Microsoft KB Archive/816818: Difference between revisions
(importing KB archive) |
m (Text replacement - ">" to ">") |
||
(One intermediate revision by the same user not shown) | |||
Line 12: | Line 12: | ||
<div id="TitleRow"> | <div id="TitleRow"> | ||
= <span id="KB816818"></span>"Picker cannot open because it cannot determine whether | = <span id="KB816818"></span>"Picker cannot open because it cannot determine whether <Network Name Resource> is joined to a domain" error message = | ||
Latest revision as of 10:21, 21 July 2020
Article ID: 816818
Article Last Modified on 10/17/2007
APPLIES TO
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Windows NT Server 4.0, Terminal Server Edition
- Microsoft Windows NT Server 4.0 Enterprise Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
If you are using a Windows 2000-based computer and you try to modify the NTFS file system permissions on a file or folder on a network share, you may receive one of the following error messages:
In this error message, Network Name Resource
is the NetBIOS name (or fully qualified domain name [FQDN]) of the computer you are trying to access. When you click Close, you receive the following error message:
If you are using a Windows NT 4.0-based computer, you may receive the following error message when you try to add entries to the Access Control List (ACL):
You receive this error message if the environment includes a Windows NT 4.0 domain that has a Windows NT 4.0-based server and a Windows 2000 Professional-based client computer. You may receive the error message when you change permissions on a member server only, but you may not receive the error message on a domain controller (primary domain controller [PDC] or backup domain controller [BDC]).
You may also experience the following problems:
- Users or groups that have Full Control access cannot delegate permissions.
- Users who have Full Control access cannot make permission changes on a DFS share.
- If you give the non-privileged user the right to log on locally and you log on locally to the file server where the error message occurs, you can successfully edit the ACL.
If you are using a Windows 2003-based computer and if you try to modify the NTFS file system permissions on a file or on a folder on a network share, you may receive the following error message:
In this error message, Network Name Resource
is the NetBIOS name or the fully qualified domain name (FQDN) of the computer that you are trying to access. When you click Close, you receive the following error message:
RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. To troubleshoot this problem, perform each of the following troubleshooting steps. After you complete each step, see if you can delegate permissions. If you still cannot delegate permissions, continue to the next step.
Step 1: Confirm the TCP/IP NetBIOS Settings
- Verify that Netbios over TCP is selected in the Advanced TCP settings on the Windows 2000-based computer.
- Verify that the TCP/IP NetBIOS Helper (LmHosts) service is enabled and started on the domain controllers and on all member servers.
Step 2: Confirm That There Are No Access Restrictions to the Registry
- Verify that 'System\CurrentControlSet\Control\ProductOptions' is listed in the
Machine
value:- Start Registry Editor.
- Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
- Confirm the following settings:
Value: Machine
Type: REG_MULTI_SZ - Multi string
Default Data:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\Windows NT\CurrentVersion
Machine
value is a valid path to a location in the registry. The purpose of theMachine
value is to allow computer access to listed locations in the registry, provided that no explicit access restriction exists for that location. - Verify that the
winreg
registry key has Read permissions for the System account:- Start Registry Editor.
- Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
- In the Edit menu, click Permissions, and then make sure that the System account has Read permissions for key.
If the
winreg
registry key does not have the correct permissions, you can export the registry key from a server that works to the server you are trying to access.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:314837 How to manage remote access to the registry
Step 3: Confirm that Anonymous Connections Can Perform Enumeration Functions
Confirm the following registry settings on the member servers that you are trying to access:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 0
The purpose of the registry value is to configure local system policy to determine whether authentication is required to perform common enumeration functions. You can configure the account name list to require authentication. This authentication requirement is an optional feature.
When the RestrictAnonymous
value is set to 1, anonymous connections that are generated from the Graphical User Interface (GUI) tools for security management receive an "access denied" error message when these connections try to obtain the list of account names.
For additional information about the "RestrictAnonymous" registry value, click the following article number to view the article in the Microsoft Knowledge Base:
178640 Could not find domain controller when establishing a trust
Step 4: Confirm SMB Signing Settings
You may receive the error message that is described in the "Symptoms" section of this article if SMB Signing is turned on and if it is required. To confirm that SMB Signing is not turned on and that it is not required:
- Start Registry Editor.
- Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
This key contains the following values:
Value Name: EnableSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable)
Value Name: RequireSecuritySignature
Type: REG_DWORD
Value: 0 (disable), 1 (enable)
Default: 0 - Set the
EnableSecuritySignature
value and theRequireSecuritySignature
value to 0 (zero).
For additional information about this registry key, click the following article number to view the article in the Microsoft Knowledge Base:
161372 How to enable SMB signing in Windows NT
Step 5: Confirm that the domain controller is reachable
If you cannot view or make permission changes on a Distributed File System (DFS) share, verify that you can reach the domain controller by testing name resolution. If your DNS server returns a list of IP addresses for domain controllers, your computer pings the first IP address to check connectivity. After a successful ping reply, the client tries to connect to the domain controller by using the SMB protocol. If this step fails, you receive the "Object Picker" error message.
MORE INFORMATION
- You can use the Windows NT Cacls.exe utility to verify correct permission settings.
- When you view a network trace that was captured with Network Monitor, you may see SMB STATUS_ACCESS_DENIED and RPC 'Return Value = 5 (0x5)'. This return value corresponds to the 'Access Denied' error in remote procedure calls (RPC) when a named pipe to
winreg
is opened.
Additional Scenarios Where This Problem May Occur
The error messages that are described in the "Symptoms" section may occur if the share is located on a cluster server as a file share resource, and if all of the following conditions exist:
- Microsoft SQL 7.0 is installed on the cluster server, and this cluster server was configured as a cluster resource in an active/passive configuration by using the SQL Failover Wizard.
- The file share that you are connecting to is hosted by a cluster server as a file share resource.
- The file share source is located on the same hard disk as SQL 7.0 on the cluster server, and it is located in the same resource group as SQL 7.0.
- You are trying to modify NTFS permissions on a file that is located on the cluster server by using a user account that does not have administrator credentials on the cluster server.
If these conditions exist, create the File Share resource in a different cluster resource group and on a different hard disk than the hard disk where SQL 7.0 is installed.
For additional information about this procedure, click the following article number to view the article in the Microsoft Knowledge Base:
267833 Cannot set NTFS permissions on files located on clustered file share resource
If you use Web folders to gain access to a workspace, user accounts may not appear on the Security tab in the properties of a folder. If you try to add an account, you may receive the error message described in the "Symptoms" section.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
309353 You cannot view security information when you are connected with virtual hosting or the server
REFERENCES
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
157475 Access denied when trying to add ACL entries
153183 How to restrict access to the registry from a remote computer
143474 Restricting information available to anonymous logon users
263231 Error Message: Object Picker cannot open because no locations from which to choose objects could be found
284914 Error Message: Object Picker Cannot Open Because No Locations from Which to Choose Objects Could Be Found
323170 How to backup, edit, and restore the registry in Windows NT 4.0
322755 How to backup, edit, and restore the Registry in Windows 2000
Additional query words: Objectpicker, STATUS_ACCESS_DENIED 0xC0000022, remote registry, Remote Procedure Call (RPC)
Keywords: kbprb KB816818