Domain Admin locked out of local logon

    Question

  • I have a customer we just took over for. They have an existing issue where the domain administrator cannot log in locally to the DC. I've looked through all their GPOs and cannot find any instance of the domain admin groups specially being denied this right. In fact, it says right in the DC GPO that domain admins have the right to log in locally, yet I can't seem to log in. Remote desktop works fine and that is how I've been accessing their DC, but I cannot find an answer to this problem. Any ideas?

    Thursday, February 05, 2015 9:46 PM

Answers

All replies

  • > domain administrator cannot log in locally to the DC.
     
    What error message do they get?
     

    Martin

    Ever read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Friday, February 06, 2015 7:56 AM
  • Hi,

    Please post an RSoP output for the affected user(s).


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Friday, February 06, 2015 10:18 AM
  • "You can not log on because the method you are using is not allowed on this computer."

    Friday, February 06, 2015 6:51 PM
  • Policy | Computer Setting | Source GPO
    Access Credential Manager as a trusted caller | Not Defined |
    Access this computer from the network | kcengr\IWAM_DELL-OFV7446Y6N,Everyone,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,Authenticated Users,ENTERPRISE DOMAIN CONTROLLERS,Pre-Windows 2000 Compatible Access,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
    Act as part of the operating system | kcengr\bkupexec | Default Domain Controllers Policy
    Add workstations to domain | Authenticated Users | Default Domain Controllers Policy
    Adjust memory quotas for a process | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,Administrators,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
    Allow log on locally | kcengr\IUSR_DELL-OFV7446Y6N,Administrators,Backup Operators,Account Operators,Server Operators,Print Operators,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG | Default Domain Controllers Policy
    Allow log on through Remote Desktop Services | Not Defined |
    Back up files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
    Bypass traverse checking | NT SERVICE\MSSQL$SCANMAIL,Everyone,Administrators,Authenticated Users,Pre-Windows 2000 Compatible Access,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
    Change the system time | Administrators,Server Operators,LOCAL SERVICE | Default Domain Controllers Policy
    Change the time zone | Not Defined |
    Create a pagefile | Administrators | Default Domain Controllers Policy
    Create a token object | kcengr\bkupexec | Default Domain Controllers Policy
    Create global objects | Not Defined |
    Create permanent shared objects | | Default Domain Controllers Policy
    Create symbolic links | Not Defined |
    Debug programs | Administrators | Default Domain Controllers Policy
    Deny access to this computer from the network | kcengr\SUPPORT_388945a0 | Default Domain Controllers Policy
    Deny log on as a batch job | | Default Domain Controllers Policy
    Deny log on as a service | | Default Domain Controllers Policy
    Deny log on locally | kcengr\SBS Remote Operators,kcengr\SUPPORT_388945a0,kcengr\SBS STS Worker | Default Domain Controllers Policy
    Deny log on through Remote Desktop Services | Not Defined |
    Enable computer and user accounts to be trusted for delegation | Administrators | Default Domain Controllers Policy
    Force shutdown from a remote system | Administrators,Server Operators | Default Domain Controllers Policy
    Generate security audits | LOCAL SERVICE,NETWORK SERVICE,IIS APPPOOL\Classic .NET AppPool,IIS APPPOOL\DefaultAppPool | Default Domain Controllers Policy
    Impersonate a client after authentication | Not Defined |
    Increase a process working set | Not Defined |
    Increase scheduling priority | Administrators | Default Domain Controllers Policy
    Load and unload device drivers | Administrators,Print Operators | Default Domain Controllers Policy
    Lock pages in memory | | Default Domain Controllers Policy
    Log on as a batch job | kcengr\bkupexec,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IWAM_DELL-OFV7446Y6N,kcengr\IIS_WPG,kcengr\SUPPORT_388945a0,kcengr\IUSR_DELL-OFV7446Y6N,kcengr\IIS_WPG,IIS_IUSRS | Default Domain Controllers Policy
    Log on as a service | kcengr\Administrator,NT SERVICE\MSSQL$SCANMAIL,kcengr\SQLServer2005SQLBrowserUser$KC01,IIS APPPOOL\Classic .NET AppPool,kcengr\bkupexec,NETWORK SERVICE,IIS APPPOOL\DefaultAppPool,SYSTEM,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
    Manage auditing and security log | kcengr\Exchange Servers,kcengr\Exchange Enterprise Servers,Administrators | Default Domain Controllers Policy
    Modify an object label | Not Defined |
    Modify firmware environment values | Administrators | Default Domain Controllers Policy
    Perform volume maintenance tasks | Not Defined |
    Profile single process | Administrators | Default Domain Controllers Policy
    Profile system performance | Administrators | Default Domain Controllers Policy
    Remove computer from docking station | Administrators | Default Domain Controllers Policy
    Replace a process level token | NT SERVICE\MSSQL$SCANMAIL,IIS APPPOOL\Classic .NET AppPool,kcengr\IWAM_DELL-OFV7446Y6N,LOCAL SERVICE,NETWORK SERVICE,kcengr\IWAM_DELL-OFV7446Y6N,IIS APPPOOL\DefaultAppPool,NT SERVICE\SQLAgent$SCANMAIL | Default Domain Controllers Policy
    Restore files and directories | Administrators,Backup Operators,Server Operators | Default Domain Controllers Policy
    Shut down the system | Administrators,Backup Operators,Server Operators,Print Operators,SYSTEM | Default Domain Controllers Policy
    Synchronize directory service data | | Default Domain Controllers Policy
    Take ownership of files or other objects | Administrators | Default Domain Controllers Policy

    I am using the domain administrator account to try and log on locally, and I cannot see a reason within the DC's GP why it would be prevented.

    Friday, February 06, 2015 6:56 PM
  • On 06.02.2015 at 19:56, ph533 wrote:
    > Deny log on locally kcengr\SBS Remote
    > Operators,kcengr\SUPPORT_388945a0,kcengr\SBS STS Worker
     
    Check membership in these groups...
     
    dsquery group -samid "domain admins" | dsget group -memberof -expand
     

    Martin

    Ever read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 09, 2015 9:34 AM
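As an added example (not code from the thread or from either poster), the membership check Martin suggests carried through in PowerShell: it exports the user rights that are actually in effect on the DC with secedit, resolves the "Allow log on locally" and "Deny log on locally" entries to SIDs, and intersects both with the account's nested domain group memberships, since a single hit in the deny list overrides every allow entry. It assumes the account name Administrator and the RSAT ActiveDirectory module on the DC.

```powershell
# Added example: find which "Allow log on locally" / "Deny log on locally"
# entries apply to one account through nested group membership.
# Assumptions: run elevated on the DC, RSAT ActiveDirectory module present,
# account name defaults to Administrator (change via -SamAccountName).
param([string]$SamAccountName = 'Administrator')

Import-Module ActiveDirectory
$inf = Join-Path $env:TEMP 'user-rights.inf'
# Exports the effective user rights assignment to a Unicode .inf file.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Get-RightSids([string]$Right) {
    # Under [Privilege Rights] secedit writes "SeXxxRight = *S-1-5-...,*S-1-5-...".
    # Entries prefixed with * are SIDs; anything else is a name to translate.
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    foreach ($v in (($line -split '=', 2)[1].Trim() -split ',')) {
        $v = $v.Trim()
        if ($v.StartsWith('*')) { $v.Substring(1) }
        elseif ($v) { (New-Object Security.Principal.NTAccount($v)).Translate([Security.Principal.SecurityIdentifier]).Value }
    }
}

$user = Get-ADUser $SamAccountName
# LDAP_MATCHING_RULE_IN_CHAIN expands nested group membership server-side,
# including Builtin groups such as Administrators on the DC.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$userSids = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })

$allow = Get-RightSids 'SeInteractiveLogonRight'
$deny  = Get-RightSids 'SeDenyInteractiveLogonRight'

function Show-Matches([string]$Label, [string[]]$RightSids) {
    foreach ($sid in ($RightSids | Where-Object { $userSids -contains $_ })) {
        try { $name = (New-Object Security.Principal.SecurityIdentifier($sid)).Translate([Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        '{0}: {1}' -f $Label, $name
    }
}
Show-Matches 'ALLOW via' $allow
Show-Matches 'DENY via'  $deny
```

Any line printed under "DENY via" names the group that blocks the local logon regardless of what the allow list says; well-known identities such as Everyone or Authenticated Users are not domain objects and are not covered by the membership query.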