Users Unable to Login or Restart/Shutdown client machines on Domain

    Question

  • Hello Friends,

    Today we are experiencing a very strange issue. Some users are complaining that, while logging on to their machines, they see the following errors:

    1. 'logon failure: the user has not been granted the requested logon type'

    2. 'The signing method you are typing to use is not allowed'

    A few users on the Internet (outside the company network) complained that while logging on to Citrix, they get a Remote Desktop related error.

    Moreover, many users complained in the evening that the options for Sleep, Restart/Shutdown are greyed out on their machines.

    Any help someone can provide?

    Thanks

    Monday, January 16, 2017 7:27 AM

Answers

  • I found a workaround, but it's risky:

    --->>Some users complained that while logging on to the domain-joined Windows machine, they are getting errors such as
    1. 'login failure the user has not been granted the requested logon type'
    2. 'the signing method you are typing to use is not allowed'

    WORKAROUND: Open GPMC on any DC. Right-click 'Default Domain Controller Policy' and choose Edit.
    Navigate to Computer Configuration>Policies>Windows Settings>Local Policies>User Right Assignment policy>. Double-click 'Allow Logon Locally' and add 'domain\Domain Users' to this policy.
    Run GPupdate /force on an affected client computer and try to log in with any normal domain user (non-admin). It will be successful.

    --->>Some users complained that while they were logged on to their machines, the options for 'Lock, Restart, ShutDown or Sleep' were greyed out, hence they were not able to restart or shut down their machines. But a few of them were able to shut down after logging off the machine and clicking the shutdown button that appeared in the bottom right corner.

    WORKAROUND: Open GPMC on any DC. Right-click 'Default Domain Controller Policy' and choose Edit.
    Navigate to Computer Configuration>Policies>Windows Settings>Local Policies>User Right Assignment policy>. Double-click 'Shutdown the System' and add 'domain\Domain Users' to this policy option.
    Run GPupdate /force on an affected client computer and try to log in with any normal domain user (non-admin). It will be successful.

    NOTE: We cannot push a policy update from the DC on demand. The clients fetch the policy update at the default interval of 90 minutes.

    Adding 'domain\Domain Users' to these options may also give normal users access to domain controllers, so please be careful.

    I need to find a stable solution.



    • Marked as answer by SCCm2012User Wednesday, January 18, 2017 10:26 AM
    • Edited by SCCm2012User Wednesday, January 18, 2017 11:43 AM corrections
    Wednesday, January 18, 2017 10:26 AM

All replies

  • It more or less seems to be an issue with GPO. Could you check whether there has been any change in GPO recently? You may consider the cases below and proceed accordingly:

    1: Group Policy's "Allow log on locally" was not set up to allow users or domain users. To allow users or domain users to log on to the computer or domain, you need to add the users or domain users to "Allow log on locally". Please follow these steps to add the users.

    1. Run gpedit.msc.
    2. Expand Computer Configuration\Windows Settings\Security Settings\Local Policies
    3. Click on User Rights Assignment
    4. Ensure that "Allow log on locally" includes Administrators, Backup Operators, Domain Users or Users.

    2: Group Policy's "Deny log on locally" was set up to deny users or domain users. To allow users or domain users to log on to the computer or domain locally, "Deny log on locally" should be empty or have no users or domain users in the list. Please follow these steps to remove the users or domain users from "Deny log on locally".

    1. Run gpedit.msc.
    2. Expand Windows Settings\Security Settings\Local Policies
    3. Click on User Rights Assignment
    4. Ensure that "Deny log on locally" is empty.

    3: The local group policy allows users to log on. However, the domain group policy, which overrides local policy, doesn't allow users to log on locally. The resolution is to modify the domain policy to allow users to log on locally.

    4: The domain policy allows domain users to log on locally, but the local policy doesn't, and the domain policy doesn't apply to the computer. The fix is running gpupdate to force an update of the domain policy.

    5: The firewall blocks the communication between the client and the domain controller. The solution is disabling Norton firewall or re-configuring it to allow access to the domain controller.

    Monday, January 16, 2017 12:18 PM
  • You may want to check the ciphers in use and whether any of them has been updated. Check the GPOs (http://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/) and the registry keys: https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Tuesday, January 17, 2017 1:17 AM
  • Dear Sunny,

    Where should GPedit be run?

    The client machines are on domain and they are under effect of domain default policies.

    The firewall and antivirus configuration is OK

    The current GPO configuration has been running for the past 2 years, and no change regarding it was made recently or before the issue.

    Any suggestions?

    Thanks


    • Edited by SCCm2012User Tuesday, January 17, 2017 9:33 AM more info added
    Tuesday, January 17, 2017 9:26 AM
  • On the client machine.
    Tuesday, January 17, 2017 12:14 PM
  • Hey, let us know if you need any help with your Norton Firewall. I can help.

    Thanks

    Raj

    Norton Support

    Wednesday, January 18, 2017 12:21 AM
  • At last found the Answer:

    It was found that the Default Domain Controller Policy was applied at the 'Domain Controllers' OU as well as at the domain level. So running 'GPresult /r' on an affected client computer showed that under 'Applied Group Policy Objects' both the Default Domain Policy and the Default Domain Controller Policy were applied.

    The domain controller policy is a restrictive policy, used only for domain controllers, and it was applied at the wrong level.

    To resolve this issue:

    The policy edited was 'Default Domain Controller Policy'. It is not required to add 'domain\Domain Users' to this policy, as it is meant for domain controllers only and should be applied to the 'Domain Controllers' OU only.
    Open GPMC on any DC. It was found that 'Default Domain Controller Policy' was applied at the domain.com level as well as on the 'Domain Controllers' OU.
    Now click 'Default Domain Controller Policy' and, in the right-side window, right-click the domain.com link and choose 'Delete Link'.
    Now the 'Default Domain Policy' will be applied from the domain.com level, whereas 'Default Domain Controller Policy' will be applied and effective on the 'Domain Controllers' OU only.
    Log on to a client machine with end user credentials (non-admin). In CMD run RSOP /r or GPResult /r.
    Check that the 'Default Domain Controller Policy' is not applied to the machine.

    Navigate to Computer Configuration>Policies>Windows Settings>Local Policies>User Right Assignment policy>.

    Double-click the following options and remove 'domain\Domain Users' from them:

    a. Allow Log On Locally

    b. Allow log on through Remote Desktop Services

    c. Shut down the system

    Run GPupdate /force on an affected client computer and try to log in with any normal domain user (non-admin). It will be successful.

    The issue is RESOLVED.

    All the clients will get the policy once they sync with the nearest replicated and updated domain controller.

    Thanks a lot guys for all your help and guidance...

    Warm Regards

    Anoop

    Wednesday, January 18, 2017 11:41 AM
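
The root cause found above (the domain controllers policy linked at the domain root as well as on the 'Domain Controllers' OU) can be checked directly in Active Directory. The script below is an added example, not part of the original thread: it lists every domain or OU object whose gPLink references the Default Domain Controllers Policy and flags enabled links outside the Domain Controllers OU. It assumes the RSAT ActiveDirectory module and read access to the domain, and it does not cover site-level links, which live in the configuration partition.

```powershell
# Added example: audit where the Default Domain Controllers Policy is linked.
Import-Module ActiveDirectory

# Well-known GUID of the Default Domain Controllers Policy (identical in every domain).
$ddcpGuid = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'

$domain     = Get-ADDomain
$expectedDn = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=...

# Every domain/OU object whose gPLink attribute references the GPO.
$linked = Get-ADObject -LDAPFilter "(gPLink=*$ddcpGuid*)" `
    -SearchBase $domain.DistinguishedName -SearchScope Subtree -Properties gPLink

$report = foreach ($obj in $linked) {
    # gPLink entries look like [LDAP://cn={GUID},cn=policies,...;<options>]
    # options bit 0 = link disabled, bit 1 = link enforced.
    $pattern = "\[LDAP://cn=$([regex]::Escape($ddcpGuid))[^;\]]*;(\d+)\]"
    $m = [regex]::Match($obj.gPLink, $pattern, 'IgnoreCase')
    if (-not $m.Success) { continue }
    $opt = [int]$m.Groups[1].Value
    [pscustomobject]@{
        LinkedAt   = $obj.DistinguishedName
        Enabled    = -not ($opt -band 1)
        Enforced   = [bool]($opt -band 2)
        Unexpected = ($obj.DistinguishedName -ne $expectedDn)
    }
}

$report | Format-Table -AutoSize

# An enabled link anywhere except the Domain Controllers OU pushes the DC
# user-rights restrictions (logon, shutdown) down to member machines.
$bad = @($report | Where-Object { $_.Unexpected -and $_.Enabled })
if ($bad.Count -gt 0) {
    Write-Warning 'Default Domain Controllers Policy is linked outside the Domain Controllers OU:'
    $bad | ForEach-Object { Write-Warning "  $($_.LinkedAt)" }
} else {
    Write-Output 'Default Domain Controllers Policy is linked only on the Domain Controllers OU.'
}
```

A warning that names the domain root matches the condition described in this thread; after the stray link is deleted in GPMC, the script should report only the Domain Controllers OU.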
  • Hi,
    Great share, and it will be greatly helpful to others who have the same question.
    Appreciate your feedback.
    Best regards,
    Wendy


    Thursday, January 19, 2017 2:36 AM
    Moderator