Microsoft KB Archive/816818

= "Picker cannot open because it cannot determine whether  is joined to a domain" error message =

Article ID: 816818

Article Last Modified on 10/17/2007


APPLIES TO


 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Server 4.0 Enterprise Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition






IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
If you are using a Windows 2000-based computer and you try to modify the NTFS file system permissions on a file or folder on a network share, you may receive one of the following error messages:

Object Picker cannot open because it cannot determine whether  is joined to a domain.

In this error message,  is the NetBIOS name (or fully qualified domain name [FQDN]) of the computer you are trying to access. When you click Close, you receive the following error message:

Unable to display the user selection dialog.

Access is denied.

If you are using a Windows NT 4.0-based computer, you may receive the following error message when you try to add entries to the Access Control List (ACL):

Access Denied

You receive this error message if the environment includes a Windows NT 4.0 domain that has a Windows NT 4.0-based server and a Windows 2000 Professional-based client computer. You may receive the error message when you change permissions on a member server only, but you may not receive the error message on a domain controller (primary domain controller [PDC] or backup domain controller [BDC]).

You may also experience the following problems:
 * Users or groups that have Full Control access cannot delegate permissions.
 * Users who have Full Control access cannot make permission changes on a DFS share.
 * If you give the non-privileged user the right to log on locally and you log on locally to the file server where the error message occurs, you can successfully edit the ACL.

If you are using a Windows 2003-based computer and if you try to modify the NTFS file system permissions on a file or on a folder on a network share, you may receive the following error message:

The program cannot open the required dialog box because it cannot determine whether the computer named "Network Name Resource" is joined to a domain. Close this message, and try again.

In this error message,  is the NetBIOS name or the fully qualified domain name (FQDN) of the computer that you are trying to access. When you click Close, you receive the following error message:

Unable to display the user selection dialog. The RPC server is unavailable.



RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To troubleshoot this problem, perform each of the following troubleshooting steps. After you complete each step, see if you can delegate permissions. If you still cannot delegate permissions, continue to the next step.

Step 1: Confirm the TCP/IP NetBIOS Settings

 * 1) Verify that NetBIOS over TCP is selected in the Advanced TCP settings on the Windows 2000-based computer.
 * 2) Verify that the TCP/IP NetBIOS Helper (LmHosts) service is enabled and started on the domain controllers and on all member servers.

Step 2: Confirm That There Are No Access Restrictions to the Registry
Verify that 'System\CurrentControlSet\Control\ProductOptions' is listed in the  value:

 * 1) Start Registry Editor.
 * 2) Locate and then click the following registry key:

 Confirm the following settings:

Value: Machine

Type: REG_MULTI_SZ - Multi string

Default Data:

System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Print\Printers

System\CurrentControlSet\Control\Server Applications

System\CurrentControlSet\Services\Eventlog

Software\Microsoft\Windows NT\CurrentVersion



The valid range for the  value is a valid path to a location in the registry. The purpose of the  value is to allow computer access to listed locations in the registry, provided that no explicit access restriction exists for that location.

Verify that the  registry key has Read permissions for the System account:

 * 1) Start Registry Editor.
 * 2) Locate and then click the following registry key:
 * 3) In the Edit menu, click Permissions, and then make sure that the System account has Read permissions for key.

If the  registry key does not have the correct permissions, you can export the registry key from a server that works to the server you are trying to access.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

314837 How to manage remote access to the registry


Step 3: Confirm that Anonymous Connections Can Perform Enumeration Functions
Confirm the following registry settings on the member servers that you are trying to access:

Value Name: RestrictAnonymous

Data Type: REG_DWORD

Value: 0

The purpose of the registry value is to configure local system policy to determine whether authentication is required to perform common enumeration functions. You can configure the account name list to require authentication. This authentication requirement is an optional feature.

When the RestrictAnonymous value is set to 1, anonymous connections that are generated from the Graphical User Interface (GUI) tools for security management receive an "access denied" error message when these connections try to obtain the list of account names.

For additional information about the "RestrictAnonymous" registry value, click the following article number to view the article in the Microsoft Knowledge Base:

178640 Could not find domain controller when establishing a trust

Step 4: Confirm SMB Signing Settings
You may receive the error message that is described in the "Symptoms" section of this article if SMB Signing is turned on and if it is required. To confirm that SMB Signing is not turned on and that it is not required:

 * 1) Start Registry Editor.
 * 2) Locate and then click the following registry key:

This key contains the following values:

Value Name: EnableSecuritySignature

Data Type: REG_DWORD

Data: 0 (disable), 1 (enable)

Value Name: RequireSecuritySignature

Type: REG_DWORD

Value: 0 (disable), 1 (enable)

Default: 0

 * 3) Set the EnableSecuritySignature value and the RequireSecuritySignature value to 0 (zero).

For additional information about this registry key, click the following article number to view the article in the Microsoft Knowledge Base:

161372 How to enable SMB signing in Windows NT

Step 5: Confirm that the domain controller is reachable
If you cannot view or make permission changes on a Distributed File System (DFS) share, verify that you can reach the domain controller by testing name resolution. If your DNS server returns a list of IP addresses for domain controllers, your computer pings the first IP address to check connectivity. After a successful ping reply, the client tries to connect to the domain controller by using the SMB protocol. If this step fails, you receive the "Object Picker" error message.
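
A read-only check of Steps 2 through 4, added here as an example and not part of the original article: it parses `reg query`-style text and lists the values that differ from the state those steps describe, so the current settings are on record before anything is changed. The sample data is constructed, the key paths in it are placeholders because this page does not show them, and the text layout and the treatment of an absent DWORD as 0 are assumptions.

```python
import re

# Constructed sample in `reg query` text layout (assumed: name, type, data per line,
# REG_MULTI_SZ entries joined by a literal \0). Key paths are placeholders: this
# page does not show them. Value names and data follow the article.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\<key not shown on this page>
    Machine    REG_MULTI_SZ    System\CurrentControlSet\Control\Print\Printers\0System\CurrentControlSet\Services\Eventlog\0Software\Microsoft\Windows NT\CurrentVersion

HKEY_LOCAL_MACHINE\<key not shown on this page>
    RestrictAnonymous    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\<key not shown on this page>
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x0
"""

VALUE_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_[A-Z_]+)\s+(.*)$")
PRODUCT_OPTIONS = r"System\CurrentControlSet\Control\ProductOptions"

def parse_values(text):
    """Return {lower-cased value name: data}; DWORD as int, MULTI_SZ as list."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, kind, data = m.group(1).lower(), m.group(2), m.group(3).strip()
        if kind == "REG_DWORD":
            values[name] = int(data, 16)
        elif kind == "REG_MULTI_SZ":
            values[name] = [p for p in data.split(r"\0") if p]
    return values  # other value types are skipped

def check_steps(values):
    """List the values that differ from what Steps 2-4 of the article describe."""
    findings = []
    allowed = [p.lower() for p in values.get("machine", [])]
    if PRODUCT_OPTIONS.lower() not in allowed:
        findings.append("Step 2: Machine does not list " + PRODUCT_OPTIONS)
    # Assumption: a DWORD that is absent from the export is treated as 0.
    for step, name in ((3, "RestrictAnonymous"), (4, "EnableSecuritySignature"),
                       (4, "RequireSecuritySignature")):
        data = values.get(name.lower(), 0)
        if data != 0:
            findings.append("Step %d: %s is %d" % (step, name, data))
    return findings

print("\n".join(check_steps(parse_values(SAMPLE))))
```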


MORE INFORMATION

 * You can use the Windows NT Cacls.exe utility to verify correct permission settings.
 * When you view a network trace that was captured with Network Monitor, you may see SMB STATUS_ACCESS_DENIED and RPC 'Return Value = 5 (0x5)'. This return value corresponds to the 'Access Denied' error in remote procedure calls (RPC) when a named pipe to  is opened.

In a Clustered File Share
The error messages that are described in the "Symptoms" section may occur if the share is located on a cluster server as a file share resource, and if all of the following conditions exist:
 * Microsoft SQL 7.0 is installed on the cluster server, and this cluster server was configured as a cluster resource in an active/passive configuration by using the SQL Failover Wizard.
 * The file share that you are connecting to is hosted by a cluster server as a file share resource.
 * The file share source is located on the same hard disk as SQL 7.0 on the cluster server, and it is located in the same resource group as SQL 7.0.
 * You are trying to modify NTFS permissions on a file that is located on the cluster server by using a user account that does not have administrator credentials on the cluster server.

If these conditions exist, create the File Share resource in a different cluster resource group and on a different hard disk than the hard disk where SQL 7.0 is installed.

For additional information about this procedure, click the following article number to view the article in the Microsoft Knowledge Base:

267833 Cannot set NTFS permissions on files located on clustered file share resource

In Microsoft SharePoint Portal Server
If you use Web folders to gain access to a workspace, user accounts may not appear on the Security tab in the properties of a folder. If you try to add an account, you may receive the error message described in the "Symptoms" section.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

309353 You cannot view security information when you are connected with virtual hosting or the server
