NT4 domain users logging onto AD Servers

mark

Mar 30, 2004
Archived from groups: microsoft.public.win2000.group_policy

Hi,

I have a scenario whereby users that have accounts residing in an NT4 domain require access to logon to Windows 2003 Terminal servers that are located in a Windows 2000 Native AD domain. We also have user accounts defined in the Windows 2000 AD domain.

The terminal servers are configured to use loopback group policy processing.
Basically I get the error
Windows cannot do loopback processing for downlevel or local users. Loopback processing will be disabled.

Is there a way to resolve this? Is it possible to turn on loopback policies for downlevel domain users?

Thanks in advance
 
Guest

Group policy only applies to Win 2k and newer clients. NT 4.0 clients can
use group policy you have to use poledit.

hth
DDS W 2k MVP MCSE

"Mark" <anonymous@discussions.microsoft.com> wrote in message
news:A52110F2-B654-427B-BA74-9198390A146F@microsoft.com...
> Hi,
>
> I have a scenario whereby users that have accounts residing in an NT4
> domain require access to logon to Windows 2003 Terminal servers that are
> located in a Windows 2000 Native AD domain. We also have user accounts
> defined in the Windows 2000 AD domain.
>
> The terminal servers are configured to use loopback group policy
> processing.
> Basically I get the error
> Windows cannot do loopback processing for downlevel or local users.
> Loopback processing will be disabled.
>
> Is there a way to resolve this? Is it possible to turn on loopback
> policies for downlevel domain users?
>
> Thanks in advance
 
Guest

> Win 2k and newer clients. NT 4.0 clients can
> use group policy you have to use poledit.

That should be NT 4.0 clients CAN'T use Group Policy.

DDS
"Danny Sanders" <Danny.Sanders@cpcNOmedSPAM.org> wrote in message
news:ehdlTxLSEHA.1448@TK2MSFTNGP11.phx.gbl...
> Group policy only applies to Win 2k and newer clients. NT 4.0 clients can
> use group policy you have to use poledit.
>
> hth
> DDS W 2k MVP MCSE
>
> "Mark" <anonymous@discussions.microsoft.com> wrote in message
> news:A52110F2-B654-427B-BA74-9198390A146F@microsoft.com...
> > Hi,
> >
> > I have a scenario whereby users that have accounts residing in an NT4
> > domain require access to logon to Windows 2003 Terminal servers that are
> > located in a Windows 2000 Native AD domain. We also have user accounts
> > defined in the Windows 2000 AD domain.
> >
> > The terminal servers are configured to use loopback group policy
> > processing.
> > Basically I get the error
> > Windows cannot do loopback processing for downlevel or local users.
> > Loopback processing will be disabled.
> >
> > Is there a way to resolve this? Is it possible to turn on loopback
> > policies for downlevel domain users?
> >
> > Thanks in advance
>
>
 
Guest

"Danny Sanders" <Danny.Sanders@cpcNOmedSPAM.org> said

> "Mark" <anonymous@discussions.microsoft.com> wrote in message
> news:A52110F2-B654-427B-BA74-9198390A146F@microsoft.com...
>> Hi,
>>
>> I have a scenario whereby users that have accounts residing in an NT4
>> domain require access to logon to Windows 2003 Terminal servers that are
>> located in a Windows 2000 Native AD domain. We also have user accounts
>> defined in the Windows 2000 AD domain.
>>
>> The terminal servers are configured to use loopback group policy
>> processing.
>> Basically I get the error
>> Windows cannot do loopback processing for downlevel or local users.
>> Loopback processing will be disabled.
>>
>> Is there a way to resolve this? Is it possible to turn on loopback
>> policies for downlevel domain users?
>>
>> Thanks in advance

> Group policy only applies to Win 2k and newer clients. NT 4.0 clients can't
> use group policy you have to use poledit.
>

That doesn't quite ring true in this scenario. In the case of a terminal
services or Citrix environment the terminal server *is* the client. The
Windows NT machine is only providing a viewer for what is actually occurring
on the terminal server.
I'm not sure exactly what the problem is but it's definitely not related to
the NT machines. I have NT machines accessing a MetaFrame server farm and all
group policies are being applied fine.

What happens if you log on at the physical terminal for the server?

--
Andy.
 

mark


Don't think I explained myself.

I'm not interested in NT4 workstations, all workstations are either Windows XP or (Windows 2003 as in Citrix).

The issue comes in where the user accounts are located in an NT4 domain and the Windows 2003 server are in an AD domain. This prevents me from running system policies (server in AD), I'm unable to apply Group Policies to user accounts in a downlevel domain.

Hope this is better

Thanks
 
Guest

"Mark" <anonymous@discussions.microsoft.com> said

> Don't think I explained myself.
>
> I'm not interested in NT4 workstations, all workstations are either
> Windows XP or (Windows 2003 as in Citrix).
>
> The issue comes in where the user accounts are located in an NT4 domain
> and the Windows 2003 server are in an AD domain. This prevents me from
> running system policies (server in AD), I'm unable to apply Group
> Policies to user accounts in a downlevel domain.
>
> Hope this is better
>

It shouldn't matter. Although the clients initially log in to the NT domain,
when the users are logging into the terminal services machine it is as if
they are physically at the server, logging in at the console. The initial
client authentication has no bearing on it at all and the group policy should
be applied to the TS session.

What happens if you physically log in at the server console? Are your group
policies being applied?

--
Andy.
 

mark


I fully understand that when logging onto a terminal server the 'client' is as such the software that is running on the Terminal Server, in this case Windows 2003.

But the user account, irrespective of what a user logs onto, is stored in the same domain SAM, in this instance being an NT4 domain SAM.

Logging onto the console offers no difference, as you are still using a user account that is in the NT4 domain, and as such the Windows 2003 server will not process loopback policies because it is a downlevel user. What I'm asking is whether anyone has a way around this. I can't use System policies because the Windows 2003 server is located in AD and it doesn't look for these.

Any other ideas?