
"Account restrictions are preventing this user from signing in"


  • "Account restrictions are preventing this user from signing in"

    Hi,

    I have a 2008 R2 DC that has been replicated to a 2012 server.
    When a user tries to log on to a 2012 server connected to the replicated 2012 DC using Remote Desktop, he gets the following error message:

    "Account restrictions are preventing this user from signing in"

    No problems RDP using the admin account though.
    I might as well mention that that user is indeed a part of Domain Admins. Even after adding the user to "Administrators" group he still can't log on.

    Could this be due to the fact that the 2012 DC Domain Functional Level is at 2008 R2 state?

    Thanks,
    X

  • #2
    Re: "Account restrictions are preventing this user from signing in"

    So, to summarise:
    User is logging onto a 2012 member server using RDP
    If authenticated against a 2008R2 DC, they log on
    If authenticated against a 2012 DC, they fail

    Is that correct, or am I misinterpreting your post?
    If so, how are you determining which DC is being used to authenticate?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: "Account restrictions are preventing this user from signing in"

      Originally posted by Ossian:
      So, to summarise:
      User is logging onto a 2012 member server using RDP
      If authenticated against a 2008R2 DC, they log on
      If authenticated against a 2012 DC, they fail

      Is that correct, or am I misinterpreting your post?
      If so, how are you determining which DC is being used to authenticate?

      I haven't checked against the 2008 DC yet.
      Other than that you are correct.

      I determine the DC by the DNS ip in the NIC.



      • #4
        Re: "Account restrictions are preventing this user from signing in"

        DNS won't give you the actual DC used to authenticate -- check the logonserver environment variable as per http://social.technet.microsoft.com/...on-on-a-server
        Tom Jones


        • #5
          Re: "Account restrictions are preventing this user from signing in"

          Originally posted by Ossian:
          DNS won't give you the actual DC used to authenticate -- check the logonserver environment variable as per http://social.technet.microsoft.com/...on-on-a-server

          OMG.
          I just ran nltest /DSGETDC:<domainname>
          and received that the authenticating server was the 2008 one!

          How do I change this? It has to be something with Sites and Services, no?

          Thanks!



          • #6
            Re: "Account restrictions are preventing this user from signing in"

            In a site, all DCs will respond equally but you can go into the SRV records (in DNS) and change the weighting of individual DCs - this does not guarantee a logon against one DC, but will encourage it.

            Alternatively, for testing, you can shut down other DCs
            Tom Jones


            • #7
              Re: "Account restrictions are preventing this user from signing in"

              What if I simply want to fix this first other than change the authenticating server?



              • #8
                Re: "Account restrictions are preventing this user from signing in"

                Small update:

                I've cut off the communication between 2012 DC from the 2008 DC and now the authentication goes perfectly fine.

                I won't be able to keep it this way obviously.
                Is there a way to force users connecting to my 2012 environment to authenticate with the 2012 DC?

                Thanks!



                • #9
                  Re: "Account restrictions are preventing this user from signing in"

                  You could set priority and weight on your SRV records:
                  http://www.minasi.com/forum/topic.asp?TOPIC_ID=9334
                  This would encourage a specific DC, but not enforce it.
                  Tom Jones


                  • #10
                    Re: "Account restrictions are preventing this user from signing in"

                    This is strange...

                    Looking on the DNS each site has its own SRV records...but they all have the same priorities and weights.
                    What makes this go to my 2k8 DC after all then?



                    • #11
                      Re: "Account restrictions are preventing this user from signing in"

                      Sites....sites....? First I knew of sites in your environment.

                      OK, authentication will take place in the local site if possible (weighted by SRV records) then against other sites using site connection cost.
                      Can you give a quick show'n'tell on your topography?

                      Perhaps we need to get back to the original problem -- I would not expect differences in access by type of DC, but clearly this is affecting things
                      Tom Jones


                      • #12
                        Re: "Account restrictions are preventing this user from signing in"

                        Sorry if I wasn't clear enough the first time

                        I'll give you all you need to help me out because as you can see I'm quite lost.

                        2 sites connected with IPSEC VPN.

                        2 different sets of subnets.

                        1 is a collection of 2k8 servers and is where my main DC resides.

                        2 is newly established 2012 collection of servers.

                        What else?



                        • #13
                          Re: "Account restrictions are preventing this user from signing in"

                          Well, I think I solved it

                          I was missing some subnets under "Sites and Services".

                          After a quick restart everything now seems in order.

                          Much appreciated my friend!

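The thread ended with subnets missing under "Sites and Services". As an added example (not part of the original thread), this PowerShell check takes a list of subnet-to-site mappings and reports which site each client address falls into, flagging addresses that no subnet covers. The function names, site names, subnets and client addresses are constructed for illustration.

```powershell
# Added example with constructed data (IPv4 only). In a live domain, build the
# list from the ActiveDirectory module instead of the literals below:
#   Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
# Name is the subnet in CIDR form; Site identifies the site it is linked to.

function ConvertTo-IPv4Number {          # hypothetical helper
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)             # network byte order -> little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Find-SiteForAddress {           # hypothetical helper
    param([string]$Address, [object[]]$Subnets)
    $ip = ConvertTo-IPv4Number $Address
    $Subnets | ForEach-Object {
        $network, $prefix = $_.Name -split '/'
        # Netmask for the prefix length, e.g. /24 -> 0xFFFFFF00
        $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
        if (($ip -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask)) {
            [pscustomobject]@{ Subnet = $_.Name; Site = $_.Site; Prefix = [int]$prefix }
        }
    } | Sort-Object Prefix -Descending | Select-Object -First 1   # most specific match
}

# Constructed sample: the 2012 site has only one of its two subnets defined.
$subnets = @(
    [pscustomobject]@{ Name = '10.10.0.0/16'; Site = 'Site-2008' }
    [pscustomobject]@{ Name = '10.20.1.0/24'; Site = 'Site-2012' }
)
$clients = '10.10.4.15', '10.20.1.30', '10.20.2.30'

foreach ($client in $clients) {
    $hit = Find-SiteForAddress -Address $client -Subnets $subnets
    if ($hit) {
        '{0,-12} -> {1} ({2})' -f $client, $hit.Site, $hit.Subnet
    } else {
        # No subnet object covers this address, so it is not mapped to any site.
        '{0,-12} -> NO SUBNET DEFINED' -f $client
    }
}
```

On a domain member, `nltest /dsgetsite` shows the site the machine currently resolves to, which can be compared with the result above.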