Announcement

Collapse
No announcement yet.

Administrators unable to logon to SBS 2003 locally, works over RDC

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Administrators unable to logon to SBS 2003 locally, works over RDC

    We have a server running SBS 2003, which we usually only login to using RDC. However on Friday we had to shut the server down and to do this we usually login interactively. This time, we were informed that "The local policy does not permit you to logon locally". As we rarely login locally we can't be sure when this problem arose, however we believe that we were able to login locally on Monday last week. Since then, there have been no changes to the domain security policy, domain controller security policy, or any group policies (which I believe override the security policies anyway?) and the only updates applied through WSUS have been Windows Defender definitions.

    The group policies and security policies are all configured to allow Administrators (which includes Domain Admins), Server Operators, Backup Operators etc to login locally on the server, and nobody is denied this permission. Moving a member server running 2003 Standard into the Domain Controllers OU does not reproduce this issue - we can still login to the member server locally.

    This is a critical issue as our backups are failing to run because the user account the backups run as is denied permssion to logon. Can anybody recommend something we can try to fix this? The reboot on Friday did not clear the issue.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

  • #2
    Re: Administrators unable to logon to SBS 2003 locally, works over RDC

    Hi, unfortuantely i don't have a copy of sbs, however maybe the settings may be the same as server 2003, just to warn you. But here is something to have a look at.

    Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy

    Double-click the Security Settings folder, double-click Local Policies, and then click User Rights Assignment.

    Under the Policy column check for Allow logon locally.

    What does it say there??


    If the settings are different then I apologise in advance.
    And if you change something, remember exactly what u did, so u can undo it.
    Hope it helps.
    Please remember to award reputation points if you have received good advice.
    I do tend to think 'outside the box' so others may not always share the same views.

    MCITP -W7,
    MCSA+Messaging, CCENT, ICND2 slowly getting around to.

    Comment


    • #3
      Re: Administrators unable to logon to SBS 2003 locally, works over RDC

      Account Operators, Administrators, Backup Operators, Print Operators, Server Operators, as in the original post.

      The Administrators group contains Domain Admins, as is the default.

      If I remove Domain Admins from a user account that also has Backup Operators, that user can login. If I add Server Operators to a non administrative user account, that user can login. The problem occurs whenever a member of Domain Admins attempts to login.
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

      Comment


      • #4
        Re: Administrators unable to logon to SBS 2003 locally, works over RDC

        My thinking was that the SID for Domain Admins could have been corrupted, so I created a new group, made it a member of everything Domain Admins is a member of, then added all the members of Domain Admins, and granted that group the relevant permission instead of Domain Admins. A server reboot later, no effect.
        Gareth Howells

        BSc (Hons), MBCS, MCP, MCDST, ICCE

        Any advice is given in good faith and without warranty.

        Please give reputation points if somebody has helped you.

        "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

        "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

        Comment


        • #5
          Re: Administrators unable to logon to SBS 2003 locally, works over RDC

          Do the event logs say anything?
          Please remember to award reputation points if you have received good advice.
          I do tend to think 'outside the box' so others may not always share the same views.

          MCITP -W7,
          MCSA+Messaging, CCENT, ICND2 slowly getting around to.

          Comment


          • #6
            Re: Administrators unable to logon to SBS 2003 locally, works over RDC

            There's nothing in the event logs regarding the failed login. Nor is there anything regarding a failure to apply the group policies at system startup.
            Gareth Howells

            BSc (Hons), MBCS, MCP, MCDST, ICCE

            Any advice is given in good faith and without warranty.

            Please give reputation points if somebody has helped you.

            "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

            "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

            Comment


            • #7
              Re: Administrators unable to logon to SBS 2003 locally, works over RDC

              It seems sometimes we do get an error in the security log. most of the time we don't get anything though.

              Logon Failure:

              Reason: The user has not been granted the requested logon type at this machine
              User Name: SysAd
              Domain: TRB
              Logon Type: 2
              Logon Process: User32
              Authentication Package: Negotiate
              Workstation Name: SBSSRV
              Caller User Name: SBSSRV$
              Caller Domain: TRB
              Caller Logon ID: (0x0,0x3E7)
              Caller Process ID: 524
              Transited Services: -
              Source Network Address: 127.0.0.1
              Source Port: 0
              Last edited by gforceindustries; 6th October 2008, 13:07.
              Gareth Howells

              BSc (Hons), MBCS, MCP, MCDST, ICCE

              Any advice is given in good faith and without warranty.

              Please give reputation points if somebody has helped you.

              "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

              "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

              Comment


              • #8
                Re: Administrators unable to logon to SBS 2003 locally, works over RDC

                Do you also have Domain Admins shown under User Rights Assigment, Allow log on through Terminal Services option as well? Not 100% sure if this would work, but it's worth the try.
                Regards,
                John

                Comment


                • #9
                  Re: Administrators unable to logon to SBS 2003 locally, works over RDC

                  That permission is not defined in the group policy, domain security policy or domain controller security policy. It's never needed to be defined as the default is to allow administrators to logon.
                  Last edited by gforceindustries; 7th October 2008, 10:57.
                  Gareth Howells

                  BSc (Hons), MBCS, MCP, MCDST, ICCE

                  Any advice is given in good faith and without warranty.

                  Please give reputation points if somebody has helped you.

                  "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                  "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

                  Comment


                  • #10
                    Re: Administrators unable to logon to SBS 2003 locally, works over RDC

                    This issue is resolved, it seems that an ancillary group that the admins are members of was added to the Remote Operators group (by a string of inheritance 5 levels deep - hows that for over-complexity) by a temp who didn't document the change.
                    Gareth Howells

                    BSc (Hons), MBCS, MCP, MCDST, ICCE

                    Any advice is given in good faith and without warranty.

                    Please give reputation points if somebody has helped you.

                    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

                    Comment


                    • #11
                      Re: Administrators unable to logon to SBS 2003 locally, works over RDC

                      Maybe there is some kind of vbs script that will tell you all the groups/members ect for sbs.


                      I've found one that worked for me on server 2003.

                      http://www.experts-exchange.com/Micr..._23125429.html
                      Last edited by uk_network; 14th October 2008, 12:54.
                      Please remember to award reputation points if you have received good advice.
                      I do tend to think 'outside the box' so others may not always share the same views.

                      MCITP -W7,
                      MCSA+Messaging, CCENT, ICND2 slowly getting around to.

                      Comment


                      • #12
                        Re: Administrators unable to logon to SBS 2003 locally, works over RDC

                        If it works on 2003 then chances are it works on SBS 2003. In reality though a tool like that is no substitute for a well thought out setup and thorough documentation. The setup I inherited has neither.
                        Gareth Howells

                        BSc (Hons), MBCS, MCP, MCDST, ICCE

                        Any advice is given in good faith and without warranty.

                        Please give reputation points if somebody has helped you.

                        "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                        "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

                        Comment

                        Working...
                        X