You cannot open file shares or Group Policy snap-ins when you di... http://support.microsoft.com/kb/839499

Article ID: 839499 - Last Review: December 3, 2007 - Revision: 6.3


You cannot open file shares or Group Policy snap-ins when you
disable SMB signing for the Workstation or Server service on a
domain controller

SUMMARY

This article discusses how to resolve the following two problem scenarios
that may occur in Microsoft Windows Server 2003 or in Microsoft Windows 2000 Server:

1. Server message block (SMB) signing is disabled for the Workstation service on a domain controller, but SMB signing is required for the Server service on the same domain controller.
2. SMB signing is disabled for the Server service on a domain controller, but SMB signing is required for the Workstation service on the same domain controller.

SYMPTOMS

Scenario 1 - SMB signing is disabled for the Workstation service on a domain controller,
but SMB signing is required for the Server service on the same domain controller.

Windows Server 2003


When you try to open Group Policy snap-ins on the domain controller, you receive an error message that is similar to the following:

You do not have permission to perform this operation.
Access is denied.

The server logs the following events in the application event log every five minutes:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Domain_Name,DC=com. The file must be present at the location <\\Domain_Name.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied.) Group Policy processing aborted.
For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this. For more information, see Help and Support Center at http://support.microsoft.com.

When you log on to the server locally and then try to open shares on the server, you receive repeated password prompts, and you cannot open the shares.

Windows 2000 Server


When you try to open Group Policy snap-ins on the domain controller, you receive an error message that is similar to the following:

You do not have permission to perform this operation.
Access is denied.

The domain controller logs the following event in the application event log:

Event Type: Error
Event Source: Userenv
Event Category: None
Time: 4:07:30 PM
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot access the registry information at \\Domain_Name.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (5).

When you log on to the server locally and then try to open shares on the server, you receive repeated password prompts, and you cannot open the shares.

Scenario 2 - SMB signing is disabled for the Server service on a domain controller, but
SMB signing is required for the Workstation service on the same domain controller.

Windows Server 2003


When you try to open Group Policy snap-ins on the domain controller, you receive an error message that is similar to the following:

Failed to open the Group Policy Object. You may not have the appropriate rights.
The account is not authorized to log in from this station.

In a network trace, if SMB signing is enabled and required at the client and is disabled at the server, the TCP session is gracefully closed after the Dialect Negotiation, and the client receives the following error:

1240 (ERROR_LOGIN_WKSTA_RESTRICTION)

The domain controller logs the following events in the application event log every five minutes:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Domain_Name,DC=com. The file must be present at the location <\\domainname.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The network path was not found.) Group Policy processing aborted. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this. For more information, see Help and Support Center at http://support.microsoft.com.

When you log on to the server locally and then try to open file shares on the server, you receive an error message that is similar to the following:

\\Server_Name\Share_Name is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
The account is not authorized to log in from this station.

Note In a network trace, if SMB signing is enabled and required at the client and is disabled at the server, the TCP session is gracefully closed after the dialect negotiation. Also, the client receives the following error message:
1240 (ERROR_LOGIN_WKSTA_RESTRICTION)

2 of 7 3/21/2009 8:42 PM
You cannot open file shares or Group Policy snap-ins when you di... http://support.microsoft.com/kb/839499

Windows 2000 Server


When you try to open Group Policy snap-ins on the domain controller, you receive an error message that is similar to the following:

Failed to open the Group Policy Object. You may not have the appropriate rights.
The account is not authorized to log in from this station.

The domain controller logs the following event in the application event log every five minutes:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot access the registry information at \\Domain_Name.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (1240).

When you log on to the server locally and then try to open file shares on the server, you receive an error message that is similar to the following:

\\Server_Name\Share_Name is not accessible.
The account is not authorized to log in from this station.

Note In a network trace, if SMB signing is enabled and required at the client and is disabled at the server, the TCP session is gracefully closed after the dialect negotiation. Also, the client receives the following error message:
1240 (ERROR_LOGIN_WKSTA_RESTRICTION)

CAUSE

This behavior occurs if the SMB signing settings for the Workstation service
and for the Server service contradict each other. When you configure the domain controller in this way, the
Workstation service on the domain controller cannot connect to the domain controller's Sysvol share.
Therefore, you cannot start Group Policy snap-ins. Also, if SMB signing policies are set by the default domain
controller security policy, the problem affects all the domain controllers on the network. Therefore, Group
Policy replication in the Active Directory directory service will fail, and you will not be able to edit Group Policy
to undo these settings.

RESOLUTION

To resolve this behavior, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

1. On the domain controller, click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
3. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.
4. Double-click requiresecuritysignature, type 1 in the Value data box, and then click OK.
5. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
6. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box, and then click OK.
7. Double-click requiresecuritysignature, type 0 in the Value data box, and then click OK.
8. After you change these registry values, restart the Server and Workstation services. Do not restart the domain controller, because this action may cause Group Policy to change the registry values back to the earlier values.
9. Open the domain controller's Sysvol share. To do this, click Start, click Run, type \\Server_Name\Sysvol, and then press ENTER. If the Sysvol share does not open, repeat steps 1 through 8.
10. Repeat steps 1 through 9 on each affected domain controller to make sure that each domain controller can access its own Sysvol share.
11. After you connect to the Sysvol share on each domain controller, open the Domain Controller Security Policy snap-in, and then configure the SMB signing policy settings. To do this, follow these steps:
    a. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.
    b. In the left pane, expand Local Policies, and then click Security Options.
    c. In the right pane, double-click Microsoft network server: Digitally sign communications (always).

       Note In Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (always).

       Important If you have client computers on the network that do not support SMB signing, you must not enable the Microsoft network server: Digitally sign communications (always) policy setting. If you enable this setting, you require SMB signing for all client communication, and client computers that do not support SMB signing will not be able to connect to other computers. For example, clients that are running Apple Macintosh OS X or Microsoft Windows 95 do not support SMB signing. If your network includes clients that do not support SMB signing, set this policy to disabled.
    d. Click to select the Define this policy setting check box, click Enabled, and then click OK.
    e. Double-click Microsoft network server: Digitally sign communications (if client agrees).

       Note For Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (when possible).
    f. Click to select the Define this policy setting check box, and then click Enabled.
    g. Click OK.
    h. Double-click Microsoft network client: Digitally sign communications (always).
    i. Click to clear the Define this policy setting check box, and then click OK.
    j. Double-click Microsoft network client: Digitally sign communications (if server agrees).
    k. Click to clear the Define this policy setting check box, and then click OK.
12. Run the Group Policy Update utility (Gpupdate.exe) with the force switch. To do this, follow these steps:
    a. Click Start, click Run, type cmd, and then click OK.
    b. At the command prompt, type gpupdate /force, and then press ENTER.

    For more information about the Group Policy Update utility, click the following article number to view the article in the Microsoft Knowledge Base: 298444 (http://support.microsoft.com/kb/298444/) A description of the Group Policy Update utility

    Note The Group Policy Update utility does not exist in Windows 2000 Server. In Windows 2000, the equivalent command is secedit /refreshpolicy machine_policy /enforce.

    For more information about using the Secedit command in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base: 227302 (http://support.microsoft.com/kb/227302/) Using SECEDIT to force a Group Policy refresh immediately
13. After you run the Group Policy Update utility, check the application event log to make sure that the Group Policy settings were updated successfully. After a successful Group Policy update, the domain controller logs Event ID 1704. This event appears in the Application Log in Event Viewer. The source of the event is SceCli.
14. Check the registry values that you changed in steps 1 through 7 to make sure that the registry values have not changed.

    Note This step makes sure that a conflicting policy setting is not applied at another group or organizational unit (OU) level. For example, if the Microsoft network client: Digitally sign communications (if server agrees) policy is configured as "Not Defined" in Domain Controller Security Policy, but this same policy is configured as disabled in Domain Security Policy, SMB signing will be disabled for the Workstation service.
15. If the registry values have changed after you run the Group Policy Update utility, open the Resultant Set of Policy (RSoP) snap-in in Windows Server 2003. To start the RSoP snap-in, click Start, click Run, type rsop.msc in the Open box, and then click OK.

    In the RSoP snap-in, the SMB signing settings are located in the following path: Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options

    Note If you are running Windows 2000 Server, install the Group Policy Update utility from the Windows 2000 Resource Kit, and then type the following at the command prompt: gpresult /scope computer /v

    After you run this command, the Applied Group Policy Objects list appears. This list shows all Group Policy objects that are applied to the computer account. Check the SMB signing policy settings for all these Group Policy objects.
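The following PowerShell script is an added example; it is not part of this article and not Microsoft's own tooling. It reads the four registry values that steps 2 through 7 edit by hand, applies the rule from the CAUSE section to name which scenario the domain controller is in, writes the values the steps prescribe, restarts the Server and Workstation services instead of the domain controller (step 8), tests the Sysvol share (step 9), and keeps a snapshot so the step-14 comparison after gpupdate /force can be repeated without reading regedit by eye. It assumes an elevated PowerShell 2.0 or later session on the domain controller (PowerShell did not ship with Windows 2000 or Windows Server 2003, so this applies to a DC where it has been installed, or to a later Windows Server release that still carries these values); reading "disabled" as neither enabled nor required is this example's interpretation of the article's wording, and the function names are its own.

```powershell
# Added example, not from KB 839499. Automates the registry part of the
# RESOLUTION (steps 2-9 and 14) and encodes the CAUSE section's conflict rule.
# Assumptions: elevated PowerShell 2.0+ on the domain controller; 1 = on, 0 = off
# for the two values, as the article describes. Function names are this example's own.

$ServerKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$WorkstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters'

function Get-SmbSigningState {
    # Reads enablesecuritysignature / requiresecuritysignature from one key.
    # A value that does not exist comes back as $null, which is distinct from 0.
    param([Parameter(Mandatory=$true)][string]$Key)
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop
    New-Object -TypeName PSObject -Property @{
        Key     = $Key
        Enable  = $p.enablesecuritysignature
        Require = $p.requiresecuritysignature
    }
}

function Test-SmbSigningConflict {
    # Returns 1 or 2 for the article's two scenarios, or 0 when the Server and
    # Workstation settings do not contradict each other. "Disabled" is read here
    # as neither enabled nor required (assumption about the article's wording).
    param($Server, $Workstation)
    $serverOn = ($Server.Enable -eq 1) -or ($Server.Require -eq 1)
    $clientOn = ($Workstation.Enable -eq 1) -or ($Workstation.Require -eq 1)
    if (($Server.Require -eq 1) -and -not $clientOn)      { return 1 }  # Sysvol fails with 5
    if (($Workstation.Require -eq 1) -and -not $serverOn) { return 2 }  # Sysvol fails with 1240
    return 0
}

function Repair-SmbSigningState {
    # Steps 3-8: Server enable=1/require=1, Workstation enable=1/require=0, then
    # restart the two services rather than the DC, so Group Policy does not
    # reapply the conflicting values before the Sysvol share can be opened.
    Set-ItemProperty -Path $ServerKey      -Name enablesecuritysignature  -Value 1 -Type DWord
    Set-ItemProperty -Path $ServerKey      -Name requiresecuritysignature -Value 1 -Type DWord
    Set-ItemProperty -Path $WorkstationKey -Name enablesecuritysignature  -Value 1 -Type DWord
    Set-ItemProperty -Path $WorkstationKey -Name requiresecuritysignature -Value 0 -Type DWord
    Restart-Service -Name LanmanServer      -Force
    Restart-Service -Name LanmanWorkstation -Force
}

function Test-SmbSigningDrift {
    # Step 14: compare a snapshot taken before gpupdate /force with the current
    # values. Any difference means a policy at another scope rewrote them.
    param($Before, $After)
    foreach ($name in 'Enable', 'Require') {
        if ($Before.$name -ne $After.$name) {
            New-Object -TypeName PSObject -Property @{
                Key = $After.Key; Value = $name; Before = $Before.$name; After = $After.$name
            }
        }
    }
}

# Diagnose (read-only view of steps 2-7), repair if needed, then check Sysvol (step 9).
$srv = Get-SmbSigningState -Key $ServerKey
$wks = Get-SmbSigningState -Key $WorkstationKey
$scenario = Test-SmbSigningConflict -Server $srv -Workstation $wks
switch ($scenario) {
    1 { 'Scenario 1: Server requires signing but the Workstation service has it disabled.' }
    2 { 'Scenario 2: Workstation requires signing but the Server service has it disabled.' }
    0 { 'Server and Workstation SMB signing settings are consistent.' }
}
if ($scenario -ne 0) {
    Repair-SmbSigningState
    if (-not (Test-Path -Path "\\$env:COMPUTERNAME\Sysvol")) {
        Write-Warning 'Sysvol share is still not reachable; repeat steps 1 through 8.'
    }
}

# After step 12 (gpupdate /force), rerun the reads and compare with the snapshots:
#   Test-SmbSigningDrift -Before $srv -After (Get-SmbSigningState -Key $ServerKey)
#   Test-SmbSigningDrift -Before $wks -After (Get-SmbSigningState -Key $WorkstationKey)
```

Run the script once before touching Group Policy to learn which scenario you are in; an empty result from Test-SmbSigningDrift after gpupdate /force is the same evidence step 14 asks for, and any row it does return points at a policy applied at another scope, which is what step 15's RSoP check then locates.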

MORE INFORMATION

If you run the domain controller diagnostic tool (DcDiag.exe) in scenario 1, you receive errors that are similar to the following for Windows 2000 and for Windows Server 2003:

Starting test: MachineAccount
Could not open pipe with [SERVERNAME]:failed with 5: Access is denied.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* Missing SPN :(null)
* Missing SPN :(null)
......................... SERVERNAME failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [SERVERNAME]:failed with 5: Access is denied.
......................... SERVERNAME failed test Services
Starting test: ObjectsReplicated
......................... SERVERNAME passed test ObjectsReplicated
Starting test: frssysvol
[SERVERNAME] An net use or LsaPolicy operation failed with error 5, Access is denied..
......................... SERVERNAME failed test frssysvol
Starting test: frsevent
......................... SERVERNAME failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error Access is denied.
......................... SERVERNAME failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error Access is denied.
......................... SERVERNAME failed test systemlog

If you run the domain controller diagnostic tool in scenario 2, you receive errors that are similar to the following for Windows 2000 and for Windows Server 2003:

Testing server: Default-First-Site-Name\SERVERNAME
Starting test: Replications
......................... SERVERNAME passed test Replications
Starting test: NCSecDesc
......................... SERVERNAME passed test NCSecDesc
Starting test: NetLogons
[SERVERNAME] An net use or LsaPolicy operation failed with error 1240, The account is not authorized to log in from this station..
......................... SERVERNAME failed test NetLogons
Starting test: Advertising
......................... SERVERNAME passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVERNAME passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVERNAME passed test RidManager
Starting test: MachineAccount
Could not open pipe with [SERVERNAME]:failed with 1240: The account is not authorized to log in from this station.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* Missing SPN :(null)
* Missing SPN :(null)
......................... SERVERNAME failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [SERVERNAME]:failed with 1240: The account is not authorized to log in from this station.
......................... SERVERNAME failed test Services
Starting test: ObjectsReplicated
......................... SERVERNAME passed test ObjectsReplicated
Starting test: frssysvol
[SERVERNAME] An net use or LsaPolicy operation failed with error 1240, The account is not authorized to log in from this station..
......................... SERVERNAME failed test frssysvol
Starting test: frsevent
......................... SERVERNAME failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error The account is not authorized to log in from this station.
......................... SERVERNAME failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error The account is not authorized to log in from this station.
......................... SERVERNAME failed test systemlog

The third-party products that this article discusses are manufactured by companies that are independent of
Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these
products.

APPLIES TO

Microsoft Windows Small Business Server 2003 Premium Edition
Microsoft Windows Small Business Server 2003 Standard Edition
Microsoft Windows Server 2003, 64-Bit Datacenter Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Server

Keywords: kbmgmtservices kbfileprintservices kbgrppolicyprob kbregistry kbtshoot kbprb KB839499

©2009 Microsoft
