Cached Vista domain logon gives user (almost) no privs...help?
Greetings, all. Allow me to offer my thanks in advance for your help. I really struggled with where to post this, because an argument could be made that it belongs in the security forum, but the problem arises as a result of network-related issues, so I broke out the lucky nickel and this group won. My apologies in advance if the consensus is this post belongs elsewhere.

I'm befuddled by a Vista Ultimate wireless laptop that is a member of a small domain. When this box is used within the network, everything works normally. However, when the laptop is taken out (away from the network), and cached logons are used, the privileges/group memberships normally assigned to those users are no longer honored. Users from the domain can log on, but have almost *no* privileges to even run simple apps like Notepad or Solitaire, getting an error to the effect of "You do not have privileges to run this application." The machine borders on the unusable. The built-in Administrator account runs just fine and is fully/normally privileged.

When disconnected from the network, I have viewed account memberships via Local Users and Groups while logged on as the local Administrator. As would be expected, the <Machine>\Users and <Machine>\Administrators groups show the SIDs for the Domain Users and Domain Admins groups, so it hasn't "forgotten" about those groups even if it doesn't display their "friendly" name. Yet whatever connects the user to those groups in cached logon mode is, apparently, broken.

This box was also failing cached logons *entirely* with the message "The System Event Notification Service has failed the logon." I disabled this service and was at least able to log on to the laptop with the described behavior. I have noted the CachedLogonsCount on this box and it is set to the default of 10.

This bizarre behavior is *not* seen on two other wireless domain members - one is another Vista Ultimate box, the other a Windows 7 Professional box. Users on those boxes are able to operate under cached credentials just as you would expect.

Something is not happy with this laptop, and I'm just not sure what. Any suggestions on where to start looking next would be greatly appreciated.

Blessings,
David
January 25th, 2010 5:30pm
Although I am not yet 100% ready to declare victory over this problem, I believe I am very nearly ready to do precisely that.
My further investigation on this laptop revealed that the problem was not, specifically, tied to a permissions issue. It had to do with a networking issue.
I had disabled the System Event Notification Service temporarily, as it was being tagged as having "failed" prior off-domain logon attempts. I was then getting a report that the trust relationship between the laptop and the domain failed, which made no sense, as it couldn't possibly talk to the domain in the first place.
After logging into the laptop via the local administrator account, I could see that the laptop was not on the network at all, despite the fact Vista informed me it was connected - albeit without Internet access. I ran ipconfig /all and discovered that the laptop had only an APIPA address - one of those bogus 169.x.x.x addresses that are assigned when a request from a DHCP server fails.
I then investigated the DHCP server, and from its logs I could verify that the adapter was issuing a DHCPREQUEST, and the DHCP server (off a Linux box) was writing a lease into its temporary database, but was ignoring the subsequent DHCPOFFER. I then realized the real problem here was the failure of the laptop to gain an address, which then led me to the famous DHCPConnForceBroadcastFlag issue (http://support.microsoft.com/default.aspx/kb/928233). The same router was handling another Vista laptop in my domain; yet, when I finally got my arms around the DHCP Broadcast flag setting issue in Vista, I checked the corresponding registry entry in the "working" Vista laptop - and it was set to 0, which is the "fix" value. So it worked, because it was already fixed. The same registry entry in the evil, failing Vista laptop was set to "1".
I changed the entry in the failing Vista laptop to "1", and across four reboots and two "awakenings" from sleep mode, I have a) regained network connectivity and b) had no further permissions issues after logging in. I was able to run the server's DHCP daemon in foreground mode to check messages from clients, and where the DHCPACK messages were never emitted previously, they are now appearing immediately after the DHCPOFFER the laptop issues.
Now, this does not explain why the evil laptop *ever* worked, which does imply the possibility that this is not a true fix, but I'm crossing my fingers at this point as I have yet to encounter any further difficulty with this laptop since applying the change.
I have yet to take the laptop off site (where there is no network) or to a different WiFi "hotspot" to conclude once and for all the issue is resolved, but I have a strong suspicion things are going to work properly. I realize there have been several views, but no replies to this issue, so perhaps it has caught the curiosity of some. As a result, pending those remaining tests, I will advise and close this thread upon confirmation.
Blessings,
David
January 31st, 2010 11:37pm
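A read-only diagnostic that pulls together the three things the thread checked by hand (an APIPA address on the adapter, the per-interface broadcast-flag value from KB928233, and CachedLogonsCount). This is an added example, not code from the original posts; it assumes an elevated PowerShell 2.0 or later session on the affected Vista/Windows 7 client, and it uses the KB's spelling DhcpConnForceBroadcastFlag (registry value names are case-insensitive, so the thread's DHCPConnForceBroadcastFlag is the same value).

```powershell
# Diagnostic for the off-network cached-logon symptom described in this thread.
# Reports only; it changes nothing. Assumed: run elevated on the client in question.

$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$wlKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Adapters with a DHCP lease that collapsed to an APIPA (169.254.x.x) address.
#    SettingID is the {GUID} that names the matching key under $ifRoot.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $apipa = @($_.IPAddress) | Where-Object { $_ -like '169.254.*' }
        New-Object PSObject -Property @{
            Adapter   = $_.Description
            SettingID = $_.SettingID
            DhcpOn    = $_.DHCPEnabled
            Apipa     = ($apipa -join ',')
        }
    } | Format-Table Adapter, SettingID, DhcpOn, Apipa -AutoSize

# 2. Per-interface DhcpConnForceBroadcastFlag (KB928233). The thread reports 0 on the
#    laptop that obtained a lease and 1 on the one that did not; an absent value means
#    the client is using the Vista default behaviour for that interface.
Get-ChildItem $ifRoot | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -Name DhcpConnForceBroadcastFlag `
            -ErrorAction SilentlyContinue
    if ($p) { $flag = $p.DhcpConnForceBroadcastFlag } else { $flag = '(not set)' }
    New-Object PSObject -Property @{
        Interface                  = $_.PSChildName
        DhcpConnForceBroadcastFlag = $flag
    }
} | Format-Table Interface, DhcpConnForceBroadcastFlag -AutoSize

# 3. Number of domain logons Winlogon keeps cached for use off the network
#    (the thread's laptop showed the default of 10).
$clc = (Get-ItemProperty -Path $wlKey -Name CachedLogonsCount -ErrorAction SilentlyContinue)
if ($clc) { "CachedLogonsCount = $($clc.CachedLogonsCount)" } else { 'CachedLogonsCount not set' }
```

Correlate the SettingID of any adapter showing an APIPA address with the Interface column in the second table to see which interface key carries the flag value.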