Access Denied with an external Trust


Dan
I have two Windows 2000 DCs, one called domain1.local and the other called
domain2.com. I set up an external trust between the two domains. I
authenticate to domain2.com and I created a share on domain1.local and gave
my account admin@domain2.com full access to this share, but when I try to
access it from a mapped drive it says access denied. Don't know what I'm doing
wrong.



Steven L Umbach
Assuming you have your DNS set up correctly [and maybe WINS if it is not a small
network], try adding that account to the domain users group in the other domain. Also
try accessing the share via IP address as in \\xxx.xxx.xxx.xxx\sharename in case of a
name resolution problem. Other things that can be causing lack of access would be
incompatible security options such as IPsec negotiation policies, LAN Manager
authentication level, SMB signing [have client/server digitally sign communications
set to always when the other computer cannot comply], and the option for
"additional restrictions for anonymous access" being set to no access without
explicit anonymous permissions in certain situations. --- Steve
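Added example, not part of the original posts: a small Python check for two of the security-option mismatches listed above, LAN Manager authentication level and SMB signing set to "always" when the other side cannot sign. The `Side` class, `check` function and sample values are constructed for illustration; the level meanings follow the standard 0 to 5 scale of the LAN Manager authentication level setting, and `dc_level` is the level on the DC that validates the account.

```python
from dataclasses import dataclass

@dataclass
class Side:
    """One end of the SMB connection; constructed model, not read from a real host."""
    name: str
    sign_enabled: bool       # "digitally sign communications (when possible)"
    sign_required: bool      # "digitally sign communications (always)"
    lm_level: int = 0        # LAN Manager authentication level, 0 to 5

    def can_sign(self):
        return self.sign_enabled or self.sign_required

def responses_sent(level):
    """Response types a client sends at its LAN Manager authentication level."""
    if level <= 1:
        return {"LM", "NTLM"}
    return {"NTLM"} if level == 2 else {"NTLMv2"}

def responses_accepted(level):
    """Response types the validating DC accepts at its level."""
    if level <= 3:
        return {"LM", "NTLM", "NTLMv2"}
    return {"NTLM", "NTLMv2"} if level == 4 else {"NTLMv2"}

def check(client, server, dc_level):
    """Return the list of mismatches that would block the client from the share."""
    problems = []
    if not responses_sent(client.lm_level) & responses_accepted(dc_level):
        problems.append(f"{client.name} sends {sorted(responses_sent(client.lm_level))} "
                        f"but the DC (level {dc_level}) accepts only "
                        f"{sorted(responses_accepted(dc_level))}")
    if server.sign_required and not client.can_sign():
        problems.append(f"{server.name} always signs SMB, {client.name} cannot sign")
    if client.sign_required and not server.can_sign():
        problems.append(f"{client.name} always signs SMB, {server.name} cannot sign")
    return problems

# Constructed sample settings for the two machines in the thread.
CLIENT = Side("domain2.com client", sign_enabled=False, sign_required=False, lm_level=1)
SERVER = Side("domain1.local server", sign_enabled=True, sign_required=True)

if __name__ == "__main__":
    for p in check(CLIENT, SERVER, dc_level=5):
        print("MISMATCH:", p)
```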



Dan
I did set up IPSEC; I wonder if that is the issue.



Dan
I remember messing with IPsec. Is there a way to turn it off? I set the
option "Do not use IPSEC" under the TCP/IP Properties but still the same.



Steven L Umbach
You will have to "unassign" the policy you assigned in the appropriate security
policy, either domain/local/OU/domain controller, etc. You can run netdiag on a
computer as in "netdiag /test:ipsec" and it may help showing what policy is applied.
Gpresult also tells where you are receiving IPsec policy from, I believe. Both those
tools are on the install CD-ROM in the tools/support folder where you will have to run
the setup program. --- Steve



Dan
I ran the IPsec test and this is what I got on both servers.
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.

Could it be because there is an external trust?

I can verify the trusts between the servers fine. Or maybe a DNS issue that
I'm overlooking.



Steven L Umbach
Apparently you do not have any IPsec policy assigned then. Did trying to access the
share via IP address such as \\xxx.xxx.xxx.xxx\sharename work? If not, have you
changed any of the security options on the two domains from default? It may also help
to enable auditing of logon events on the server where you are trying to access the
share and then view the security log in Event Viewer for any failed logons to see if
an event is recorded when you attempt access. Often the failed events have helpful
information. --- Steve