Your thoughts on this?

  • #1

    I'm researching a reason why two computers seem to have serious connectivity issues when certain people are logged into them.

    Both PCs were replaced for the same reason and both new computers are experiencing the same issue.

    Both were loaded from different servers (over 2,000 miles apart) and both servers are commonly used for loading applications and OSs so we can eliminate a bad load.

    Cables are fine - our data group checked the location's network and found no errors.

    This only happens to two people and they do not have this issue when they're logged onto other computers. (This eliminates a profile issue when it's pulled from the server).

    I've reset the group policies on both PCs and reset the domain (off our domain, then back on).

    I've checked the event logs and nothing stands out of the ordinary except this:

    Event log shows this:

    Event Type: Warning

    Event Source: LSASRV

    Event Category: SPNEGO (Negotiator)

    Event ID: 40960

    Date: 6/1/2010

    Time: 2:17:18 PM

    User: N/A

    Computer: (computer name)

    Description:

    The Security System detected an attempted downgrade attack for server (server - possibly one of our email servers). The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication. (0x80090311)".

    Thoughts on this?

    I have data services doing a full scan tonight when no one is in this location to be sure and they've reset the logs (errors were on the logs but they were from when I did some network on there a few weeks ago - and the issues were happening before this).
    Quote Dalesys:
    ... as in "Ifn thet dawg comes at me, Ima gonna shutz ma panz!"
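A small triage helper for the 40960 warnings quoted above, added here as an example and not code from the thread. It assumes the events are pasted in Event Viewer's key: value layout, and the workstation name WS-01, the service name cifs/MAIL01 and the unrelated 7036 event are constructed placeholders; the only failure code used is the one shown in the post.

```python
import re
from collections import Counter

# Constructed sample in Event Viewer's "copy" layout; WS-01 and cifs/MAIL01 are
# placeholders. Two 40960 warnings plus one unrelated event the parser must skip.
SAMPLE_EVENTS = """\
Event Source: LSASRV
Event ID: 40960
Computer: WS-01
Description:
The Security System detected an attempted downgrade attack for server cifs/MAIL01. The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication.
(0x80090311)".
Event Source: LSASRV
Event ID: 40960
Computer: WS-01
Description:
The Security System detected an attempted downgrade attack for server cifs/MAIL01. The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication.
(0x80090311)".
Event Source: Service Control Manager
Event ID: 7036
Computer: WS-02
Description:
The Print Spooler service entered the running state.
"""

SERVER_RE = re.compile(r"downgrade attack for server (\S+?)\.\s")
CODE_RE = re.compile(r"\((0x[0-9A-Fa-f]{8})\)")

def parse_events(text):
    """Split pasted Event Viewer text into dicts; Description keeps its full body."""
    events = []
    for chunk in re.split(r"^(?=Event Source:)", text, flags=re.M):
        if chunk.strip():
            head, _, desc = chunk.partition("Description:\n")
            ev = dict(ln.split(": ", 1) for ln in head.splitlines() if ": " in ln)
            ev["Description"] = desc.strip()
            events.append(ev)
    return events

def triage(text, threshold=2):
    """Map (computer, server, failure code) -> count for LSASRV 40960 warnings seen
    at least `threshold` times: repeats from one workstation against one server
    point at that machine's path to the KDC rather than a one-off blip."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("Event Source") == "LSASRV" and ev.get("Event ID") == "40960":
            server = SERVER_RE.search(ev["Description"])
            code = CODE_RE.search(ev["Description"])
            counts[(ev["Computer"], server.group(1) if server else "?",
                    code.group(1) if code else "?")] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```

Running `triage(SAMPLE_EVENTS)` groups the two warnings into one entry for WS-01 against cifs/MAIL01 with code 0x80090311, which is the signal worth chasing per machine rather than per event.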

  • #2
    Based on my googling of the error code 0x80090311, it seems to mimic a trust issue with IIS and the DCs. Now I could be way off, but you might check the DCs for those 2 PCs.
    This is a drama-free zone; violators will be slapped. -Irving Patrick Freleigh
    my blog:http://steeledragon.wordpress.com/

  • #3
    Also, I'd suggest a virus check. I've run into a couple recently that don't show up to all users of the computer--just the one that brought it in. They hide in the individual's account folder in the Documents and Settings folder.
    The Rich keep getting richer because they keep doing what it was that made them rich. Ditto the Poor.
    "Hy kan tell dey is schmot qvestions, dey is makink my head hurt."
    Hoc spatio locantur.

  • #4
    Hmm, strange error. From a desktop, that error pops up when you have an admin level account used from a non-admin source. But not everything will trigger it.

    So it may be related to poking around with trying to fix it.

    If it's a serious slowdown issue, and the NIC cards are gigabit on a 100Mb network, then it might be just the NIC. Some gigabit Broadcom cards have an issue being on 100base PoE switches, and need a registry edit to fix the issue. So I'd try that: put in some off-the-shelf network cards. And for the life of me I can't find the info on the fix, so check back later.

  • #5
    This is a really weird one, especially since only two computers are having problems.

    Computer + User = fail
    Computer + other User = win
    other Computer + User = win
    So it must be something specific to this combination.

    Do you use any group policies that fiddle with Kerberos and/or IPsec? Perhaps the settings for the computers and the users mix badly, so authentication fails. GPMC is your friend.
    Or simply dragging the computers into a different OU will help, which might be a quick test for policy problems.
    No trees were killed in the posting of this message.

    However, a large number of electrons were terribly inconvenienced.

  • #6
    Let's see here,

    Virus / spyware check - negative. Symantec is pretty up to date and keeps the systems clean. If anything suspicious pops up, a ticket would be logged (automatically) and the PC would be kicked off the domain.

    No one outside the GPO group should be messing with the policies - no one outside of IT would even have the access to this.

    One of my team members deleted all the profiles on these PCs and he came up with something suspicious. Several files, which can normally (and easily) be deleted under the super-duper admin account (like ntuser.dat) were attributed read-only and he had to actually go into the registry to completely remove their accounts. Coincidentally (or I don't think so), the two accounts that had these issues? The two users in question.

    After this was done there wasn't a single complaint from the location.

    I also had our data services reset the logs in the router and noticed several errors pop up between when he reset the log and when the users left the location. He hasn't gotten to me about it, but he wouldn't note the ticket about it and wouldn't discuss it over email - he asked me to actually call him about it.

    Another series of tests were run overnight and nothing came up.

    One of the users is always telling me he thinks it is the cookies - I need to delete all of his cookies. Make sure I delete his cookies - why would he say that??

    I have a suspicion that these users are using proxy software (despite my warnings in the past). It is the only thing that can explain everything that's been going on. Non-admin rights would be needed for a minimal installation, which is what they do. Very hard to trace, and it re-writes protocols and account settings.

    I have told them in the past (when I knew they used them) that if these sites and programs are letting you see the whole internet - what do the (l)users think they're allowing the program to see on our network? We have extremely serious information on our network, 20 million customers (currently active - no telling how many total including deactivated accounts) including social security numbers, mailing addresses, birth dates, etc.

    I think this location may lose some reps over the next few weeks.

  • #7
    Quoth draggar:
    No one outside the GPO group should be messing with the policies - no one outside of IT would even have the access to this.
    Yeah, the best way to nuke a domain, h*ll, a whole forest, is to play with GPOs without knowledge and proper testing.

    Quoth draggar:
    One of my team members deleted all the profiles on these PCs and he came up with something suspicious. Several files, which can normally (and easily) be deleted under the super-duper admin account (like ntuser.dat) were attributed read-only and he had to actually go into the registry to completely remove their accounts. Coincidentally (or I don't think so), the two accounts that had these issues? The two users in question.
    Indeed... a read-only ntuser.dat is suspicious. I haven't heard about a specific attack (yet) that would do that, but when professional attackers are behind this, who knows.

    Quoth draggar:
    I also had our data services reset the logs in the router and noticed several errors pop up between when he reset the log and when the users left the location. He hasn't gotten to me about it, but he wouldn't note the ticket about it and wouldn't discuss it over email - he asked me to actually call him about it.

    Another series of tests were run overnight and nothing came up.
    The logs should be an interesting read then... It's either porn, or warez, or job hunt, or an employee with the need for money.

    I'm not sure that it's good news that tests came up negative... call me paranoid... but with something weird like that, I'd be super wary.

    Quoth draggar:
    One of the users is always telling me he thinks it is the cookies - I need to delete all of his cookies. Make sure I delete his cookies - why would he say that??

    I have a suspicion that these users are using proxy software (despite my warnings in the past). It is the only thing that can explain everything that's been going on. Non-admin rights would be needed for a minimal installation, which is what they do. Very hard to trace, and it re-writes protocols and account settings.

    I have told them in the past (when I knew they used them) that if these sites and programs are letting you see the whole internet - what do the (l)users think they're allowing the program to see on our network? We have extremely serious information on our network, 20 million customers (currently active - no telling how many total including deactivated accounts) including social security numbers, mailing addresses, birth dates, etc.

    I think this location may lose some reps over the next few weeks.
    Wait a sec... those lusers install(ed) potentially dangerous software and they got away with that? With the sensitive data you have on your network, those idiots really should get their asses handed to them, if only as a warning to others. Criminals would drool over data like that and would do almost everything to get their hands on it.
    Depending on what the logs show, I'm sure the firewall settings will change, even if it's hard to prevent those proxies from doing their dirty work. And perhaps the GPO group needs to research software run restrictions, which can be a pain in the butt, but when coworkers are such idiots, it might be the only way to prevent the use of potentially dangerous software.

    If you can... please tell us more...

  • #8
    I went to the site today and I think I found the problem.

    They were using a cheap LinkSys hub for the two computers that were having the issues. So you have two computers trying to request information from the same IP address on the network (even though from remote they looked like two different IP addresses on the location's LAN).

    They didn't have enough ports - luckily one of the non-working ones was wired to the back so I just plugged it in.