Remote Access Rights Changed by NT Update?

Kenn's
Tech
Notes

19990611: Remote Access Rights Changed by NT Update?

June/1999
Tech Note #11

Running the Windows NT Server Prep Update may result in users losing their dial-in privileges if you are using Remote Access. Please note that this is not by design, and will not happen if you follow two simple guidelines. One: Do not use any of the standard accounts for Remote Access (i.e.. don't use Administrator, WSD1Admin, Prof Admin, Tech, Sysop, or Teacher for Remote Access.) Two: Do not give dial-in privileges to accounts which are members of Administrators or Domain Admins.

In situations where it is desirable to have administrative access from remote locations, an alternate "Guideline Two" which will work is: Do not give dial-in privileges to accounts which are used to log on within the building.

Here's why. During the Update, the standard user groups are checked for and/or created, and the standard accounts are set up with the standard passwords. Meanwhile, elsewhere on your network and without your knowledge, some of those accounts may be logged on at a workstation with one or more network connections to the server. When the password changes while the network session is in progress, the logon information (or "credentials") presented to the existing session(s) becomes invalid. Because many network operations automatically retry, it often happens that one or more user accounts get locked out during the process!

Account lock outs occur when the wrong password is used on too many consecutive logon or network connection attempts. And when an account gets locked out, its dial-in permission is also revoked! Simply clearing the X from the lockout box in User Manager (or waiting for the lockout to time-out) does not restore dial-in permission.

If the NT Server you are updating has Remote Access Server service install, you would be well-advised to check dial-in permissions before and after you run the update.

DISCLAIMER: This document is intended for the reference of computer support personnel within Winnipeg School Division No. 1. There is no warranty or liability if procedures recommended here have an adverse affect on any systems. Use them at your own risk. Any trademarks mentioned are the property of their owners, none of whom have certified any information provided here. Opinions expressed here are personal only and do not represent the policy of Winnipeg School Division No. 1 or any other organization anywhere.

Got a Tech Note to share? Submissions are most welcome! [Click here.]
To return to the Tech Notes home page, click here.
To download a copy of all the June/1999 Tech Notes in Rich Text Format, click here.

Click here to visit the Information "Super-Cul-De-Sac". This page was updated
2001 June 9

This page hosted by
Get your own Free Homepage
Check out my neighbours here in Silicon Valley Peaks by clicking here.