:39am

OK, so on one of these workstations, log in with a domain account, open up the Computer Management MMC, look in the users and groups on the PC, and see if "Domain Users" is a member of the "Users" group of the local machine (that is the default). If this is found OK, then check whether the permissions of the local Users group have been changed from the default on the machine.

Because it's XP, there is also the question of "what permissions did the users have when it was a workgroup?" Were the users "Users", or "Power Users" or "Administrators"? And what do the user permissions/memberships need to be, now that the PCs are domain members?

You might also benefit from checking a few places in the PC disk/NTFS for non-default DACLs, broken inheritance, etc. Are there lots of errors/messages when a user logs on? And none when a domain admin logs on? Is Event Viewer recording lots of warnings/errors? These would help you locate the problem, I think.

If these PCs were built/imaged from one source, and that source is very non-typical, this could be why the problem is so widespread. It might be a matter of creating a GPO to apply "Domain Users" into the local "Users" group, but if this is what you find, I would always be wondering "what else is not correct in these PCs?" :)
Don
August 20th, 2011 6:26pm

My colleague found these logs:

Netlogon: No Domain Controller is available for domain SATRAPJONOUB due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

and

Userenv: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

I don't know if it helps.
August 21st, 2011 8:51am

OK, I am MrSaadati's colleague. I think that I could give you more detail about what I just discovered. I have seen all of the above you said, Don, but here is the thing. As Mahyar said, I checked the log and those two popped up. All the users were part of the Administrators group before. And I have also noticed that some files are not inheriting; I just don't know why, because they weren't open either. "I think it's the broken inheritance, but why?" And a funny thing: when I tried to see the security settings, I saw that Creator Owner has exactly no permissions. It was there, but with no permissions. Domain Users was in local Users. And we have this problem: sometimes PCs can't see their own domain, but they can log in with users that have never been logged in on that PC. Looks like a problem with DHCP, because when I do the release and renew commands it starts seeing other PCs or its own domain. "Of course, with the Administrator user."
August 21st, 2011 9:45am

OK, "can't find a DC" is normal if the PC is disconnected (e.g. a laptop), but if these are desktop PCs and the network is always connected between PC and DC, then it looks like you have a networking problem. Yes, that could be DHCP, but it is more likely to be DNS. Are any PCs working correctly? Can you please perform ipconfig /all at a workstation and paste the unedited output here?
Don
August 21st, 2011 6:20pm

There you go, completely uncut:

C:\Documents and Settings\administrator.SATRAPJONOUB>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : BavarSad-2001
        Primary Dns Suffix  . . . . . . . : satrapjonoub.local
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : satrapjonoub.local
                                            satrapjonoub.local

Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . : satrapjonoub.local
        Description . . . . . . . . . . . : D-Link DFE-530TX PCI Fast Ethernet Adapter (rev.C)
        Physical Address. . . . . . . . . : 00-1C-F0-A1-AA-D4
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.237
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.2
        DHCP Server . . . . . . . . . . . : 192.168.0.10
        DNS Servers . . . . . . . . . . . : 192.168.0.10
                                            4.2.2.4
                                            8.8.8.8
        Lease Obtained. . . . . . . . . . : Sunday, August 21, 2011 4:03:05 PM
        Lease Expires . . . . . . . . . . : Monday, August 29, 2011 4:03:05 PM

C:\Documents and Settings\administrator.SATRAPJONOUB>

Nothing Is True, Everything Is Permitted
August 22nd, 2011 4:53am

I have just noticed that you have 4.2.2.4 and 8.8.8.8 set in the DNS of the server. Would it be best to make these the DNS forwarders of your DNS server rather than a DNS entry?
August 23rd, 2011 9:07am
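
The DNS point raised in the replies above can be checked mechanically. The following is an added example, not part of the original thread: it parses `ipconfig /all` text and lists DNS servers outside private address space, which hold no copy of an internal Active Directory zone such as satrapjonoub.local. The function names are illustrative, and the sample input is taken from the posted output, one field per line.

```python
import ipaddress
import re

# Sample input: fields from the `ipconfig /all` output posted in the thread,
# laid out one per line the way ipconfig prints them.
SAMPLE = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : BavarSad-2001
        Primary Dns Suffix  . . . . . . . : satrapjonoub.local
Ethernet adapter Local Area Connection 3:
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.237
        DHCP Server . . . . . . . . . . . : 192.168.0.10
        DNS Servers . . . . . . . . . . . : 192.168.0.10
                                            4.2.2.4
                                            8.8.8.8
        Lease Obtained. . . . . . . . . . : Sunday, August 21, 2011 4:03:05 PM
"""

# "   Key . . . . : value"; requiring a space before the colon keeps
# IPv6 continuation lines from being mistaken for a new field.
FIELD = re.compile(r"^\s+(?P<key>[^:]+?)[ .]* :\s*(?P<val>.*)$")


def parse_ipconfig(text):
    """Map each field name to its values (all adapters merged; illustrative helper)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group("key").strip()
            fields.setdefault(last, []).append(m.group("val").strip())
        elif last and line.startswith(" ") and line.strip():
            fields[last].append(line.strip())  # wrapped value, e.g. 2nd DNS server
        else:
            last = None
    return fields


def external_dns_servers(text):
    """DNS servers outside private address space; they hold no internal AD zone."""
    servers = parse_ipconfig(text).get("DNS Servers", [])
    return [s for s in servers if s and not ipaddress.ip_address(s).is_private]


if __name__ == "__main__":
    suffix = parse_ipconfig(SAMPLE).get("Primary Dns Suffix", ["?"])[0]
    for server in external_dns_servers(SAMPLE):
        print(f"{server}: public resolver, cannot locate a DC for {suffix}")
```
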

Hi,

According to your description, it seems that this permission issue occurs only on one client. Based on the current situation, you may manually correct the permissions and use the “Replace all child object permissions with inheritable permissions from this object” option to correct the permissions for sub folders and sub files. If it does not work, you may also try Cacls or SubInAcl to reset the permissions.

For more information, please refer to the following Microsoft articles:

Security Descriptors and Access Control Lists Tools and Settings
http://technet.microsoft.com/en-us/library/cc784419(WS.10).aspx

How do I restore security settings to a known working state?
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23510

Regards,
August 24th, 2011 5:47pm

It's happening on every client. Each and every one of them. And we have a new big problem :D Hey everybody, policies are not applying :D What the hell is wrong here?! Clients can see the DC but can't get their policy. Where did I go wrong?
Nothing Is True, Everything Is Permitted
August 25th, 2011 1:04pm

Hi,

I would like to suggest you perform the following steps to check if the “access denied” error is caused by Group Policy. Please disconnect one Windows XP client from the domain and perform the following steps to test the issue.

Delete All Group Policy Registry keys
========================

1. Click “Start”, type “regedit.exe” (without quotation marks) into the “Run” box and press Enter.
2. Locate the following key:
   [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft]
   Right click on "Microsoft", click "Export"; please name the file as "RegBackup" (without quotation marks) and then save it to the C:\ drive as a backup.
   Note: In case we need to undo the modification, we can double click this RegBackup.reg file to restore the registry key.
3. Highlight Microsoft and click "Delete".
4. Please repeat the above steps for the following registry keys.
   [HKEY_CURRENT_USER\Software\Policies\Microsoft]
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
   Note: if some keys do not exist, please ignore them.
5. Exit the Registry Editor.

After that, please restart the computer to check the result. What’s the result?

For Group Policy issues, you may refer to the following Microsoft TechNet article for more troubleshooting information:

Troubleshooting Group Policy Problems
http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx

Regards,
August 31st, 2011 9:34pm

This topic is archived. No further replies will be accepted.