After Swing Migration, Users are unable to log into Domain without Local Admin Rights


  • After Swing Migration, Users are unable to log into Domain without Local Admin Rights

    OK, I'm completely stumped.
    We have an SBS 2003 environment. We recently performed a swing migration to upgrade our server (the hardware).
    After the upgrade on Monday morning, users came into the office and were unable to log into the domain from their machines.
    However, all of the Domain Admins were able to log in fine.
    A few users were able to log into the domain only because they had local admin rights to their machines.
    I gave everyone local admin rights to their machines and now everyone is logged in.
    Obviously this is not the ideal environment.
    I foresee utter chaos in our near future if we don't lock down our environment.

    My questions are:
    1. Why do we need local admin rights to login to the domain?
    2. How can we change this so users with "user" rights can log in?
    3. What could have changed during the swing migration?

    Does anyone have any ideas?

  • #2
    Re: After Swing Migration, Users are unable to log into Domain without Local Admin Ri

    What error do you get and when?
    Do the users have rights to their profiles?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: After Swing Migration, Users are unable to log into Domain without Local Admin Ri

      If the user does not have local admin rights when attempting to log in, they will get this error,

      "You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more information"

      Before the migration any domain user was able to log onto any machine on the domain. Now they need local admin rights.

      hmmm...

      Thanks for responding and any help you can provide.
      Last edited by ivan schlachter; 6th November 2008, 22:46.



      • #4
        Re: After Swing Migration, Users are unable to log into Domain without Local Admin Ri

        There is a reply here about SmartCard - basically check your GPOs (especially allow log on locally)
        http://www.eggheadcafe.com/software/...t-allowed.aspx

        Your post here also got a couple of replies
        http://forums.anandtech.com/messagev...readid=2245277

        A lot of posts that I've seen imply this happens with Vista, are the clients that OS?
        cheers
        Andy



        • #5
          Re: After Swing Migration, Users are unable to log into Domain without Local Admin Ri

          Thanks Andy...



          • #6
            Re: After Swing Migration, Users are unable to log into Domain without Local Admin Ri

            If you found a fix please post it for the benefit of everyone.
            cheers
            Andy



            • #7
              Re: After Swing Migration, Users are unable to log into Domain without Local Admin Ri

              I did find a fix. However, I'm still trying to figure out how to change the grayed out Group Policy for "Allow Log on Locally" in the GPO... If you have any ideas I would appreciate the guidance.
              Here is what I found so far:

              Case 1: Group Policy's "Allow log on locally" was not set up to allow users or domain users. To allow users or domain users to log on to the computer or domain, you need to add the users or domain users to "Allow log on locally". Please follow these steps to add the users.

              1. Run gpedit.msc.
              2. Expand Windows Settings\Security Settings\Local Policies
              3. Click on User Rights Assignment
              4. Ensure that "Allow log on locally" includes Administrators, Backup Operators, Domain Users or Users.

              Case 2: Group Policy's "Deny log on locally" was set up to deny users or domain users. To allow users or domain users to log on to the computer or domain locally, "Deny log on locally" should be empty or have no users or domain users in the list. Please follow these steps to remove the users or domain users from "Deny log on locally".

              1. Run gpedit.msc.
              2. Expand Windows Settings\Security Settings\Local Policies
              3. Click on User Rights Assignment
              4. Ensure that "Deny log on locally" is empty.

              Case 3: The local group policy allows users to log on. However, the domain group policy, which overrides local policy, doesn't allow users to log on locally. The resolution is to modify the domain policy to allow users to log on locally.

              Case 4: The domain policy allows domain users to log on locally, but the local policy doesn't and the domain policy doesn't apply to the computer. The fix is to run gpupdate to force an update of the domain policy.

              Case 5: Norton Firewall blocks the communication between the client and domain controller. The solution is disabling Norton Firewall or re-configuring it to allow access to the domain controller.
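
A read-only way to check Cases 1 to 4 above on an affected client, as an added example that is not part of the original thread: it exports the machine's user rights with secedit, resolves who holds "Allow log on locally" and "Deny log on locally", and lists the GPOs applied to the computer. It assumes PowerShell is installed on the client and the prompt is elevated; the temp file name is hypothetical.

```powershell
# Added example: read-only audit of the two logon rights from post #7.
# Assumes PowerShell is installed on the client and the prompt is elevated.
$rights = @{
    'SeInteractiveLogonRight'     = 'Allow log on locally'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
}

function Resolve-Principal([string]$entry) {
    # secedit writes most entries as "*S-1-5-..." SIDs; anything else is kept as written.
    if ($entry -match '^\*(S-1-.+)$') {
        $sidText = $Matches[1]
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return "$sidText (SID does not resolve)"
        }
    }
    return $entry
}

# Export the user rights section of the machine's security settings.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$found = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $name, $value = $Matches[1], $Matches[2]
        if ($rights.ContainsKey($name)) {
            $found[$name] = @($value.Split(',') | ForEach-Object { $_.Trim() } |
                Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ })
        }
    }
}
Remove-Item $cfg

# Cases 1 and 2: print who holds each right; a missing line means nobody is listed.
foreach ($key in $rights.Keys) {
    $members = @($found[$key] | Where-Object { $_ })
    $shown = if ($members.Count) { $members -join '; ' } else { '(none listed)' }
    '{0} [{1}]: {2}' -f $rights[$key], $key, $shown
}

# Cases 3 and 4: list the GPOs applied to this computer.
gpresult /scope computer /v
```

A user right that is greyed out in the local editor is being set by a domain GPO, so it has to be changed in that GPO rather than on the client; the gpresult output names the GPOs that were applied.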



              • #8
                Re: After Swing Migration, Users are unable to log into Domain without Local Admin Ri

                You are probably best off contacting Jeff M directly as he has indicated to me that there is probably something wrong with your group policies and not directly connected to Swing Migration.
                TIA

                Steven Teiger [SBS-MVP(2003-2009)]
                http://www.wintra.co.il/
                I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                We don't stop playing because we grow old, we grow old because we stop playing.
