|
|
|||||||
I'm trying out Windows 7 RC in our work environment and I've hit a problem with group enumeration straight away. It seems to be unable to enumerate my global group membership. It seems to work with domain locals fine. Any ideas? (I've tried /f) (we have a windows 2000 AD) Thanks Rob |
||||||||
|
|
|||||||
What version of KiXtart are you using and did you run your script with elevated permissions? Please post and example of your code and let us know what version of KiX you're using. |
||||||||
|
|
|||||||
I've tried 4.60.and 4.61 My client OS is windows 7 RC 7100, our AD is Windows 2000 SP4 with all current updates. Same results when run normally or run as administrator. The OS itself must be recognising my global group memberships as I can access shares etc. I've tried several variations of script but basically doing a query for global group membership returns no and enumerating all group membership returns only domain local groups. Script example: if ingroup ("GG-ITS-Users") ? "Yes" Else ? "No" EndIf Script example: $Index = 0 DO $Group = ENUMGROUP($Index) $Index=$Index+1 ? $Group UNTIL Len($Group) = 0 get $anykey |
||||||||
|
|
|||||||
Please try version 4.53 and see if you still have the same issue or not. |
||||||||
|
|
|||||||
Thanks for the suggestion, I've just tried 4.53 and I get the same results either as a standard user or elevated as an admin. |
||||||||
|
|
|||||||
Okay, I'll try it tomorrow at work on my Windows 7 RC 64 Bit system and let you know what I get. My network is AD 2003 in Native mode. |
||||||||
|
|
|||||||
Thankyou for your help |
||||||||
|
|
|||||||
A colleague uses Vista and when he runs the same script he gets both the globals and domain locals listed as "domain\group" When I get the listing of domain locals it is without "domain\" |
||||||||
|
|
|||||||
Well I seem to have the same issue on my Windows 7 RC 64 Bit as well on my AD 2003 network. InGroup not finding proper group membership. Not sure why, didn't try to do any network traces on it. |
||||||||
|
|
|||||||
Thanks for trying it, any suggestions as to where to go from here? |
||||||||
|
|
|||||||
Well unless Ruud comes out with an update not much else you can do with KiXtart. Not as easy but PowerShell is coming on strong with Microsoft. I mean natively, but like PowerShell you can use calls to ADSI or WinNT provider to maybe make those calls instead of internally to KiX. |
||||||||
|
|
|||||||
We use FNINGROUPAD UDF for Vista 64-Bit Computers...haven't tried it with Windows 7 yet. |
||||||||
|
|
|||||||
Hi there, thanks for this report. I tested this on my x64 Win7 RC1 and haven't been able to repro the issue yet. If one of the group enumeration API's fails, for whatever reason, KiXtart should log an entry in the event log. Can you check your eventlogs to see if any errors were logged? Ruud |
||||||||
|
|
|||||||
Hi Ruud, Just noticed your reply. The error in the vent log is: Failed to resolve SID(s) Error : The trust relationship between this workstation and the primary domain failed. (0x6fd/1789) I'm running W7 RTM x86 and our AD is Windows 2000 based. The PC works fine with exchange, file shares and all other domain functions so I'm not aware of how it could be a PC issue. Any help greatly appreciated. Note: I've checked the Default Domain Controller Policy and the default groups have access this computer from the network rights: Administrators Authenticated Users Everyone As per KB262958 |
||||||||
|
|
|||||||
It's funny, I googled the error and the first link pointed right back to the korg forums. Check out these links and see if they help. http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=121076&site_id=1#import http://support.microsoft.com/default.aspx?scid=kb;en-us;262958 |
||||||||
|
|
|||||||
Okay... I don't remember seeing the bottom of your post regarding the groups... nevermind. |
||||||||
|
|
|||||||
Don’t think that this is a kix issue. I've seen some people removing the computer from the domain, renaming it and joining it to the original domain they were in. In some cases this fixed the issue. |
||||||||
|
|
|||||||
I've tried removing and re-adding. renaming and re-adding with the same result. I think you're right that it's not a kix issue as I get this in the winlogon.log: ----Configure Group Membership... Configure Administrators. Error 1789: The trust relationship between this workstation and the primary domain failed. Error occurred during lookup of all accounts. Group Membership configuration was completed with one or more errors. Given that the Default Domain Controller Policy contains Authenticated Users and Everyone I can't understand what the problem is. |
||||||||
|
|
|||||||
Running nltest returns: C:\Windows\system32>nltest /sc_verify:mydomain /server:mypc Flags: b0 HAS_IP HAS_TIMESERV Trusted DC Name \\mydc.mydomain.local Trusted DC Connection Status Status = 0 0x0 NERR_Success Trust Verification Status = 0 0x0 NERR_Success The command completed successfully |
||||||||
|
|
|||||||
This is almost surely "something" to do with the configuration of the permissions in AD. Have you checked http://support.microsoft.com/default.aspx?scid=kb;en-us;262958 to see if that helps? Ruud |
||||||||
|
|
|||||||
Hi, We have the same infrastructure W2K AD SP4 and I have the same Error 1789: The trust relationship between this workstation and the primary domain failed. I've created a new W2K8 AD and did the test with same W7 station,I have the same issue again. |
||||||||
|
|
|||||||
Yes I've checked that. I've also setup another w7 rtm pc with the same problem. I'm probably going to log a call with MS for it. It's odd that it doesn't happen with XP or Vista machines though, I'd be interested to hear of anyone using W7 with a Windows 2000 AD and whether it's ok for them. Thanks for the replies. |
||||||||
|
|
|||||||
One thing you can do is use the SysInternals utility PsGetSID (http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx). This won't solve the issue, but it takes KiXtart out of the equation. The error happens when KiXtart tries to resolve SIDs, so I expect if you try to resolve the SID of a group on your logonserver with PsGetSID, the same error will occur. Ruud |
||||||||
|
|
|||||||
Yes, same error: Error querying account: The trust relationship between this workstation and the primary domain failed. |
||||||||
|
|
|||||||
Hi, I had same problem and tried your solutions without success I conclued that Windows 7 32 or 64 bits has problem to view Global groups in at least W2000 AD - but can view Domain Local Groups. check the following post. http://www.kixtart.org/forums/ubbthreads...true#Post196516 If someone has a clue or direction it will be great. Rgds, Kaffee |
||||||||
|
|
|||||||
I think it has more to do with the authentication of the AD. I had similar problems deploying Windows 7 from WDS. Long story short, try to set this policy on the local Windows 7 computers using gpedit.msc 'Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager Authentication Level' change to 'Send LM & NTLM - use NTLMv2 session security if negotiated' Then reboot, and try the ingroup again. [edit] I've tried this myself today at work using a Windows 7 x86 client in our Windows 2000 Domain. Global groups fail. Universal groups fail. Domain Local groups succeed. [/edit] |
||||||||
|
|
|||||||
Originally Posted By: Ruud van Velsen One thing you can do is use the SysInternals utility PsGetSID (http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx). This won't solve the issue, but it takes KiXtart out of the equation. The error happens when KiXtart tries to resolve SIDs, so I expect if you try to resolve the SID of a group on your logonserver with PsGetSID, the same error will occur. Ruud PsGetSID gets the same errors as KiXtart. Domain Users are resolved. Domain Local groups are resolved. Global groups fail. Universal groups fail. |