OS and Software > Microsoft Help > [Vista] Vista and SBS 2K3 will not play nice

reply to jlhugh

Re: [Vista] Vista and SBS 2K3 will not play nice

reply to jlhugh
Check to be sure the local console username and passord, exactly match the username and password used on the servers. It sounds like you have the exact match for Win2k3, but the SBS has a different username and/or password pair. It is likely the password, given the error message. Remember these are CaSe sensitive.

Finally, be default, Vista will not do LM hashes, nor pass them for authentication. It also uses NTLM v.2 If SBS is set up for NTLMN, be sure to it accepts NTLM V2. Then for LM hashes you need to either enable this in Vista or disable this in SBS.

To enable in Vista, use Regedit (as your version of Vista does not have SECPOL.MSC):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"LmCompatibilityLevel" Type DWORD
Change this to 00000001
Restart your computer.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

reply to bcastner
You say Vista Home Premium is intended for Active Directory, Windows 2003 Server networks and SBS but I have yet to see any actual information that proves you are correct even from the software giant themselves, Microsoft.

Leathal

I never mentioned anything that used the word "intended". And I have no idea why the primary product focus of any Vista SKU would matter. Nor does the "software giant" publish a comprehensive listing of permitted uses. What you cannot do is listed in the EULA. What you can do is, as the "software giant" says, "think of the possibilities."

The issue is whether Vista Home Premium can access Win2k3 and SBS Domains. The correct answer is that yes they can.

Just like most MCE Editions and XP Home, they cannot be used to create machine accounts. They can only be used for user level authentication access to Domain resources.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

I upgraded the computer to the Ultimate and I have the same problem. Let me tell you what I am doing. I am not logging in to a domain on either server. I just got one server in a work group and the other server in another work group. Then I click on networks and find the server I want and click on it. When I do this for the 2k3 server it asks for credentials and I go on. When I click on that sbs server it does not ask for the credentials. It just gives me access denied error. We don't use these server to do anything but run one program off each one of them. Is there a simpler way just to make this thing act like a normal computer without asking for the credentials? I do only want a few people to access this server, but this is getting stupid. This stuff is kinda new to me and I am learning as I go.

reply to Leathal

Not knowing the version of SBS, let me suggest that for any Vista client you modify its default of NTLMv2, and no LM Hash. Usually this is done through Group Policy, or by forcing at the server side to accept NTLMv2.

The issue is that by default, Windows Vista uses NTLMV2 for authentication when attempting to map network drives. To allow NTLMv1 or LM challenge-response operations do the following:

For Business SKUs or Higher, with SECPOL.MSC or GPEDIT.MSC:
1. Control Panel -> System Maintenance -> Administrative Tools (run as administrator) -> Local Security Policies -> Local Policies -> Security Options

2. Find the Policy Key named Network Security : LAN Manager Authentication Level

3. Set the value to "Send LM and NTLM responses" or - and it seems to make the most sense -"Send LM & NTLM - use NTLMv2 session security if negotiated"

Alternative: For Any Vista Version:
This same policy object can be done by making a change in the Windows Vista registry

1. Run the registry editor and open this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

2. If it doesn't already exist, create a DWORD value named LmCompatibilityLevel

3. Set the value to 1

----------------------
Reboot

=================================
If you have a LAN or Domain that is accepting only LM Hashes (can happen with SAMBA, some NAS servers, even with XP), the LM Hash is created and stored when the account is created.

In that rare case, remove the User Account that matches the Domain credentials. Add it back (after the changes above).

I mention this only in the interests of thoroughness; it is rarely necessary. Most systems are configured to accept NTLMv1, but balk only when Vista is doing only NTLMv2.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

reply to jlhugh

You have password protected file and printer sharing enabled?

You are using a User Account with password, that exactly matches the User Account and password of the server?

Do not try to use Administrative Shares. (The "$" symbol sharenames.) Vista has deprecated these.

The NET USE command has to be run with elevated priviliges; e.g. Right click the Command Prompt icon in All Programs, "Run as Administrator". This ensures that the command is run with a split token.

I have printer sharing enabled and password protected file enabled

There is no password on the user account on the Vista machine.. It does not log into the domain.

But you have to enable a password on the user account.

The very first rule: You create a User Account in Vista, that has the identical Username and the identical Password as your account on the Domain.

Your SBS Server and your Win2k3 serves are not going to allow (usually) an anonymous logon. (And if set that way, fire the security guy.)

You can, in the alternative, use longer NET USE statements, passing the credentials as part of the string. (OR insert a "*" a the end of the statement to force prompting. But the better way is to matchup the credentials between your Domain account and the Vista User Account.