Domain Logon

tvanduzee

Member
May 8, 2013
25
0
0
Hey All

I'm having a bit of an issue here (hence the post hehe)
Windows Server 2008 R2 Domain Server
Windows 7 Pro 64 client (several)

When I put together a new machine/install of Windows 7, I set the domain user's account as a local admin on the Windows 7 machine. No problems there, I'm able to log into the domain. However, when I attempt to use the same machine to log into the domain as another user, I get the message saying "You cannot log in because the logon method you are using is not allowed on this computer. See your network admin...." Well, that's me, and I'm not sure how to get rid of it. It does not make sense to have to create a local account for each domain user that could potentially log into that machine. This error was the reason I made each domain user a local admin on their primary machine.

When I use my domain admin account to log in, I do not get the error.....

Is there another fix for this?

Thank You
Terry
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Does the "Domain Users" group have "Allow Log On Locally" enabled in the local security policy?

That should be a default in a domain environment, so they may have been denied that right in a group policy somewhere...
 

tvanduzee

Member
May 8, 2013
25
0
0
I see that Logon Locally has admins and backup operators, but I also see accounts beginning with S-1-5-32-548, S-1-5-32-549, S-1-5-32-550

But the ability to add/remove users is greyed out. I'm logged in as my Domain Admin.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Are you on the network and able to communicate with a Domain Controller? Those S-1-5... accounts are either SIDs of accounts that were previously deleted, or they may be SIDs for accounts on the Domain that the computer can't resolve the names for because a domain controller is not available.

Create a new GPO that's linked to the OU where your domain computers (not servers) are kept, and give Domain Users the Log On Locally right in the GPO.

Maybe I'm wrong about Domain Users having allow logon locally by default...been a while since I've stood up a domain from scratch. Did someone else build your domain environment or have their hands in it?
 

Lifted

Diamond Member
Nov 30, 2004
5,748
2
0
tvanduzee said:
I see that Logon Locally has admins and backup operators, but I also see accounts beginning with S-1-5-32-548, S-1-5-32-549, S-1-5-32-550

But the ability to add/remove users is greyed out. I'm logged in as my Domain Admin.

These are SIDs of built-in security groups.

SID: S-1-5-32-548
Name: Account Operators

SID: S-1-5-32-549
Name: Server Operators

SID: S-1-5-32-550
Name: Print Operators


Did you verify that DNS is working and configured correctly on the server and each workstation (ideally via an AD DHCP server)?

Did you modify the default domain policy or create any new policies?
 

tvanduzee

Member
May 8, 2013
25
0
0
Every other machine on the network works fine.. DNS - No problems. It's only new systems with windows 7 or 8.
No modifications to the Domain policies were made.
This is an inherited network; I did not set it up, but I can say up until I began adding new machines all worked well. Any of the Windows 7 machines that were on the network already seem to work fine, and anyone can log in on any workstation.
I'm kind of at a loss here. I know that if I add a domain user as a local admin to the machine, I can then log in from that machine. So, that leads me to believe there is a policy in place (which I did check out) or security somewhere.

Thanx
Terry
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
The root problem is absolutely that the Domain Users group does not have the Allow Log on Locally permission. I would probably try disjoining one of the problem PCs from the domain, reboot, re-join the domain again, reboot, and then see if the problem persists.

Check event viewer for errors.

Run gpresult to confirm that group policies are being applied.

Look at what GPOs are being applied to the computer and look at the settings for each GPO. Compare that to the GPOs being applied to one of the old computers that works.

It may take some time, but you need to figure out why Domain Users has not been added to Allow Log On Locally.
 

tvanduzee

Member
May 8, 2013
25
0
0
Ok, Not sure what I did that made it work properly. As domain admin, on the local station I created a user called "Domain User" and made this user a local admin. I also noticed that this user belonged to the "Domain Users" Group. But after adding the user, I was able to log in as any user in the domain. Perhaps there is someone that can give some logic behind this?

Thank You
Terry
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
tvanduzee said:
Ok, Not sure what I did that made it work properly. As domain admin, on the local station I created a user called "Domain User" and made this user a local admin. I also noticed that this user belonged to the "Domain Users" Group. But after adding the user, I was able to log in as any user in the domain. Perhaps there is someone that can give some logic behind this?

Thank You
Terry

What? None of this makes sense...

There is no reason you should have a local user called "Domain User"

It is not possible to make a local user a member of the Domain Users group (unless you have a local group that you named Domain Users...which is just completely confusing the situation).

You should stop making changes until you understand what exactly you're doing. You should look at the GPOs like I suggested, or call a consultant that knows what they're doing if you don't know what you're looking at. If you don't take the time to understand what you're doing, and do it the right way, then you're probably going to screw up the AD environment more than it already is.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Excuse me for giving some 1/2 good information earlier...
Now that I've got an AD environment in front of me to look at, it's the local "Users" group that should have the Allow Log On Locally right. Domain Users should be a member of the local Users group.
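An added example (not from the thread) that audits the items the replies converge on: the "Allow log on locally" and "Deny log on locally" rights as actually applied on the workstation, the built-in SIDs resolved to names (the S-1-5-32-5xx entries discussed above), the local Users group membership, and which GPOs delivered the settings. Run it in an elevated PowerShell session on an affected client; it assumes only secedit.exe, net.exe and gpresult.exe, which ship with Windows, and the temp file path is constructed here.

```powershell
# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # constructed temp path
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-SidOrName {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; plain names are written as-is.
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            return "$Entry ($name)"
        } catch {
            # Unresolved SID: deleted account, or a domain SID with no DC reachable.
            return "$Entry (unresolved)"
        }
    }
    return $Entry
}

function Get-UserRight {
    param([string]$Right)
    # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { Resolve-SidOrName $_.Trim() }
}

"SeInteractiveLogonRight (Allow log on locally):"
Get-UserRight 'SeInteractiveLogonRight' | ForEach-Object { "  $_" }
"SeDenyInteractiveLogonRight (Deny log on locally, wins over Allow):"
Get-UserRight 'SeDenyInteractiveLogonRight' | ForEach-Object { "  $_" }

# Domain Users should appear here; the local Users group is S-1-5-32-545.
"`nLocal Users group membership:"
net.exe localgroup Users

# Which GPOs (and from which OU links) actually applied to this computer.
"`nApplied computer GPOs:"
gpresult.exe /scope computer /r

Remove-Item $cfg -ErrorAction SilentlyContinue
```

If Users (S-1-5-32-545) is missing from the Allow list, or a group the user belongs to appears in the Deny list, the gpresult output shows which GPO to compare against a working machine.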
 

tvanduzee

Member
May 8, 2013
25
0
0
1. you're right, it does not make sense.
2. I'm not making changes to my AD at all, I'm only changing the client side.
3. I understand your frustration seeing someone investigating their inherited network as a "noob".
4. Yes, the local Users group has "Allow Logon Locally". Although I can make no changes in this particular GPO; I cannot add or remove from here.

After I was able to log in with other users' accounts, I deleted the local "Domain User" account and everything continued to work. I am going to begin investigating this to see what GPOs are actually at work. I did run gpresult and now have a starting place. There are a ton of groups created in AD and I will need to find out the particulars about them all.

Thank you for your help

Terry
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
tvanduzee said:
Ok, Not sure what I did that made it work properly. As domain admin, on the local station I created a user called "Domain User" and made this user a local admin. I also noticed that this user belonged to the "Domain Users" Group. But after adding the user, I was able to log in as any user in the domain. Perhaps there is someone that can give some logic behind this?

Thank You
Terry

This part really doesn't make any sense and I don't think it had anything to do with it working/not working. The biggest thing with AD for it not to work is for your DNS to not be configured properly. Make sure your client PCs' DNS was pointing exclusively to your domain's DNS server (usually the same server). This way all domain requests hit the DC correctly. It sounds like the client didn't fully get joined 100% the first time, likely due to it not communicating 100% with the DC in the first place, so permissions only made it through part of the way.

You shouldn't have to add any users to any group EXCEPT in the odd instance you want to add domain users to the local administrators group. If you're having to add users to local groups, something isn't configured correctly with the DC you have. First check your DNS settings, then reboot, and do a gpupdate and see if that fixes it. You may also need to remove the PC from the domain, reboot, then re-add it and see what happens.
 

Lifted

Diamond Member
Nov 30, 2004
5,748
2
0
I think you should check the membership of the existing computers in your domain, and their location in AD.

Are the new computers in the default computer container (this container is not an OU)?

Are the old computers in OUs? If so, do those OUs have GPOs applied to them?

Are the existing computers that don't have this issue members of any specific security groups?
 