none
Cannot RDP onto Server Event ID 4625 RRS feed

  • Question

  • Hi,

    We have a Windows 2016 domain member server that I can't log on using my smart card.

    The account is a member of the Domain Admins group, which is a member of the local administrators group.

    Other users in the group can log on.

    The account isn't in the Deny Log on locally, and the Administrators group is in the Allow log on locally.

    Any idea why this is happening? 

    In the event log I see:

    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: xxx
    Account Domain: xxxx
    Logon ID: 0x3E7

    Logon Type: 10

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: xxx
    Account Domain: xxxx

    Failure Information:
    Failure Reason: The user has not been granted the requested logon type at this machine.
    Status: 0xC000015B
    Sub Status: 0x0

    I'm not sure where to go to further troubleshoot this.

    Wednesday, August 21, 2019 3:06 PM

All replies

  • "The user has not been granted the requested logon type at this machine"

    you don't have permission to logon that.  Check your user name correctly

    0xc000015b The user has not been granted the requested logon type (aka logon right) at this machine

    Refer this,

    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

    Thursday, August 22, 2019 12:34 AM
  • Hello,
    Thank you for posting in our TechNet forum.

    On the DC, when we open Default Domain Policy, we can see:

    Default Domain Policy: Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment->Allow log on through Remote Desktop Services

    Default:

    On workstation and servers, we can logon through RDP with the account in Administrators or Remote Desktop Users groups.





    And on the workstation, when we open Local Group Policy Editor, we can see:

    Local Computer Policy: Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment->Allow log on through Remote Desktop Services

    Default:
    We can logon through RDP with the account in Administrators or Remote Desktop Users groups.




    So, we can troubleshoot as below:

    1. Check whether the account we mentioned is in Allow log on through Remote Desktop Services on this member server.

    2. Meanwhile, on this member server, we can check whether the account we mentioned is in 
    Control Panel\All Control Panel Items\System\Remote Settings\Remote tab\Allow remote connections to this computer group.






    If all the above is OK. I think maybe there is another domain policy that blocks us to logon this member through RDP .



    Best Regards,
    Daisy Zhou




    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 22, 2019 3:57 AM
    Moderator
  • The account is a member of the domain admin group, which is a member of the local administrators group, I've confirmed it has those rights.

    Other Domain Admin account can log log.

    I suspect there might be some other policy blocking this one account and trying to determine what it is.

    Thursday, August 22, 2019 12:39 PM
  • I found the issue.

    I had added my Domain Admin account to the Enterprise Admin group for an upgrade.  Turns out our Windows 2016 server group policy doesn't allow Enterprise Admin to RDP onto servers. Removing the account from the group resolved the issue.

    Thursday, August 22, 2019 4:10 PM
  • Hi,
    Thank you for your update and sharing. I’m very glad that the problem has been solved.
     
    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you! 

    Have a nice day!


     
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 23, 2019 5:26 AM
    Moderator