unable to access non-trusted resource by default - why?

 
seeker01
(Msg. 1) Posted: Wed Jan 24, 2007 7:07 pm
Post subject: unable to access non-trusted resource by default - why?
Archived from groups: microsoft>public>windowsxp>security_admin

Hi there,
The way I enable a Windows XP Professional user to access a network application
from a non-trusted Windows 2000 domain controller is bad, so I need to fix it
ASAP. The XP user (from VLAN 1) is a member of an NT4 domain (from VLAN2). For it
to work today, I first added the W2K application server name (from VLAN3) to the hosts
and lmhosts.sam files. Then I map a network drive to the Windows 2000 domain
controller C:\ root drive using the server IP address and domain
administrator password. The network access of both VLAN 1 & VLAN 3 is fully
opened; VLAN1 & VLAN2 are fully opened; no access between VLAN2 & VLAN3. Is
there a seamless solution without exposing the root administrator password?

Steven L Umbach5
(Msg. 2) Posted: Wed Jan 24, 2007 10:55 pm
Post subject: Re: unable to access non-trusted resource by default - why?
Archived from groups: per prev. post

Sharing the C or any drive of a domain controller is a very bad idea,
particularly when giving a user domain administrator access. It is best if a
domain controller not do any function other than being a domain controller.
If that is not possible for some reason, then share only the folder that a
user needs access to and then give the user needed access to the shared
folder as a regular domain user and not a domain administrator. If the user
is trying to access from a non-trusted domain, the user possibly still can
access if the user uses credentials [user account/password] of a user
account in the domain that access is needed in, though the user may need to
specify user name as domain\user.

Steve

seeker01
(Msg. 3) Posted: Wed Jan 24, 2007 10:55 pm
Post subject: Re: unable to access non-trusted resource by default - why?
Archived from groups: per prev. post

Steve,
Thanks for your good feedback. The environment is small, so the current DC
is also the application server. I mapped to \\domain\app as \\domain\user
logon successfully but got this error when clicking the application: "vision
startup wrapper - V utilities Build 7 - could not create registry tree:
computer :192.x.x.x \software\varian\os\systems\varis\71". But this error
goes away once I map to \\192.x.x.x\c$. I checked that the share permission is
"Everyone full control" & the NTFS permission is "user with read, write & delete
permission". Hope you know why. thanks.

Steven L Umbach5
(Msg. 4) Posted: Thu Jan 25, 2007 7:56 pm
Post subject: Re: unable to access non-trusted resource by default - why?
Archived from groups: per prev. post

You can only use the C$ as an administrator. If the user is trying to access
the other path as a regular user, he probably does not have enough rights for
the application, which is bad news if it is on a domain controller. I suggest
you try Regmon from Microsoft to see if you can determine what registry keys
the user is being denied access to and then tweak registry permissions to
give that user or users needed access. Log on as a regular user and then
start Regmon using runas with admin credentials, and the log should show what
registry key is causing the problem when you look for deny or failed entries
in the log. You might also try contacting the publisher of the application
about the error you are getting to see if they can advise you OTHER than
making the user an administrator.

Steve

http://www.microsoft.com/technet/sysinternals/utilities/Regmon.mspx ---
regmons filter option can help you track pertinent events
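
One way to triage a saved Regmon log for the denied entries that Msg. 4 says to look for, as an added example that is not part of the original thread. It assumes a tab-separated log with the columns #, Time, Process, Request, Path, Result, Other; the request and result spellings, the HKLM hive, the process names and all sample rows are constructed, and only the software\varian\os\systems\varis\71 path comes from the error quoted in Msg. 3.

```python
from collections import defaultdict

# Constructed sample rows in the shape of a saved Regmon log. Assumptions: the
# column order (#, Time, Process, Request, Path, Result, Other), the request and
# result spellings, the HKLM hive and the process names.
_ROWS = [
    ("1", "0.0101", "vision.exe:1320", "OpenKey", r"HKLM\SOFTWARE\Varian", "SUCCESS", ""),
    ("2", "0.0102", "vision.exe:1320", "CreateKey", r"HKLM\SOFTWARE\Varian\OS\Systems\Varis\71", "ACCDENIED", ""),
    ("3", "0.0103", "vision.exe:1320", "QueryValue", r"HKLM\SOFTWARE\Varian\OS\Version", "NOTFOUND", ""),
    ("4", "0.0150", "explorer.exe:880", "OpenKey", r"HKLM\SOFTWARE\Example\Policy", "ACCDENIED", ""),
    ("5", "0.0201", "vision.exe:1320", "CreateKey", r"HKLM\Software\Varian\OS\Systems\Varis\71", "ACCDENIED", ""),
    ("6", "0.0202", "vision.exe:1320", "OpenKey", r"HKLM\SOFTWARE\Varian\OS\Systems", "ACCDENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS)

DENIED_RESULTS = {"ACCDENIED", "ACCESS DENIED"}   # result strings treated as a denial
WRITE_REQUESTS = {"createkey", "setvalue", "deletekey", "deletevaluekey"}


def denied_keys(log_text, process=None):
    """Summarise denied registry operations per key, optionally for one process name."""
    summary = defaultdict(lambda: {"count": 0, "requests": set(), "needs_write": False})
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) < 6 or not fields[0].isdigit():
            continue  # header, blank or truncated line
        proc, request, path, result = fields[2:6]
        if result.upper() not in DENIED_RESULTS:
            continue
        if process and proc.split(":")[0].lower() != process.lower():
            continue  # keep only the application under investigation
        entry = summary[path.lower()]  # registry key names are case-insensitive
        entry["count"] += 1
        entry["requests"].add(request)
        # A denied write-type request means the key ACL must grant more than read.
        entry["needs_write"] |= request.lower() in WRITE_REQUESTS
    return dict(summary)


if __name__ == "__main__":
    for key, info in sorted(denied_keys(SAMPLE_LOG, process="vision.exe").items()):
        access = "write" if info["needs_write"] else "read (or unknown)"
        print(f"{info['count']}x {key}  {sorted(info['requests'])}  -> {access}")
```

The summary gives the short list of keys whose permissions need review for the regular user, so access can be granted on those keys only rather than by making the user an administrator.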