Some users cannot log into domain after profile caching disabled


  • Some users cannot log into domain after profile caching disabled

    Now this is weird!

    Here's the scenario:

    Windows 2003 Active Directory Domain running in native mode.

    I've been having a problem with some workstations (WS) not running startup scripts. The WS's work fine otherwise; DNS, roaming profiles, etc.

    So, I decided to disable cached profiles (previous logons set to 0) and enabled the "always wait for network" setting in GPO.

    Well....... the next morning, I had five workstations that would refuse to allow users to log into them! Users would log on, the system would wait and then tell them "The system cannot log you on because domain name is not available."

    The domain is available! I got a workaround going by logging in locally to the machine, authenticating to the domain from there, logging out and then the user could log in normally.

    After a reboot I had to do the workaround all over again.

    I don't know what has gone on at this place before, so I assumed the worst.

    I disjoined one of the WS from the domain, removed the computer object and then used the Sysinternal utility to deploy a new SID to it.

    It finished, I logged in locally, rejoined the domain, placed the computer where it needed to be, etc., rebooted. It let me in! I was thinking wow, great. I log out, and attempt to log back in, the problem returns!

    Anyone ever seen this crazy stuff before?

    On a side note, I blew away the install on one WS and did a manual reinstall; it worked fine after that.

    I really don't want to blow away the workstations (since I'm building an imaging server for them ATM...)

    Thanks in advance!!
    Last edited by Parkham; 7th May 2009, 18:33.

  • #2
    Re: Some users cannot log into domain after profile caching disabled

    I think I'm crazy sometimes. I totally forgot to reset the computer accounts in Active Directory and see if that would fix the problem. But on the other hand, the steps I did for the other computer would effectively be considered resetting the computer account...Hrm..

    I'll post an update if that works.



    • #3
      Re: Some users cannot log into domain after profile caching disabled

      Well, scratch that; it didn't fix the issue.



      • #4
        Re: Some users cannot log into domain after profile caching disabled

        Unbelievable. I figured out the problem. Symantec Client Firewall was causing the issue. I don't know why and I don't know why it was only on five workstations.



        • #5
          Re: Some users cannot log into domain after profile caching disabled

          Well it is Symantec huh?
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl



          • #6
            Re: Some users cannot log into domain after profile caching disabled

            Originally posted by Parkham:
            Unbelievable. I figured out the problem. Symantec Client Firewall was causing the issue. I don't know why and I don't know why it was only on five workstations.
            Is it Symantec Endpoint by any chance?



            • #7
              Re: Some users cannot log into domain after profile caching disabled

              Originally posted by Virtual:
              Is it Symantec Endpoint by any chance?
              How did you know? *laughs* Yes, it is client security 3.1.



              • #8
                Re: Some users cannot log into domain after profile caching disabled

                Originally posted by Virtual:
                Is it Symantec Endpoint by any chance?
                Hey Virtual. I'm curious, why did you ask if it was Endpoint? Client Security 3.1 is part of the 'overall endpoint' package.

                Do you have a few horror stories with Symantec?



                • #9
                  Re: Some users cannot log into domain after profile caching disabled

                  I do with the endpoint but not the product they had before.

                  When consulting at a customer's site, one of their IT team was trialling the product and installed it on a Production server with DNS/DC roles. ?????

                  Anyway, they were having various issues with the domain/DNS etc, so we were brought in. The issue was endpoint. Removing it immediately resolved the problem.

                  I have never come across an AV solution that affects a system out of the box like that.

                  I have seen similar issues since.

                  Symantec AV prior to endpoint were fine.

                  I am sure there is a solution to the issue but I wasn't willing to risk it. It was easier and more cost effective to go with a known, tried and tested AV solution. I have found McAfee to be good when used with ePolicy Orchestrator and having Gold Support. Norman is also worth considering as a lot of AV base their scanning on their products. (so I've heard)



                  • #10
                    Re: Some users cannot log into domain after profile caching disabled

                    I'll echo those thoughts. We used to supply Symantec AV all the time. When Endpoint came we did a handful and instantly regretted it. I don't think anything worked right and god forbid you try to upgrade to a higher maintenance release.

                    Worst problems were the IIS logfiles growing very quickly, the downloaded updates not being cleaned out and sucking up disc space rapidly, major increase in logon times and one SBS domain controller that decided it had enough and threw a wobbler until we took Endpoint off.

                    We've shifted 70 odd clients over to Trend Worry Free with the Worry Free Remote Manager and not looked back.



                    • #11
                      Re: Some users cannot log into domain after profile caching disabled

                      Our licensing is up with Symantec next month. I suggested we 'move on' to something else and we are doing so.

                      Goodbye Symantec!!
