Microsoft KB Archive/326638

= Failure to start Telnet sessions using NTLM authentication by members of the TelnetClients group =

Article ID: 326638

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition




This article was previously published under Q326638



SYMPTOMS
Non-administrator users listed in the TelnetClients group are unable to start Telnet sessions using NTLM authentication after doing one or more of the following tasks:
 * Converting the file system of a hard disk from the FAT file system to the NTFS file system
 * Applying default security templates
 * Executing the DCPromo process

This problem occurs only with non-administrator users who try to start Telnet sessions using NTLM authentication.



RESOLUTION
The administrator must explicitly grant the TelnetClients group read permission on Cmd.exe. Telnet Server grants this permission to the TelnetClients group during setup of the operating system, and the permission is required because Telnet Server launches Cmd.exe as the user who is trying to start the Telnet session.

When any of the three tasks mentioned in the "Symptoms" section is performed, the read permission on Cmd.exe that is given to users who are listed in the TelnetClients group is lost. This loss prevents these users from starting Telnet sessions using NTLM authentication.

Note: You cannot use Telnet sessions to execute the DCPromo process because of a security precaution in Microsoft Windows Server 2003. If you assign read permissions to the TelnetClients group, there may be a security risk to the domain controller.
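One way to check for the missing permission and restore it, as an added example that is not part of the original article. It assumes PowerShell is installed and run from an elevated session; the `-Fix` switch is a name chosen for this example, and on a domain controller the script only reports, in line with the note above.

```powershell
# Added example (not from the KB article): audit the Read ACE for
# TelnetClients on Cmd.exe and optionally restore it.
# Assumption: run from an elevated PowerShell session; -Fix is a
# hypothetical switch name chosen for this example.
param([switch]$Fix)

$cmdPath = Join-Path $env:SystemRoot 'System32\cmd.exe'
$group   = 'TelnetClients'
$read    = [System.Security.AccessControl.FileSystemRights]::Read
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Look for an explicit or inherited Allow ACE for the group that includes Read.
$acl     = Get-Acl -Path $cmdPath
$pattern = '(^|\\)' + [regex]::Escape($group) + '$'
$hasRead = $false
foreach ($ace in $acl.Access) {
    $rights = [int]$ace.FileSystemRights
    if ($ace.IdentityReference.Value -match $pattern -and
        $ace.AccessControlType -eq $allow -and
        ($rights -band [int]$read) -eq [int]$read) {
        $hasRead = $true
    }
}

if ($hasRead) {
    Write-Output "$group already has Read on $cmdPath; no change needed."
    return
}
Write-Output "$group has no Read ACE on $cmdPath (the state described under SYMPTOMS)."

# DomainRole 4 and 5 mean backup or primary domain controller. The article's
# note flags this grant as a potential risk there, so only report.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning 'Domain controller detected: not changing the ACL automatically.'
    return
}

if ($Fix) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($group, $read, $allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $cmdPath -AclObject $acl
    Write-Output "Granted Read on $cmdPath to $group."
} else {
    Write-Output 'Run again with -Fix to grant Read to the group.'
}
```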



MORE INFORMATION
For additional information about how to create permissions for the NTFS file system, see the Microsoft Windows 2000 Help documentation, or click the following article number to view the article in the Microsoft Knowledge Base:

300691 HOW TO: Set Up a File System for Secure Access in Windows 2000

Keywords: kbdswsfu2003swept kbprb KB326638


© Microsoft Corporation. All rights reserved.