Workgroup is not accessible - HTML Forums

scoutt · 07-12-2005, 06:00 PM

ok, here is a tough one for you guys. I have read the Tech document as M$. this one

http://support.microsoft.com/default...b;en-us;318030

I have both checked

NetBIOS over TCP/IP is not turned on (enabled) on one or more computers in the workgroup.
The Computer Browser service is not started or is turned off on one or more computers in the workgroup.

I even reformatted and it still does it. services are running, netbios is enabled over tcp/ip

anybody have any clues? win2003 server - no patches yet after reformat. we have 2 other ones in the same "workgroup" and they work fine.

Gamini · 07-28-2005, 11:50 PM

What's the error message it gives, is it just that there are no other computers when you look inside the workgroup folder? Or does it reject the permissions.

scoutt · 07-29-2005, 12:22 AM

oh I forgot about this thread.

the ext error is jus tthis

Quote:

Workgroup Name is not accessible. You may not have permission to use this network resource.

I cannot see the workgroup folder when this happens. yes, there should be many computers in here.

the final answer was using "browstat" a little program that will find the "Master Browser". this happened to be a Win 2000 server and it thought it dominated. I had to disable "anonymous login" in the registery on that computer. this allows other computers to browse the workgroup.

stupid winodws, especially win2000 servers.

it is also considered a bug in win2000 server and ther eis a hotfix for it

afterburn · 08-01-2005, 10:29 AM

Check the event logs on the computer you are trying to access. It should give details of the error on its side.

Try the firewall also, maybe blocking file and print sharing.

scoutt · 08-01-2005, 11:35 AM

it was a "blocking" that was causing it. it was restircting anonymous login to get the browser list. win2000 server is buggy like that. had to set the registry to allow anonymous login.

afterburn · 08-01-2005, 11:41 AM

Ahhh sounds like you changed the registery setting using group policy for requiring authentication for enumeration of Sam's and Share access.

scoutt · 08-01-2005, 11:49 AM

nope, it was acutally in the controlset key under localmachine, but it may have something to do with that you suggest.

afterburn · 08-01-2005, 11:58 AM

Yes its under controlset\lsa if i remember which lanman server authetication if i recall the issue.

scoutt · 08-01-2005, 02:05 PM

yup, the exact key was

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 0

afterburn · 08-01-2005, 02:18 PM

Yes for future reference that key change is only needed for Internet Facing NT Machines. It prohibits enumeration of sams accounts with NetBios. Netbios is the windows Version of Lanman, where lanman is left over from novell and the name has carried.

scoutt · 08-01-2005, 03:23 PM

neither machine is able to get to the internet, not but any bug, but internally cut off for security reasons. I read on M$ that in server 2000 it is a bug. it thinks it has to be a browser master and it runs over server 2003. even if you tell 2000 not to be browser master.

I wish I would have know all this beofore I reformattted the 2003 server

afterburn · 08-01-2005, 03:38 PM

well it because master browser is anonymous while it runs so it can not authenticate against a remote machine.

Master browser work that way in work group, if you had a domain controller, only domain controllers are master browsers and work stations do not broadcast browser requests.

It could be considered a bug but really is a security setting for webservers and such that have external IP's bound to them.

Otherwise i could ask you machine for all users that are on it, and that is half of the access that I need, just password, with most people a small sample of about 2000 words would crack it.

The setting is to stop allowing Lanman Server from answering un-authenticated requests for information.

scoutt · 08-01-2005, 03:49 PM

yeah, we do have a domain controller, but this particular machine isn't. all was fine until they upgraded that machine to 2000 then I had issues with my 2003 server. all is fine now.

that for the clearing up of how it is suppose to work. I had am idea but you assured me of some of it.

how would you have fixed it without that setting? is it possible? is there any risk, besides from the internet, of having that setting open like that?

afterburn · 08-01-2005, 04:43 PM

place another nic in the machine and actually join it to domain so that it can't use master browser. or just what you did.

There is no risk unless it dials to internet directly or gets external IP address. There are very remote security concerns but that would have to have a user execute a virus that enumerates them then trys to crack accounts but then if you are in firewall it would ahve to break that. Otherwise it can only then transfer the data to another server. but these are very remote as viruses of this nature are caught fast.

scoutt · 08-01-2005, 04:53 PM

makes sense. thanks rusty