  1. #1
    New Lounger
    Join Date
    Aug 2002
    Location
    Cambridge, Massachusetts, USA
    Posts
    9

    WinNT to W2K Profiles not Working

    This is driving us nuts!

    First off, let me say that I am not a PC pro so I'm a bit lost. Nor are we the MIS dept - we do not control the servers.

    We are migrating end users from WinNT to W2K. Our MIS dept has set this up so that the same profile directory is used in both our WinNT domain and Win2K domain. To "convert" a user, we go into Active Directory Users and Computers and activate an account that has been set up. All users are "power users".

    Here's the problem: After activating the Win2K account and logging in through the W2K domain, some users are unable to do much of anything unless they are granted Administrator privileges. They cannot use any Office 2000 programs, use Outlook/Exchange, print, or retain desktop and other settings from one login to the next. When the same person is logged into our WinNT domain, using the exact same profile directory mind you on the same PC, there is no problem at all (except that there is no access to the Exchange server, but I'm told to expect that). If the person's privilege level is raised to Admin from Power User, then login to the Win2K domain goes fine and the person can function as normal.

    When logging into the W2K domain with anything other than Administrator privileges, the user gets these error messages:

    In application log:

    Event Type: Error
    Event Source: Winlogon
    Event Category: None
    Event ID: 1012
    Description:
    The automatic certificate enrollment subsystem could not access local resources needed for enrollment. Enrollment will not be performed. (0x80070005) Access is denied.


    In system log:

    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10001
    Description:
    Unable to start a DCOM Server: {834128A2-51F4-11D0-8F20-00805F2CD064} as /. The error:
    "The system could not find the environment option that was entered. " Happened while starting this command:
    C:\WINNT\System32\MDM.EXE -Embedding

    Any help would be appreciated. I'm desperate!

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112

    Re: WinNT to W2K Profiles not Working

    I searched for "certificate enrollment" at MS, and it appears possible that some certificate was downloaded from the server into a portion of the registry available only to administrators. It's a guess.

    On the second error, remove MDM from the startup, unless these computers are to be used for software development.

  3. #3
    New Lounger
    Join Date
    Aug 2002
    Location
    Cambridge, Massachusetts, USA
    Posts
    9

    Re: WinNT to W2K Profiles not Working

    We managed to resolve the problem, though I'm not sure how elegant the solutions are:

    1. We figured out the problem has something to do with permissions associated with our roaming profiles.

    2. Sledge hammer approach: Delete ntuser.dat and ntuser.dat.log from user's profile directory that resides on server and replace them with new versions that we know work. Be sure to delete user's roaming profile from ALL local PCs. If you don't delete the local profiles the new and old ntuser.dat files are merged at login and the problem remains.

    3. Somewhat more elegant. Have a person with domain administrator rights log into a PC - any PC in network. Open regedt32 and navigate to the top key in the HKEY_USERS hive. Select Registry > Load Hive and navigate to the user's NTuser.dat on the server. Load it and select Security > Permissions. At this point we found out that the affected users did not have permission to modify their registry files under their new account name, so we gave Everyone "full control". Next we went to Advanced options and reset permissions through the subsidiary registry tree. Then we unloaded the ntuser.dat files from the registry and logged the user back in without deleting the local version of the roaming profile. It worked!
    Cliff
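
A scripted, narrower variant of the hive-permission fix in step 3 above, added here as an example and not part of the original thread: it loads the roaming NTUSER.DAT, lists the current ACL, and grants Full Control to the user's new domain account, SYSTEM and Administrators rather than to Everyone. It assumes PowerShell on an administrator's workstation and that the user is logged off everywhere; the hive path, account name and mount name are placeholders.

```powershell
# Added example: the hive path, account and mount name are placeholders.
param(
    [string]$HivePath = '\\SERVER\profiles\jdoe\NTUSER.DAT',   # placeholder
    [string]$Account  = 'W2KDOMAIN\jdoe',                      # placeholder
    [string]$Mount    = 'TempProfileHive'                      # temporary key name
)

# Load the offline hive under HKEY_USERS (requires administrative rights).
& reg.exe load "HKU\$Mount" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    $keyPath = "Registry::HKEY_USERS\$Mount"
    $acl = Get-Acl -Path $keyPath

    # Show who has access now; the migrated account is typically missing here.
    $acl.Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited

    # Inheritable ACEs: subkeys that block inheritance keep their own ACLs
    # and would still need the manual "reset permissions" step.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    foreach ($id in @($Account, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $id, 'FullControl', $inherit, $prop, 'Allow')
        $acl.SetAccessRule($rule)   # replaces any existing Allow ACE for $id
    }
    Set-Acl -Path $keyPath -AclObject $acl
}
finally {
    # Release open key handles, otherwise the unload fails with "Access is denied".
    $acl = $null
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$Mount" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Hive still loaded at HKU\$Mount" }
}
```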
