| bobba |
| (Fresh Scripter) |
| 2009-05-19 03:25 PM |
Windows 7 RC & Kix & Globabl Groups
|
I'm trying out Windows 7 RC in our work environment and I've hit a problem with group enumeration straight away. It seems to be unable to enumerate my global group membership. It seems to work with domain locals fine.
Any ideas?
(I've tried /f)
(we have a windows 2000 AD)
Thanks
Rob
NTDOC
|
| (KiX Master) |
| 2009-05-19 06:46 PM |
|
|
Re: Windows 7 RC & Kix & Globabl Groups
|
What version of KiXtart are you using and did you run your script with elevated permissions?
Please post and example of your code and let us know what version of KiX you're using.
| bobba |
| (Fresh Scripter) |
| 2009-05-20 11:01 AM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
I've tried 4.60.and 4.61
My client OS is windows 7 RC 7100, our AD is Windows 2000 SP4 with all current updates.
Same results when run normally or run as administrator.
The OS itself must be recognising my global group memberships as I can access shares etc.
I've tried several variations of script but basically doing a query for global group membership returns no and enumerating all group membership returns only domain local groups.
Script example:
if ingroup ("GG-ITS-Users")
? "Yes"
Else
? "No"
EndIf
Script example:
$Index = 0
DO
$Group = ENUMGROUP($Index)
$Index=$Index+1
? $Group
UNTIL Len($Group) = 0
get $anykey
|
NTDOC
|
| (KiX Master) |
| 2009-05-20 11:17 AM |
|
|
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Please try version 4.53 and see if you still have the same issue or not.
| bobba |
| (Fresh Scripter) |
| 2009-05-20 11:22 AM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Thanks for the suggestion, I've just tried 4.53 and I get the same results either as a standard user or elevated as an admin.
|
NTDOC
|
| (KiX Master) |
| 2009-05-20 11:24 AM |
|
|
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Okay, I'll try it tomorrow at work on my Windows 7 RC 64 Bit system and let you know what I get.
My network is AD 2003 in Native mode.
| bobba |
| (Fresh Scripter) |
| 2009-05-20 11:50 AM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Thankyou for your help
| bobba |
| (Fresh Scripter) |
| 2009-05-20 11:56 AM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
A colleague uses Vista and when he runs the same script he gets both the globals and domain locals listed as "domain\group"
When I get the listing of domain locals it is without "domain\"
|
NTDOC
|
| (KiX Master) |
| 2009-05-20 11:59 PM |
|
|
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Well I seem to have the same issue on my Windows 7 RC 64 Bit as well on my AD 2003 network. InGroup not finding proper group membership.
Not sure why, didn't try to do any network traces on it.
| bobba |
| (Fresh Scripter) |
| 2009-05-21 11:47 AM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Thanks for trying it, any suggestions as to where to go from here?
|
NTDOC
|
| (KiX Master) |
| 2009-05-22 12:34 AM |
|
|
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Well unless Ruud comes out with an update not much else you can do with KiXtart. Not as easy but PowerShell is coming on strong with Microsoft.
I mean natively, but like PowerShell you can use calls to ADSI or WinNT provider to maybe make those calls instead of internally to KiX.
| KIXKicks |
| (Starting to like KiXtart) |
| 2009-07-15 08:37 PM |
|
|
Re: Windows 7 RC & Kix & Globabl Groups
|
We use FNINGROUPAD UDF for Vista 64-Bit Computers...haven't tried it with Windows 7 yet.
| Ruud van Velsen |
| (Hey THIS is FUN) |
| 2009-08-22 01:21 PM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Hi there,
thanks for this report. I tested this on my x64 Win7 RC1 and haven't been able to repro the issue yet. If one of the group enumeration API's fails, for whatever reason, KiXtart should log an entry in the event log.
Can you check your eventlogs to see if any errors were logged?
Ruud
| bobba |
| (Fresh Scripter) |
| 2009-08-25 02:57 PM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Hi Ruud,
Just noticed your reply. The error in the vent log is:
Failed to resolve SID(s) Error : The trust relationship between this workstation and the primary domain failed. (0x6fd/1789)
I'm running W7 RTM x86 and our AD is Windows 2000 based. The PC works fine with exchange, file shares and all other domain functions so I'm not aware of how it could be a PC issue.
Any help greatly appreciated.
Note:
I've checked the Default Domain Controller Policy and the default groups have access this computer from the network rights:
Administrators
Authenticated Users
Everyone
As per KB262958
|
Allen
|
| (KiX Supporter) |
| 2009-08-25 03:20 PM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
It's funny, I googled the error and the first link pointed right back to the korg forums. Check out these links and see if they help.
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=121076&site_id=1#import
http://support.microsoft.com/default.aspx?scid=kb;en-us;262958
|
Allen
|
| (KiX Supporter) |
| 2009-08-25 03:22 PM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Okay... I don't remember seeing the bottom of your post regarding the groups... nevermind.
| Mart |
| (KiX Supporter) |
| 2009-08-25 03:24 PM |
|
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Don’t think that this is a kix issue.
I've seen some people removing the computer from the domain, renaming it and joining it to the original domain they were in. In some cases this fixed the issue.
| bobba |
| (Fresh Scripter) |
| 2009-08-26 11:00 AM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
I've tried removing and re-adding. renaming and re-adding with the same result. I think you're right that it's not a kix issue as I get this in the winlogon.log:
----Configure Group Membership...
Configure Administrators.
Error 1789: The trust relationship between this workstation and the primary domain failed.
Error occurred during lookup of all accounts.
Group Membership configuration was completed with one or more errors.
Given that the Default Domain Controller Policy contains Authenticated Users and Everyone I can't understand what the problem is.
| bobba |
| (Fresh Scripter) |
| 2009-08-26 11:08 AM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Running nltest returns:
C:\Windows\system32>nltest /sc_verify:mydomain /server:mypc
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\mydc.mydomain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
| Ruud van Velsen |
| (Hey THIS is FUN) |
| 2009-08-26 02:35 PM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
This is almost surely "something" to do with the configuration of the permissions in AD. Have you checked http://support.microsoft.com/default.aspx?scid=kb;en-us;262958 to see if that helps?
Ruud
| Patrick20 |
| (Fresh Scripter) |
| 2009-08-27 02:15 PM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Hi,
We have the same infrastructure W2K AD SP4 and I have the same Error 1789: The trust relationship between this workstation and the primary domain failed.
I've created a new W2K8 AD and did the test with same W7 station,I have the same issue again.
| bobba |
| (Fresh Scripter) |
| 2009-08-28 11:26 AM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Yes I've checked that. I've also setup another w7 rtm pc with the same problem. I'm probably going to log a call with MS for it. It's odd that it doesn't happen with XP or Vista machines though, I'd be interested to hear of anyone using W7 with a Windows 2000 AD and whether it's ok for them.
Thanks for the replies.
| Ruud van Velsen |
| (Hey THIS is FUN) |
| 2009-08-28 06:17 PM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
One thing you can do is use the SysInternals utility PsGetSID (http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx). This won't solve the issue, but it takes KiXtart out of the equation.
The error happens when KiXtart tries to resolve SIDs, so I expect if you try to resolve the SID of a group on your logonserver with PsGetSID, the same error will occur.
Ruud
| bobba |
| (Fresh Scripter) |
| 2009-09-02 02:01 PM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Yes, same error:
Error querying account:
The trust relationship between this workstation and the primary domain failed.
| kaffee |
| (Fresh Scripter) |
| 2009-10-29 03:33 PM |
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Hi,
I had same problem and tried your solutions without success
I conclued that Windows 7 32 or 64 bits has problem to view Global groups in at least W2000 AD - but can view Domain Local Groups.
check the following post.
http://www.kixtart.org/forums/ubbthreads...true#Post196516
If someone has a clue or direction it will be great.
Rgds,
Kaffee
| Arend_ |
| (MM club member) |
| 2009-11-01 12:57 PM |
|
|
Re: Windows 7 RC & Kix & Globabl Groups
|
I think it has more to do with the authentication of the AD. I had similar problems deploying Windows 7 from WDS. Long story short, try to set this policy on the local Windows 7 computers using gpedit.msc
'Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager Authentication Level' change to 'Send LM & NTLM - use NTLMv2 session security if negotiated'
Then reboot, and try the ingroup again.
[edit]
I've tried this myself today at work using a Windows 7 x86 client in our Windows 2000 Domain.
Global groups fail.
Universal groups fail.
Domain Local groups succeed.
[/edit]
| Arend_ |
| (MM club member) |
| 2009-11-02 12:23 PM |
|
|
|
Re: Windows 7 RC & Kix & Globabl Groups
|
Originally Posted By: Ruud van Velsen
One thing you can do is use the SysInternals utility PsGetSID (http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx). This won't solve the issue, but it takes KiXtart out of the equation.
The error happens when KiXtart tries to resolve SIDs, so I expect if you try to resolve the SID of a group on your logonserver with PsGetSID, the same error will occur.
Ruud
The error happens when KiXtart tries to resolve SIDs, so I expect if you try to resolve the SID of a group on your logonserver with PsGetSID, the same error will occur.
Ruud
PsGetSID gets the same errors as KiXtart.
Domain Users are resolved.
Domain Local groups are resolved.
Global groups fail.
Universal groups fail.