Could someone please tell me what I'm doing wrong as one of the servers is not playing ball for local users.
In a nutshell I've got 2 servers, a DC and a member server; both have file and print roles and both are running 2003.
A user logs onto the domain and can access file and print services on both servers. User logs off and back on again as a local user using the same username and password. User can still use file and printing services on dc but member server gives this error:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: <member server name>
Reason: Unknown user name or bad password
User Name: <username>
Domain: <local computer name>
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: <local computer name>
How do I fix it so local users can print to member server as well?
Just to make it a little more interesting I have found that the Administrator account can use file/print services of both the DC and member server when logged on using a domain or local account but a local user can only access files on the member server if they use domain\username when mapping a drive.
I've made another admin account that's identical to the Administrator and that is giving the same problems as a standard user.
What you have written above is actually how the system is designed to work, and without knowing it you've exploited a Server 2003 trick / bug which has added to the confusion!
If you have a domain logon and a local logon that are the same username & password, you can still get to a DC server running Server 2003 from the local account on the laptop/PC because it has the same user credentials - this does not work in Server 2008 where it looks for either the [domainname] or the [computername] before your username.
In other words, Server 2003 only sees the bits in bold: mydomain\administrator and mylaptop\administrator so if the passwords are the same for both accounts it lets you have DC access as the DC will have a record for that username & password; however it will not let you access other servers in your domain because it will not authenticate beyond itself. Just to note, in Server 2008 the DC sees all of it, mydomain\administrator and mylaptop\administrator, and so no local account can access the servers without entering the username & password for a domain account with access rights.
What all that summarises to is that you won't be able to get a standard user's local logon account to access the servers without inputting a domain username & password with access rights because the DC will not authenticate a local account to access a domain service.
If you need a workaround, how about creating a domain account specifically for these local users which you can give them the username&password for so they can authenticate themselves when the dialogue box pops up asking them to? Get them to access a server share on the member server first, enter the username & password you have set up, and then for as long as they remain logged in they won't have to enter it again to print and use the servers as they need to.
Last edited by Pete10141748; 19th March 2012 at 03:29 PM.
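As an added example (not part of any post in this thread), the following Python sketch parses an event in the layout quoted in the question and flags Event ID 529 network logons where the Domain field equals the Workstation Name, meaning the client offered a workstation-local account to the server. The host names, user name and function names are constructed for illustration.

```python
# Constructed sample shaped like the event in the question.
# MEMBER01, PC01 and jsmith are placeholder names, not values from the thread.
SAMPLE_EVENT = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\\SYSTEM
Computer: MEMBER01
Reason: Unknown user name or bad password
User Name: jsmith
Domain: PC01
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PC01
"""

def parse_event(text):
    """Turn 'Key: value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def classify(fields):
    """Label a failed logon by the kind of account the client presented."""
    if fields.get("Event ID") != "529":
        return "not-a-529"
    if fields.get("Logon Type") != "3":
        return "529-non-network"
    domain = fields.get("Domain", "").lower()
    workstation = fields.get("Workstation Name", "").lower()
    if domain and domain == workstation:
        # The Domain field holds the client's own computer name, so a local
        # account was offered over the network rather than a domain account.
        return "local-account-network-logon"
    return "network-529-other"

def local_account_failures(events):
    """Return (server, workstation, user) for each local-account failure."""
    return [(f.get("Computer"), f.get("Workstation Name"), f.get("User Name"))
            for f in map(parse_event, events)
            if classify(f) == "local-account-network-logon"]

if __name__ == "__main__":
    print(local_account_failures([SAMPLE_EVENT]))
```

Run over exported Security log entries, the resulting tuples show which workstations and users are reaching a server with local accounts and therefore need the domain-credential workaround described above.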
Thanks for the in-depth reply. This all came about because the local users need to access the print server which is on the member server; the file access was just my method of testing as it was quicker than accessing the printers.
With your reply in mind I've made a dummy read-only share on the print server and put a batch file on the PC desktop which maps the share, so creating the authentication. I can now add the printers without problems.