Microsoft KB Archive/245715

Revision as of 17:12, 18 July 2020 by 3155ffGd (talk | contribs) (importing KB archive)
Knowledge Base


Article ID: 245715

Article Last Modified on 10/31/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server



This article was previously published under Q245715

SYMPTOMS

If you try to log on to an Exchange Server mailbox with Outlook Web Access (OWA) from the console of a Domain Controller, using an account with Domain User privileges, you may receive the following error message:

Logon failure: the user has not been granted the requested logon type at this computer. The data is the error code.

CAUSE

This issue can occur because you need to have the Log On Locally permission. This permission is not assigned to Domain User accounts by default.

RESOLUTION

To work around this issue, use one of the following methods:

  • Disable the anonymous access feature and enable the Integrated Windows Authentication feature.
  • Enable Domain Users to log on interactively.


STATUS

This behavior is new in Windows 2000, and is by design.

MORE INFORMATION

If you disable anonymous access, you prevent Windows 2000 from prompting the user to enter logon credentials interactively. Enabling Integrated Windows Authentication allows credentials to be passed from the logged-in user to the OWA session.

One drawback to this workaround process is the requirement that the user has already logged on to the domain somewhere else and started OWA on the Domain Controller. Part of the utility of OWA is the ability to view your e-mail messages from any place using a browser.

One benefit to this workaround process is that an administrator can limit user access to e-mail to a set of locations within the domain.

The second workaround constitutes a weakening of security policies. The consequences of doing so must be carefully evaluated before taking such action.

Only the Domain Users group is affected by this issue under the default configuration. Account Operators, Administrators, Backup Operators, Server Operators, Print Operators, and IUser are not affected.
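A way to check how far the second workaround widens the Log On Locally right on a Domain Controller, as an added example that is not part of the original article. It assumes the input is the text of a security template exported with `secedit /export` (SIDs prefixed with `*`); the function names, sample templates and domain SID are constructed for illustration.

```python
import re

# Well-known SIDs of broad groups; Domain Users is the domain SID plus RID 513.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        name, _, value = line.partition("=")
        # The export writes SIDs with a leading '*'; plain account names have none.
        rights[name.strip()] = [p.strip().lstrip("*")
                                for p in value.split(",") if p.strip()]
    return rights

def broad_interactive_logon(inf_text):
    """Broad principals granted Log On Locally and not denied under the same entry."""
    rights = parse_privilege_rights(inf_text)
    denied = {p.lower() for p in rights.get("SeDenyInteractiveLogonRight", [])}
    findings = []
    for p in rights.get("SeInteractiveLogonRight", []):
        if p.lower() in denied:
            continue  # only an exact-match deny entry is considered here
        if p in BROAD_SIDS:
            findings.append(BROAD_SIDS[p])
        elif DOMAIN_USERS.match(p) or p.lower().endswith("domain users"):
            findings.append("Domain Users")
    return findings

# Constructed samples: operator groups only, then workaround 2 applied.
DEFAULT_DC = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""
MADE_UP_DOMAIN_USERS = "*S-1-5-21-1111111111-2222222222-3333333333-513"
WORKAROUND_2 = DEFAULT_DC.replace("*S-1-5-32-551", "*S-1-5-32-551," + MADE_UP_DOMAIN_USERS)

if __name__ == "__main__":
    print("default:     ", broad_interactive_logon(DEFAULT_DC))
    print("workaround 2:", broad_interactive_logon(WORKAROUND_2))
```

Running the same check before and after a policy change shows whether every domain account has gained console logon on the Domain Controller, which is the consequence the article asks you to evaluate.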

Keywords: kbenv kberrmsg kbnetwork kbprb KB245715