the sign-in method you're trying to use isn't allowed

  • the sign-in method you're trying to use isn't allowed

    When I'm on my DC 1 and try to log in as a user, it says "the sign-in method you're trying to use isn't allowed". I granted access in the NPS and made changes to the properties of the user so it has access to DC 1, but it still says "the sign-in method you're trying to use isn't allowed".

  • #2
    I believe (could be very wrong!) that normal user accounts can't log on to a DC, period. You don't want users ever having access to your DC, because if they log in, the installed tools for Active Directory are there to be used. However well-intentioned anyone may be, monkey curiosity will out and accidents can happen.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

    Comment


    • #3
      FOUND IT, had to do some shit but I managed to figure it out

      Comment


      • #4
        Originally posted by wijnand:
        "FOUND IT, had to do some shit but I managed to figure it out"
        What was your solution? Could you share it so that others who have the same question can benefit? Thanks!
        A recent poll suggests that 6 out of 7 dwarfs are not happy

        Comment


        • #5
          I know this is almost 3 years late, but I hope it helps someone.

          I think I got one of the nastiest versions of this problem. Upgraded from SBS2k3 to Server 2012std (non-R2) DC and did away with the old DC over 2 years ago. One user at that company updates their software on the server and had been able to sign in locally until recently (that was our first mistake). She was in the allow logon locally and not in the deny logon locally. It was very frustrating and took about 2.5 hours to resolve for me. In the end, here's what worked:

          1. Disabled the allow logon locally and deny logon locally in group policy, which enabled the button to add from the local security policy.
          2. Opened the local security policy editor and defined them there (yes this was on a DC, SMH)

          Then it worked fine. I noticed, after creating a new GPO (didn't help) with the same settings and enforcing, that the GPO "Default Domain Controllers.." still took precedence after checking in RSOP. So I gave up on the new GPO suggested by another board. Then I noticed that the same policy settings in local security policy editor were different than what the GPO was telling it to do. That's when I gave up on the GPO. Once I disabled the Allow Logon Locally and Deny Logon Locally settings in the GPO, the add users button was no longer grayed out on the same settings in the local security policy editor on the DC. Then I was able to manipulate the local security policy. Here's a couple of things I noticed that probably led to this.

          1. Someone had been jacking with policies trying to deny logons to users. There's no excuse for this.
          2. There's obviously a bug here. Local security policies should always reflect the GPO settings that take precedence. In this case, RSOP and secpol.msc were in conflict.


          Comment
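
          A read-only way to check the RSOP versus secpol.msc mismatch described in post #5, comparing the two logon rights as the DC enforces them with what the Default Domain Controllers Policy stores. This is an added example, not code from the thread; it assumes an elevated PowerShell session on the DC and that the Default Domain Controllers Policy still uses its well-known GUID.

          ```powershell
          # Added example. Run elevated on the DC. Read-only: it exports and compares, changes nothing.
          $rights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'   # Allow / Deny log on locally

          function Get-UserRightsFromInf {
              param([Parameter(Mandatory)][string]$Path)
              $table = @{}
              foreach ($line in Get-Content -LiteralPath $Path) {
                  if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                      $name = $Matches[1]; $value = $Matches[2]
                      $table[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
                  }
              }
              $table
          }

          function Resolve-Principal {
              param([string]$Entry)
              # INF files store principals as *S-1-...; entries without the asterisk are plain names.
              if ($Entry -match '^\*(S-1-[0-9-]+)$') {
                  $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
                  try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                  catch { "$($sid.Value) (unresolved)" }
              } else { $Entry }
          }

          # 1. What this machine enforces (the values secpol.msc displays).
          $export = Join-Path $env:TEMP 'dc-user-rights.inf'
          secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
          $effective = Get-UserRightsFromInf -Path $export

          # 2. What the Default Domain Controllers Policy stores in SYSVOL (well-known GPO GUID).
          $domain  = (Get-CimInstance Win32_ComputerSystem).Domain
          $gptPath = "\\$domain\SYSVOL\$domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}" +
                     '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
          $fromGpo = Get-UserRightsFromInf -Path $gptPath

          foreach ($r in $rights) {
              $e = (@($effective[$r]) | Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ } | Sort-Object) -join '; '
              $g = (@($fromGpo[$r])   | Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ } | Sort-Object) -join '; '
              [pscustomobject]@{ Right = $r; Effective = $e; DefaultDCPolicy = $g; Match = ($e -eq $g) }
          }
          Remove-Item -LiteralPath $export
          ```

          A `Match` of `False` is a prompt to look further, not proof of a fault: another GPO linked to the Domain Controllers OU may be supplying the right, or the template may hold a bare account name where the export holds a SID.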


          • #6
            Thanks for the update, but the idea of users in general being able to log into a DC for everyday use is ordinarily considered a very bad idea. I believe that the default condition in a domain is to deny interactive user logons to enforce that security principle. So there is an excuse for it, however inappropriate you may feel that to be in your environment.
            *RicklesP*
            MSCA (2003/XP), Security+, CCNA

            ** Remember: credit where credit is due, and reputation points as appropriate **

            Comment
