Non admin users cannot logon to the domain on Windows 7 wks

    Question

  • Hi guys, I have a problem. I'm not sure if this issue has been raised before, but here is my problem.

    My environment:

    2003 Domain controller
    File and Print server
     WSUS Server
    SQL Server
    Windows XP wks
    2 new Windows 7 wks


    What happens is that when I try to log on to the domain on the Win7 machine as a standard user, I get the error
    "You cannot log on because the logon method you are using is not allowed on this computer"

    If I log on with the domain admin account I'm able to log on, and if I make users members of Domain Admins they are also able to log on to the domain. I really do not believe that this is the way to go because it compromises my network security. Any help will be gladly appreciated.

    Thanks

    Tuesday, December 29, 2009 6:49 AM

Answers

  • Symptom: When trying to log on to a computer using a non-administrator ID, you may receive this message: "You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more details."

    Case 1: Group Policy's "Allow log on locally" was not set up to allow users or domain users. To allow users or domain users to log on to the computer or domain, you need to add the users or domain users to "Allow log on locally". Please follow these steps to add the users.

     

    1. Run gpedit.msc.
    2. Expand Windows Settings\Security Settings\Local Policies
    3. Click on User Rights Assignment
    4. Ensure that "Allow log on locally" includes Administrators, Backup Operators, Domain Users or Users.

     

    Case 2: Group Policy's "Deny log on locally" was set up to deny users or domain users. To allow users or domain users to log on to the computer or domain locally, "Deny log on locally" should be empty or have no users or domain users in the list. Please follow these steps to remove the users or domain users from "Deny log on locally".

     

    1. Run gpedit.msc.
    2. Expand Windows Settings\Security Settings\Local Policies
    3. Click on User Rights Assignment
    4. Ensure that "Deny log on locally" is empty.

     

    Case 3: The local group policy allows users to log on. However, the domain group policy, which overrides local policy, doesn't allow users to log on locally. The resolution is to modify the domain policy to allow users to log on locally.

     

    Case 4: The domain policy allows domain users to log on locally, but the local policy doesn't and the domain policy hasn't been applied to the computer. The fix is to run gpupdate to force an update of the domain policy.

    Case 5: Norton Firewall blocks the communication between the client and the domain controller. The solution is to disable Norton Firewall or reconfigure it to allow access to the domain controller.


    MCSE, MCSA, MCDST [If this post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster.]
    Tuesday, December 29, 2009 8:03 AM
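
The checks from Cases 1 to 4 of the answer above, as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt on the affected workstation and English group names; the scratch file names under `%TEMP%` are arbitrary.

```powershell
# Added example: read the effective "Allow/Deny log on locally" rights on this machine.
$cfg = Join-Path $env:TEMP 'user_rights.inf'      # scratch file; the path is arbitrary
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as "*S-1-5-32-544"; account names are written as-is.
    if ($entry -notmatch '^\*(S-1-.+)$') { return $entry }
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sidText   # unresolvable SID: deleted account or no contact with the DC
    }
}

function Get-LogonRight([string]$right) {
    $hit = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $hit) { return @() }                  # right not listed: nobody holds it
    ($hit.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        ForEach-Object { Resolve-Principal $_ }
}

$allow = @(Get-LogonRight 'SeInteractiveLogonRight')       # "Allow log on locally"
$deny  = @(Get-LogonRight 'SeDenyInteractiveLogonRight')   # "Deny log on locally"
"Allow log on locally: $($allow -join ', ')"
"Deny log on locally : $($deny -join ', ')"

# Cases 1 and 2 from the answer above.
if (-not ($allow -match '\\(Users|Domain Users)$')) {
    Write-Warning 'Neither Users nor Domain Users holds "Allow log on locally".'
}
if ($deny.Count -gt 0) {
    Write-Warning '"Deny log on locally" is not empty; deny wins over allow.'
}

# Cases 3 and 4: refresh policy, then write an RSoP report that names the winning GPO
# for each User Rights Assignment setting.
gpupdate /target:computer /force
gpresult /h (Join-Path $env:TEMP 'rsop.html') /f
Remove-Item $cfg
```

If the report shows a domain GPO as the winning source for "Allow log on locally", the setting has to be changed in that GPO on the domain side; the local editor will show it greyed out.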

All replies

  •  

    1. Run gpedit.msc.

     

    Sweet! Now we are working in the right direction, cdobbs. My next question is: where do I run gpedit?
    On the wks or on the domain controller?
    I'll tell you why: I ran Group Policy Editor on the workstation only to find that "Allow log on locally" is locked, the Add User or Group button is greyed out and there is nothing I can do with it.

    I'm running Nortons without firewall.
    Tuesday, December 29, 2009 8:42 AM
  • Generally, if it's greyed out, then a GPO is in effect from the DC preventing local change.
    MCSE, MCSA, MCDST
    Saturday, January 2, 2010 10:31 PM
  • Thanks, I have amended my GPO settings on my DC and am just waiting for the guys to come back from the holidays. I will provide feedback then. Thanks for your response, most appreciated.
    Sunday, January 3, 2010 6:50 PM
  • I have this same issue.  Windows 7 workstation in a Windows 2003 domain.  Users can not log into Windows 7 unless they are added to the local Administrators group.

    I ran gpedit on the domain controller, but could not modify the User Rights Assignment; the Add/Remove buttons were greyed out.
    Wednesday, January 6, 2010 5:08 PM
  • Start a new thread, itarc3. This thread has been answered for the original poster; you're more likely to get assistance for your problem(s) that way.
    MCSE, MCSA, MCDST
    Wednesday, January 6, 2010 7:31 PM
  • Okie! Looks like this thread can now be considered the ultimate answer for those who have the same problem. I'm happy to say that the problem is now solved; the solution provided is the correct one to resolve this issue. What I did was remove the Win7 users from my domain admin group and amend my "Allow log on locally" GPO as per the instructions, and voilà! We are in business. Thanks a lot.
    Monday, January 11, 2010 11:42 AM
  • Hi... can you explain how you edited the GPO settings on the DC? I have the same problem and am not able to find any solution. Please help.
    Wednesday, March 7, 2012 7:00 AM
  • I too have a client who is having this same issue. It started yesterday with the admin account unable to log on to the server locally, and today a user cannot log on to their workstation machine. I have tried the suggestions listed above (as well as all the other sites suggesting the same steps) with no luck.

    I ran gpupdate from the server, but still cannot log on to the workstation computer. Any ideas?

    Thursday, January 24, 2013 1:51 PM
  • Hello Sir

    The same issue occurred today in my organization. I followed the same steps and it was resolved after updating the GP.

    I am trying to search on the internet but am unable to understand why we are required to do this. In my previous organization that setting was not set and we did not face that kind of issue anymore.

    Is there any specific reason to enable it?

    Wednesday, October 5, 2016 6:50 PM
  • Allow only authorized accounts/groups of accounts to log on, and you will have a higher security standard.

    Don't do it, and you let anyone log on to your system with a local account, whose password can be changed with a boot device with special software, and steal data. ;-)



    • Edited by dk14494 Tuesday, June 27, 2017 10:27 AM
    Tuesday, June 27, 2017 10:00 AM