Domain Admin account not able to login to a Domain Machine

  • Question

  • I am having a strange issue. We are running several Windows 2003 and 2008 servers with Active Directory. I am able to login to all of the servers with the Domain administrator's account without issue. When I try to login to a domain computer with the Admin Domain account it states that the username or password is incorrect. I have removed the machine from the domain, which required the domain admin username and password, which worked fine, and re-added it to the domain without issue. I then rebooted the machine and I was still unable to login to the machine with the Domain admin account. I was still able to login to the machine with other accounts. What could be causing this and is there a way to fix it?

    Further info, I am able to RDP into any of the servers using the domain admin account, and I can also access all network shares using this account.

    Monday, March 19, 2012 4:26 PM

All replies

  • What error message are you getting?  Please post the actual error message here.


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    This posting is provided AS IS with no warranties, and confers no rights.

    Monday, March 19, 2012 4:34 PM
  • I guess there are some settings with the allow logon locally setting on the computer applied via GPO or script to deny domain admin logon. You can use gpresult /z or rsop.msc to verify. If this is not the case, it might be a corrupt profile issue.

    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, March 19, 2012 4:36 PM
  • You are not able to login to server with domain admin account. Please let us know which admin login (built-in) or manually created admin id. Are you facing this issue on multiple servers/workstations?

    It seems that you are not able to login to Win7 or Win2008 Server. Ensure that you are using the correct domain while logging in. Try this: domainname\username. Most of the time this message occurs on Win7\Win2k8 if the domain is not selected correctly.

    If you are facing the issue with a single server/WS it could be due to a corrupted profile. Rename the admin profile from another admin login and try to login with admin and see how it works; this will create a new profile. Once you are logged in, copy the data from the old profile to the new profile and configure the required settings (Outlook, proxy settings, mapped drives/printers, etc.).

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Monday, March 19, 2012 4:59 PM
  • Hello,

    It sounds to me that you use restricted groups with GPO settings for the client machines and have removed the administrator account from this.

    Please check the GPOs applied on a client with rsop.msc under the computer configuration part, windows settings, security settings, restricted groups.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, March 20, 2012 7:33 AM
  • Thanks everybody, none of these seem to be the issue. It is on all 400 of our classroom machines. It started yesterday after losing air conditioning in our server room; everything was still running after a weekend of 100+ temperatures in the closet. We shut down all of our servers, got the room temp under control and then brought the servers back up. There is no group policy that prevents this, we are using the built-in administrator account, I checked rsop for a restricted group, and the most telling thing is that the administrator account worked on all 400 machines on Friday and I am the only one that makes changes on our servers and have made none.
    Tuesday, March 20, 2012 12:33 PM
  • Hello,

    which user accounts/security groups are listed in the local machines administrators security group?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, March 20, 2012 12:48 PM
  • The local machine administrators group has;

    Administrator

    cs-admin

    ilisadmin

    student

    temp

    then an account that must not have resolved, s-1-5-21-1482476501------------

    Tuesday, March 20, 2012 12:55 PM
  • Hello,

    there is no domain account listed, neither domain admins or any other. It should look like:

    Administrator

    DOMAIN\Administrator

    DOMAIN\Domain Admins

    So something seems to be changed, either with GPO or manual.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, March 20, 2012 1:02 PM
  • Ok, that appears to be it, when I added the Domain/administrator account to the local machine admin group the s-1---- account changed to the Domain/Domain Admins account. The problem is that this only fixes it on one machine, how can I resolve this for all of them, and why would Windows lose that account and give it the s-1-5-21----- designation, as we have made no changes, other than rebooting?
    Tuesday, March 20, 2012 1:10 PM
  • I agree with Meinolf. This does not look like a default list of accounts in the local administrators group.

    So you're saying there are absolutely no GPOs whatsoever affecting local groups on your workstations?

    For example, how did cs-admin, ilisadmin, student and temp get in the list? Did you manually add them each time you joined a machine, or are they being populated by a Restricted Groups GPO?

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, March 20, 2012 1:11 PM
  • Ok, that appears to be it, when I added the Domain/administrator account to the local machine admin group the s-1---- account changed to the Domain/Domain Admins account. The problem is that this only fixes it on one machine, how can I resolve this for all of them, and why would Windows lose that account and give it the s-1-5-21----- designation, as we have made no changes, other than rebooting?

    Hello,

    now you can start using the restricted groups with GPO, see for details: http://www.frickelsoft.net/blog/?p=13


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, March 20, 2012 1:16 PM
  • Ok, after adding the Domain/administrator and having Domain/Domain admin I am still unable to login using the domain/administrator account.

    Yes all of these users are being added manually at the time we create the image for our classroom builds. There are GPO's but they do not have Restricted Groups.

    Tuesday, March 20, 2012 1:17 PM
  • Hello,

    which exact error message do you get?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, March 20, 2012 1:20 PM
  • So apparently the unresolved SID is the domain admin. It really shouldn't lose that account in the list, even if the DCs are not available.

    There seems to be something else going on. Can you post an unedited ipconfig /all from a sample workstation and from two of your DCs, as well as any event log errors on the workstation and DCs, please?

    .

    In addition, here is some info on Restricted Groups, where you can control this centrally through a GPO.

    .

    In AD, create an OU, or just identify what OU you want to use that all computers are in that you want to add a Help Desk group to the local administrators group.
    In AD, create a group and call it Help Desk Group
    Create a GPO.
    Right click the GPO, choose Edit.
    Drill down expanding Computer Configuration, Policies, Windows Settings,  Security Settings. You should see "Restricted Groups" node under Security Settings.
    Right Click Restricted Groups, choose Add Group.
    Type in "Administrators" (plural and without the quotes),  Click on OK
    In the next Window that comes up, on the bottom portion, click Add, and type in or browse for the Help Desk Group you created in the second step above.

    Note:
    We don't want to add users or other groups in the group we just added, rather we want to add this group to the local Administrators group on our client machines, with the steps outlined above using the bottom portion.

    Now to take this further, if we were to inadvertently select "Add" to the "Members of this group" in the upper portion of the box, (such as erroneously selecting the upper box in the next steps), it would be a wipe/replace action. That's good to wipe out anything else in the groups on all machines, such as if all users at one time or other had access to their local machines and left it a mess. I don't usually see this too often. Plus, if you were to unlink this GPO when you no longer want it, such as when it becomes out of scope of what you need, then what happens, it will essentially wipe and leave the local administrators group empty on all machines, which will of course cause dire consequences. Therefore, we will configure it to add to the current list of members on the Local Administrators group on all machines without touching the current list of members by using the following steps.


    Click on Add next to “This group is member of” (the bottom portion of the Windows).
    Type in Administrators.
    Click on Apply.
    Click on Ok to close the window.
    Close the GPO Edit console.

    This results in adding our Help Desk Group into the "Local Administrators" group of all machines that are in the OU this GPO is linked to. If there are any other existing members in the Local Administrators group, they won't be touched - it simply adds our group.

    Link the GPO to the OU you created above.
    Move a test computer to the OU.
    Add a test user to the Help Desk Group.
    Logon as a Domain Administrator on the test machine.
    Run gpupdate /force (to force a GPO refresh).
    Log the Domain Administrator off.
    Logon as the Test user account.
    In the workstation's Computer Management console, look at the Local Administrators Groups. You should see Domain\Help Desk Group as a member. Notice that the group is grayed out, meaning that the policy is controlling it and it can't be manually removed. They will show up as grayed out, meaning the policy is working.
    Also notice that you can add other objects to the group.
    You're done!


    ------
    Related Links:

    Using Restricted Groups
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

    Restricted groups are made for that:
    http://www.frickelsoft.net/blog/?p=13


    ------
    You can also use Group Policy Preferences:

    You can take advantage of the Local Users and Groups settings of Group
    Policy Preferences, which gives you an option to add the current user to an
    arbitrary local group (including local Administrators). For more info, refer
    to:

    Local Users and Groups Extension
    http://technet.microsoft.com/en-us/library/cc731972.aspx 

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, March 20, 2012 1:21 PM
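
An added example, not part of the original thread or any poster's code: a PowerShell function that audits the local Administrators group on many machines. It covers both the membership comparison earlier in the thread (an entry shown only as an S-1-5-21-… SID, no DOMAIN\Domain Admins) and a check that the Restricted Groups procedure above took effect. The function name, its parameters and the machine-list file are assumptions; it needs PowerShell 3.0 or later where it runs and administrative access to each target.

```powershell
# Added example, not from the thread. Reads membership through the ADSI WinNT
# provider, so it needs admin rights and RPC/SMB reachability to each target.
function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        # Domain SID without a RID. Placeholder form: 'S-1-5-21-<domain-id>'.
        [Parameter(Mandatory = $true)] [string]   $DomainSid,
        # Well-known domain RIDs to require: 512 = Domain Admins.
        # Add 500 to also require DOMAIN\Administrator.
        [int[]]    $ExpectedRid  = @(512),
        # Optional extra members to require, e.g. 'DOMAIN\Help Desk Group'.
        [string[]] $ExpectedName = @()
    )

    $expectedSid = @{}
    foreach ($rid in $ExpectedRid) { $expectedSid["$DomainSid-$rid"] = "domain RID $rid" }

    foreach ($computer in $ComputerName) {
        try {
            $group   = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($group.Invoke('Members'))
        } catch {
            [pscustomobject]@{ Computer = $computer; Finding = 'Unreachable'
                               Member = ''; Detail = $_.Exception.Message }
            continue
        }

        $seenSid = @{}; $seenName = @{}; $problems = 0
        foreach ($m in $members) {
            $t    = $m.GetType()
            $name = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $path = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)

            # A member the machine cannot resolve is listed by its SID string.
            $unresolved = $name -match '^S-1-'
            if ($unresolved) {
                $sid = $name.ToUpper()
            } else {
                $raw = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
                $sid = (New-Object System.Security.Principal.SecurityIdentifier `
                            -ArgumentList ([byte[]]$raw), 0).Value
            }
            $account = ($path -replace '^WinNT://', '') -replace '/', '\'
            $seenSid[$sid] = $true; $seenName[$account] = $true

            if ($unresolved) {
                $problems++
                $what = 'unknown principal'
                if ($expectedSid.ContainsKey($sid)) { $what = $expectedSid[$sid] }
                [pscustomobject]@{ Computer = $computer; Finding = 'UnresolvedSid'
                                   Member = $sid; Detail = "SID belongs to: $what" }
            }
        }

        # Expected domain principals that are absent even as a raw SID.
        $missing  = @($expectedSid.Keys | Where-Object { -not $seenSid.ContainsKey($_) })
        $missing += @($ExpectedName     | Where-Object { -not $seenName.ContainsKey($_) })
        foreach ($item in $missing) {
            $problems++
            [pscustomobject]@{ Computer = $computer; Finding = 'MissingExpected'
                               Member = $item; Detail = 'not in local Administrators' }
        }
        if ($problems -eq 0) {
            [pscustomobject]@{ Computer = $computer; Finding = 'OK'
                               Member = ''; Detail = "$($members.Count) members" }
        }
    }
}

# Usage (machine list file and SID are placeholders):
# Get-LocalAdminAudit -ComputerName (Get-Content .\machines.txt) `
#     -DomainSid 'S-1-5-21-<domain-id>' | Format-Table -AutoSize
```

An `UnresolvedSid` row whose detail names an expected RID means the group entry is intact and only name resolution against a domain controller is failing on that machine.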
  • Hi Meinolf,

       When I try to login with that account I get the message ;

         "The user name or password is incorrect"

    Hi Ace,

    This is the Ipconfig /all off of one lab machine, the one I am currently on;

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : OFFICETEST
       Primary Dns Suffix  . . . . . . . : DNS.ILISLABS.EDU
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : DNS.ILISLABS.EDU

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : DNS.ILISLABS.EDU
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 7C-6D-62-8D-1A-D7
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.111.20.180(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Lease Obtained. . . . . . . . . . : Monday, March 19, 2012 11:06:04 AM
       Lease Expires . . . . . . . . . . : Wednesday, March 21, 2012 11:06:04 A
       Default Gateway . . . . . . . . . : 10.111.20.1
       DHCP Server . . . . . . . . . . . : 10.111.20.14
       DNS Servers . . . . . . . . . . . : 172.18.181.226
                                           10.1.6.20
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.DNS.ILISLABS.EDU:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : DNS.ILISLABS.EDU
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    This is from one DC;

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : ILISFS05
       Primary Dns Suffix  . . . . . . . : DNS.ILISLABS.EDU
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : DNS.ILISLABS.EDU

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-15-60-0F-71-60
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.18.181.226(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 172.18.181.254
       DNS Servers . . . . . . . . . . . : 172.18.181.225
                                           10.1.6.20
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{76EA9F4C-5D8E-4697-AB18-B0A4D9D9A0B2}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    And the other;

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : ilisfs09
       Primary Dns Suffix  . . . . . . . : DNS.ILISLABS.EDU
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : DNS.ILISLABS.EDU
                                           ILISLABS.EDU

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Adapter
       Physical Address. . . . . . . . . : 00-1B-78-95-FD-7A
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.111.20.14
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Default Gateway . . . . . . . . . : 10.111.20.1
       DNS Servers . . . . . . . . . . . : 172.18.181.225

    I have the event logs from this machine and I can get the others, but how can I upload those?


    • Edited by Shadoww69 Tuesday, March 20, 2012 2:05 PM
    Tuesday, March 20, 2012 2:01 PM
  • Event Logs from my machine;

    Application

    Warning 3/20/2012 8:11:13 AM User Profiles Service 1530 None
    Information 3/20/2012 8:11:13 AM Desktop Window Manager 9009 None
    Information 3/20/2012 8:11:11 AM MouseWithoutBordersSvc 0 None
    Error 3/20/2012 7:41:53 AM CAPI2 4107 None
    Error 3/20/2012 7:29:38 AM CAPI2 4107 None
    Error 3/20/2012 7:29:38 AM CAPI2 4107 None
    Information 3/20/2012 7:28:20 AM Windows Error Reporting 1001 None
    Error 3/20/2012 7:28:19 AM Application Error 1000 (100)
    Error 3/20/2012 7:26:48 AM CAPI2 4107 None
    Error 3/20/2012 7:26:48 AM CAPI2 4107 None
    Error 3/20/2012 7:26:40 AM CAPI2 4107 None
    Error 3/20/2012 7:26:20 AM CAPI2 4107 None
    Error 3/20/2012 7:26:20 AM CAPI2 4107 None
    Error 3/20/2012 7:26:20 AM CAPI2 4107 None
    Information 3/20/2012 7:24:54 AM Symantec AntiVirus 2 None
    Error 3/20/2012 7:24:29 AM CAPI2 4107 None
    Error 3/20/2012 7:24:28 AM CAPI2 4107 None
    Error 3/20/2012 7:24:28 AM CAPI2 4107 None
    Error 3/20/2012 7:24:27 AM CAPI2 4107 None
    Information 3/20/2012 7:24:24 AM Desktop Window Manager 9003 None
    Information 3/20/2012 7:24:24 AM Winlogon 4101 None
    Information 3/20/2012 7:23:55 AM MouseWithoutBordersSvc 0 None
    Warning 3/20/2012 7:23:41 AM User Profiles Service 1530 None

    Systems log;

    Information 3/20/2012 7:54:07 AM Service Control Manager 7036 None
    Information 3/20/2012 7:51:43 AM Service Control Manager 7036 None
    Error 3/20/2012 7:51:16 AM NETLOGON 5719 None
    Information 3/20/2012 7:51:07 AM Service Control Manager 7036 None
    Information 3/20/2012 7:51:01 AM Service Control Manager 7036 None

    Tuesday, March 20, 2012 2:17 PM
  • Thanks for posting the info.

    The first thing that stands out in the ipconfig /all is this:
    IP Routing Enabled. . . . . . . . : Yes

    .

    Why is IP routing enabled? Is RRAS installed? If so, what is its purpose? IP routing being enabled can cause what you're seeing. I would suggest disabling RRAS, if it is installed.

    .

    How to disable IP Routing:
    Click on Start, Administrative Tools, click on "Routing and Remote Access"
    Right click Servername, choose Disable.
    Once you've disabled it, or even if Routing and Remote Access is already disabled, please navigate to the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Change value of IPEnableRouter from 1 to 0
    Reboot

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, March 20, 2012 4:04 PM
  • Odd thing is I checked that on this machine as well as on all of our servers and IP Routing is not enabled even though it states that it is in the IPconfig. Is there anywhere else to disable it?
    Tuesday, March 20, 2012 4:47 PM
  • Were my instructions to disable it not helpful?


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, March 20, 2012 4:51 PM
  • Hi Ace,

    No they were, but on the local machine there is no Routing and Remote Access under administrative tools or anywhere else that I could find. In the registry, IPEnableRouter is already set to 0.

    Tuesday, March 20, 2012 5:00 PM
  • Hmm, interesting. Drill down and look elsewhere in the TCP reg key.

    In Network & Sharing Center, is there a VPN, or bridged, PPPoE, Demand Dial, or some other interface that was added manually?

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, March 20, 2012 5:51 PM
  • There must be something up with one of our servers, after all of this. I tried to remote into several of our classroom machines and they would randomly work. I gave it about 20-30 minutes and tried mine again and it is working again as it should. I am not sure if it could be a replication issue but considering the timing that was the first thing that crossed my mind. Thank you everyone for the help.
    • Marked as answer by Bruce-Liu Thursday, March 22, 2012 5:27 AM
    Tuesday, March 20, 2012 5:53 PM
  • Glad to hear it's resolved, or at least for now. :-)

    Regarding IP Routing, since it's a DHCP client, is that being provided by a DHCP option? IP routing definitely causes issues, especially on a server, and especially so on a DC. I would look into it further to at least eliminate this as a possible factor moving forward.

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, March 20, 2012 7:12 PM