Hi list, I recently ran into a strange issue at a customer site and this one's got me pretty well stumped. Here's the scenario:
Two forests:

* ForestA.local (empty root) has child domain Stuff.local; FFL 2003, both DFLs 2008R2
* ForestB.net is a single-domain forest; FFL and DFL are 2008R2

There is a two-way external trust between Stuff.local and ForestB.net. Stuff.local "selectively" trusts ForestB\Domain Users and ForestB\Domain Computers on all involved domain member computers and DCs. ForestB trusts Stuff.local domain-wide.

Machines in ForestB.net have a GPO startup script (e.g., \\forestb\netlogon\somescript.cmd) which references installation files in Stuff.local using the FQDN of a Windows 2008 fileserver (\\server.stuff.local\someshare$\somefile.exe). The GPO + script work correctly and predictably on Windows 7; however, Windows XP SYSTEM accounts cannot access \\server.stuff.local at all, providing only an "access denied" / err 5 message, whether attempted via GPO processing or running a shell as the System account with psexec -s.

I've turned on all available access auditing and SACLs on server.stuff.local to try to identify the security context of the call, but have come up empty so far. Regular user accounts logged in to ForestB have no problem accessing the share cross-forest, and there are no apparent issues with regard to NTLM restrictions, health of the trust, Kerberos, SPNs, etc. Unfortunately I don't have the resources right now to take a network capture.

One thing I've noticed is that psexec -s shows an effective account name of MACHINENAME$ on Windows 7, but LocalSystem on XP. So far my best guess is that XP's effective system network identity is falling back to the NULL SID.

Thoughts, anyone?

Thanks,
Steve

(Cross-posted to the ActiveDir list also... any answers or clues will be shared joyfully between lists)

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
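The whole question comes down to what security context server.stuff.local actually sees when the XP box connects, and the poster says the audit log has not shown it yet. Below is an added example (not the poster's script and not from the list) of pulling exactly that from the file server's Security log with PowerShell: it correlates logon events 4624/4625 and share-access event 5140 for one client IP and flags whether the server saw a machine account (MACHINENAME$), a user, or ANONYMOUS LOGON (SID S-1-5-7, i.e. a null session). It assumes the file server has PowerShell with Get-WinEvent available (Windows Server 2008 with .NET 3.5 or later), that "Audit logon events" and "Audit object access" are enabled for success and failure so those events are written, and that you know the failing XP client's IP address. The script name Get-ClientAuthContext.ps1 and its parameters are my own choices.

```powershell
# Added example for this thread, not the original poster's startup script.
# Run on the file server (server.stuff.local) that returns "access denied" to the XP client.
# Assumptions: Get-WinEvent is available, success+failure auditing for logon events and
# object access is turned on, and the XP client's IP address is known. Parameter names are mine.
param(
    [Parameter(Mandatory = $true)][string]$ClientIp,   # IP of the XP machine getting error 5
    [int]$Hours = 2                                     # how far back to search
)

# Flatten the <EventData><Data Name="...">value</Data> pairs of a Security event into a hashtable.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        # GetAttribute/InnerText avoid the ambiguity between the Name attribute and XmlElement.Name
        $map[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $map
}

# Logon events (4624/4625) name the authenticated principal in Target* fields; the share-access
# event (5140) names it in Subject* fields. Normalise both into one record.
function ConvertTo-AccessRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [hashtable]$Data)
    $isShare = ($Record.Id -eq 5140)
    $user = if ($isShare) { $Data['SubjectUserName'] }   else { $Data['TargetUserName'] }
    $dom  = if ($isShare) { $Data['SubjectDomainName'] } else { $Data['TargetDomainName'] }
    $sid  = if ($isShare) { $Data['SubjectUserSid'] }    else { $Data['TargetUserSid'] }
    New-Object PSObject -Property @{
        Time           = $Record.TimeCreated
        EventId        = $Record.Id
        Account        = "$dom\$user"
        Sid            = $sid
        LogonType      = $Data['LogonType']                 # 3 = network logon, what SMB access should show
        AuthPkg        = $Data['AuthenticationPackageName'] # NTLM vs Kerberos
        Status         = $Data['Status']                    # 4625 only: NTSTATUS of the failure
        SubStatus      = $Data['SubStatus']                 # 4625 only: more specific failure code
        Share          = $Data['ShareName']                 # 5140 only
        # S-1-5-7 is ANONYMOUS LOGON: the server saw a null session, not a machine or user account.
        Anonymous      = ($sid -eq 'S-1-5-7')
        # A name ending in '$' is a computer account: proof the client authenticated across the trust.
        MachineAccount = ($user -match '\$$')
    }
}

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4624, 4625, 5140; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Accept the plain IPv4 form and the IPv4-mapped "::ffff:a.b.c.d" form some builds log.
$ipPattern = '(^|:)' + [regex]::Escape($ClientIp) + '$'

$results = foreach ($e in $events) {
    $d = Get-EventDataMap -Record $e
    if ($d['IpAddress'] -notmatch $ipPattern) { continue }
    ConvertTo-AccessRecord -Record $e -Data $d
}

if (-not $results) {
    Write-Warning ("No 4624/4625/5140 events from $ClientIp in the last $Hours h. " +
                   "Either auditing is not writing those events or the client never reached this host " +
                   "(name resolution, firewall, or the connection was refused before authentication).")
} else {
    # Note: 4625 always reports S-1-0-0 (NULL SID) for the target, so read Account/Status there,
    # and read Sid/Anonymous/MachineAccount from the 4624 and 5140 rows.
    $results | Sort-Object Time |
        Format-Table Time, EventId, Account, Sid, LogonType, AuthPkg, Status, SubStatus, Share, Anonymous, MachineAccount -AutoSize
}
```

Run it as a local administrator on the file server while the XP client retries the startup script, e.g. `.\Get-ClientAuthContext.ps1 -ClientIp 10.0.0.23 -Hours 1` (the IP is a placeholder). A 4624 row whose Account ends in `$` with AuthPkg NTLM or Kerberos means the XP machine account did authenticate across the external trust and the error 5 is an authorization problem (share or NTFS ACL, or selective authentication's "Allowed to Authenticate" on the file server object); a row with Anonymous = True means the client arrived as a null session, which matches the poster's NULL SID theory; no rows at all means the connection died before authentication, which points at name resolution or SMB negotiation rather than permissions.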
