Active Directory User is logged off immediately after logging on

    Question

  • I'm testing a Windows Server 2008 R2 installation at home and have just set up the DNS, DHCP and Active Directory.

    I added one of my Windows 7 workstations to the domain successfully, and was able to log on using the default domain administrator account that is created when you first set up the server. I then proceeded to add a user to the AD for the same workstation.

    The problem is when I try to log-on using the new user I created in the AD, it appears to authenticate the user, because for a split second I see loading profile or similar, but then it kicks back to saying "logging off", and puts me right back at the Ctrl-Alt-Del window.

    I have deleted the user, recreated it, and tried a different username with the same results. So why is the domain administrator able to log on successfully to the workstation but any user I create in Active Directory forces a log-off immediately after attempting to log on?

    Thanks

    Mike

    Monday, May 20, 2013 5:11 PM

All replies

  • Hello Modify_inc,
    I suggest starting your investigation from Event Viewer: log on with the Administrator account and look at the Errors/Warnings in both the Application and System logs.

    Then I suggest reading these articles:

    Bye,
    Luca


    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. | Whenever you see a helpful reply, click on "Vote As Helpful" & click on "Mark As Answer" if a post answers your question.

    Tuesday, May 21, 2013 1:01 PM
  • Thanks, I will check out that link.

    In the meantime I tried another workstation, and I was able to successfully log on using the newly created username in the AD, so that leads me to believe it must be something with the other workstation that is causing it to log off immediately after logging on.

    This being the first time I added a user, I wasn't sure if I was doing something wrong.

    Thanks

    Tuesday, May 21, 2013 2:16 PM
  • Hi Mike,


    I agree that something may be wrong with the first workstation you mentioned.


    Based on the information, I suggest running gpedit.msc on that workstation, navigating to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow Log on locally, and checking whether the Users group is listed in this policy setting.


    Hope this helps.


    Jeremy Wu
    TechNet Community Support

    Wednesday, May 22, 2013 6:51 AM
    Moderator
  • I tried the suggestion at the link mentioned earlier, but the Winlogon was set correctly already.

    I checked the Local Policies and the Allow Log on Locally had the Users group listed along with __Vmware__, Administrators, Backup Operators, and Guest.

    I will continue to test, though I still do not understand why the administrator of the DC can log on locally without issue, yet any other account created in the AD fails.

    Thursday, May 23, 2013 2:00 AM
  • These are the events that are logged directly after attempting to log on:

    4:48:40 PM Event 6006 - The winlogon notification subscriber <Profiles> took 278 second(s) to handle the notification event (Logon).

    4:48:40 PM Event 1542 - Windows cannot load classes registry file. DETAIL - The system cannot find the file specified.

      (The event 1542 is shown twice)

    4:49:40 PM Event 6005 - The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (EndShell).

    4:52:56 PM Event 6006 - The winlogon notification subscriber <GPClient> took 256 second(s) to handle the notification event (EndShell).

    4:52:57 PM Event 6000 - The winlogon notification subscriber <Wlansvc> was unavailable to handle a notification event.

    4:54:33 PM Event 4101 - Windows license validated.

    Under System:

    4:52:56 PM Event 1053 - The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

    4:52:56 PM Event 7036 - The Portable Device Enumerator Service service entered the running state.

    4:52:57 PM Event 7002 - User Logoff Notification for Customer Experience Improvement Program

    I assume Event 7002 is when the logoff is triggered.

    Any suggestions?



    • Edited by Modify_inc Thursday, May 23, 2013 9:14 PM Added System Event Logs
    Thursday, May 23, 2013 9:06 PM
  • Hello Modify_inc,
    I suggest starting the investigation from Event 1053, if you have not already: TechNet Library article Event ID 1053 — Group Policy Preprocessing (Security).

    About the Events 6005 and 6006: Microsoft Support KB 976399 - FIX: You cannot apply Group Policy settings on a computer that is running Windows 7 or Windows Server 2008 R2 when security group filters are used in Group Policy preference settings.

    Bye,
    Luca



    Thursday, May 23, 2013 10:01 PM
  • I've noticed that sometimes when I ping the DC by the domain name or the computer name, it replies with my WAN IP address instead of the static IP address I have assigned to the DC. Is that normal?

    I ask because, sometimes when I ping the DC by the computer name, it will reply with the DC's actual IP address (although very rarely) and when it does, I can successfully execute the gpupdate from the Windows 7 workstation, without it failing.

    It seems to fail the Group Policy update when the WAN IP address is displayed.

    Just curious if that might play a part in all of this.

    I have noticed the internet has been acting odd since I set up the DC. It works most of the time, but at times, some of my devices report that DNS failed, yet I can try again and it will pass. I have also noticed some websites out of the blue will take forever to load, and then when they do, it is only text, with no graphics or icons. I can try the same website again in a few minutes and it's back to normal.

    Thanks


    • Edited by Modify_inc Friday, May 24, 2013 12:32 AM
    Friday, May 24, 2013 12:32 AM
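
A per-resolver version of the ping check described in the post above, as an added example that is not part of the original thread: it asks each DNS server configured on the workstation for the DC's address and for the domain's DC-locator SRV record, and flags any server that answers with a non-private address. `dc01.example.local` and `example.local` are placeholder names, and the script assumes the DC sits on an RFC 1918 address and that nslookup prints English output.

```powershell
# Added example, not from the thread. Works on Windows 7 / PowerShell 2.0.
# Placeholder names (assumptions): replace with your own DC and AD DNS domain.
$DcName     = 'dc01.example.local'
$DomainName = 'example.local'

# DNS servers configured on every IP-enabled adapter of this workstation.
$servers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder } |
    Where-Object { $_ } |
    Select-Object -Unique

function Test-PrivateIPv4 ([string]$Address) {
    # RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

$ipv4 = [regex]'\b(?:\d{1,3}\.){3}\d{1,3}\b'

foreach ($server in $servers) {
    # Ask this specific resolver for the DC's A record.
    $aOut  = (nslookup -type=A $DcName $server 2>$null) -join "`n"
    $found = @($ipv4.Matches($aOut) | ForEach-Object { $_.Value })

    # The first IPv4 address nslookup prints is the resolver itself;
    # anything after it is an answer. No answers means the lookup failed.
    $answers = @($found | Select-Object -Skip 1)

    # Domain members find DCs through this SRV record in the AD DNS zone.
    # Assumption: English nslookup output ("svr hostname = ...").
    $srvOut = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" $server 2>$null) -join "`n"
    $hasSrv = $srvOut -match 'svr hostname'

    New-Object PSObject -Property @{
        DnsServer        = $server
        DcAnswers        = $answers -join ', '
        NonPrivateAnswer = [bool]($answers | Where-Object { -not (Test-PrivateIPv4 $_) })
        DcLocatorSrv     = $hasSrv
    } | Select-Object DnsServer, DcAnswers, NonPrivateAnswer, DcLocatorSrv
}
```

A row with `NonPrivateAnswer = True` or `DcLocatorSrv = False` identifies a configured resolver that does not serve the AD zone.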
  • That means the computer account was not in your AD. So create an account for your computer in the AD machine.
    Friday, August 16, 2013 5:40 AM
  • Hi!

    It may be a hard disk issue: bad sectors on your disk preventing the profile from loading.

    Run chkdsk /r to detect and fix bad sectors in that computer.

    -VKp

    Friday, August 16, 2013 5:47 AM