Windows 7 : access denied to ONE server from ONE computer

Question

We have a domain served by some Windows 2003 servers.
We have several Windows 7 Pro clients.

ONE client computer can't acces ONE member Windows 2003 server.
The other computers can acces every servers. And the same computer can access other servers.

With explorer, the message says the account is no activated.
With the command line, the message says the account is locked.
With commande line :

net use X: \\server\share
--> several seconds delay, then error (says the account is locked)

net use X: \\server\share /USER:current_username
--> okay

net use X: \\server\share /USER:domain_name\current_username
--> okay

From the same computer, the user can access other servers. From another computer, the same user can access any server, including the one denied from the original computer.

Aleady done :
unjoin then join the cilent from the domain.
check the logs on the server : nothing about the failed attempts (?!)

Is their any user mapping I'm not aware of ?

Since you capitalized one, I'm assuming that this client is able to access other 2003 server shares without issue and also that other clients are able to access this share. Is that correct? — Paul Ackerman, Nov 16 '12 at 15:39
@Paul Ackerman : this is correct. I edited the question to add details. — Gregory MOUSSAT, Nov 16 '12 at 16:44

score 7 · Answer 1 · edited Nov 09 '12 at 19:03

7

Sounds like tokens aren't being issued at logon. Are you sure that there isn't a connectivity or AD issue with that machine? I suspect you're logging in with cached credentials and aren't actually authenticating against a DC from that one machine.

klist.exe will show you if you have any Kerberos tickets. You should disconnect any manually mapped drives, reboot the machine, log in, and run klist and see if there is anything there. At a minimum, there should be ldap ticket from the DC that authenticated you. If that's missing, it was probably a cached logon. You can try unjoining and rejoining the computer to the domain and seeing if that helps. Also, verify that the clock skew is no greater than 5 minutes from the rest of the domain.

edited Nov 09 '12 at 19:03

EEAA

109,363
18
175
245

answered Nov 09 '12 at 18:59

MDMarra

100,734
32
197
329

Unjoin/join already done. I'll check the clock skew and klist. Have to wait monday. – Gregory MOUSSAT Nov 09 '12 at 19:03
1

If you were able to unjoin/rejoin without a problem, then clock skew probably isn't an issue. – MDMarra Nov 09 '12 at 19:05
So, I ran klist and found nothing strange. I cleared the cache (klist purge), but nothing better. I edited the question about the error messages. – Gregory MOUSSAT Nov 14 '12 at 14:39
Is said server a domain controller, or is there a local user on the server with an identical username? – SpacemanSpiff Nov 17 '12 at 03:49

score 4 · Accepted Answer · answered Nov 19 '12 at 16:34

4

I just had a similar problem.
It was related to an entry into Credential Manager into the Control Panel.
The Credential Manager allow to define which user access to which server. So it may help you.

answered Nov 19 '12 at 16:34

Bertrand SCHITS

2,922
1
13
15

1

I had nothing into Credential Manager. So I created a new item for the desired server, and it was ok. I then removed it, and it was ok too. Seems the problem was a ghost item into Credential Manager. – Gregory MOUSSAT Nov 20 '12 at 09:57
Had a similar issue that started occurring after one of my user changed their password. Deleted the entry in Credential Manager for the problem server and they were fine. – Charles Sep 22 '15 at 14:33

Windows 7 : access denied to ONE server from ONE computer

2 Answers2