Network User cannot logon from this Workstation - 0xc0000070

  • Question

  • I have multiple PCs, all of them running Windows 7 (in Editions ranging from Home Premium to Ultimate).
    All of the PCs are in the same wired Network, have the Network type set to Work and are in the same workgroup. They can see each other just fine and the basic Network Stuff is working just fine.
    All of them also have Password Protected Sharing and 128-bit Encryption enabled as these are the default Values.
    The Network is just a regular Network, not an Active Directory.

    One of the PCs (running Ultimate, to be called Server from now on) has a couple of Files which I would like to access from one of the other PCs.
    The Server does have an Account that is to be used for this purpose which has been prevented from logging on locally by the use of Local Security Policies. (Deny log on locally).
    Other Settings that might be of relevance:

    Lan Manager Authentication Level: Send NTLMv2 only. Refuse LM.

    A Network Share is present on the Server with both Share & NTFS Permissions set to Read Only / Read & Execute for the Useraccount and ANONYMOUS LOGON (plus additional default NTFS Permissions for default Groups & Principals - e.g. SYSTEM, Administrators, Users)

    When trying to access the Server from any of the other PCs I get asked for Credentials which I provide correctly. A few moments later I get an Error telling me I may not have Permissions to access the server and the last line saying "This Account cannot login from this workstation".

    On the Server the Eventlog says:
    An account failed to log on.

    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Network
    Account Domain: PC-3-W7U

    Failure Information:
    Failure Reason: User not allowed to logon at this computer.
    Status: 0xc000006e
    Sub Status: 0xc0000070

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: PC-1-W7P
    Source Network Address: fe80::3438:cb28:e4bb:7bb7
    Source Port: 49224

    Detailed Authentication Information:
    Logon Process: NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    The Sub Status according to MSDN is STATUS_INVALID_WORKSTATION which is documented as: The user account is restricted so that it may not be used to log on from the source workstation.

    The Questions now are:
    * How did these Restrictions come into place?
    * How can I remove these Restrictions?
    or even better yet:
    * How can I modify these Restrictions to include specific Workstations to be allowed to logon using this Account?

    I am not really willing to remove the need for providing Credentials in order to access the other Computers, so turning off Password protected sharing, enabling Anonymous Access to everything is not really an option.

    If you need any more information which I somehow forgot to include just ask - will be happy to provide them.

    Saturday, March 10, 2012 9:42 PM
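
For triaging events like the one quoted in the question, this added example (not part of the original thread) parses the event text into its sections and decodes the Status / Sub Status pair. The function names and the NTSTATUS table are the example's own, and the sample is a constructed excerpt of the event above.

```python
# NTSTATUS names for codes that show up in "An account failed to log on" events.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
}

# Constructed sample: excerpt of the event text quoted in the question.
SAMPLE_EVENT = """An account failed to log on.

Logon Type: 3

Account For Which Logon Failed:
Account Name: Network

Failure Information:
Status: 0xc000006e
Sub Status: 0xc0000070

Network Information:
Workstation Name: PC-1-W7P
Source Network Address: fe80::3438:cb28:e4bb:7bb7
"""

def parse_failed_logon(text):
    """Return {section: {field: value}}; headerless fields go under 'Event'."""
    sections, current = {}, "Event"
    for raw in text.splitlines():
        # Split on the first colon only, so IPv6 addresses stay intact.
        key, sep, value = (part.strip() for part in raw.partition(":"))
        if not raw.strip():
            current = "Event"        # a blank line ends the current section
        elif sep and not value:
            current = key            # "Header:" with no value opens a section
        elif sep:
            sections.setdefault(current, {})[key] = value
    return sections

def triage(text):
    ev = parse_failed_logon(text)
    decode = lambda code: NTSTATUS.get(int(code, 16), "unknown NTSTATUS")
    return {
        "account": ev["Account For Which Logon Failed"]["Account Name"],
        "source": ev["Network Information"]["Workstation Name"],
        "network_logon": ev["Event"]["Logon Type"] == "3",  # type 3 = network
        "status": decode(ev["Failure Information"]["Status"]),
        "sub_status": decode(ev["Failure Information"]["Sub Status"]),
    }
```
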

All replies

  • The account should not be disallowed to log on locally. If you would not like users to log on with this account, try to hide the account from Logon Screen.

    Hide User Accounts on Windows 7 Logon

    Monday, March 12, 2012 6:29 AM
  • There is no Logon Screen on that particular System so that is no issue. Thanks to Do not require Ctrl+Alt+Del = Disabled, Do not display last user name = Enabled that machine requires one to Enter Username and Password after pressing Ctrl + Alt + Del.

    In either case the Security Option Deny log on locally should have nothing to do with logging on from the Network. Since I definitely do not want anyone to access that machine locally with that account it seems logical to use the Deny log on locally Security Policy to prevent it. For those who need to access that machine locally (e.g. me) there are other accounts to use.

    Anyway just to be sure I checked the Local Security Policy on that System again and made sure the Account is not listed in the Deny log on locally policy. However I still get the same Error Message when trying to access the Machine with that account from any machine and the very same Event as in the Original Post is logged on the machine which I try to log on to.

    Monday, March 12, 2012 6:21 PM
  • I removed the Answer Tag from your Post, because it DOES NOT answer the Question nor does it solve the Problem or lead to a Solution.

    Please reread my previous Post! I did remove that Account from the List of Accounts who cannot logon locally despite that it should've nothing to do with the Problem but the Problem remains.

    Your presumption that everyone uses that damned Logon Screen where all Accounts are being displayed is also quite presumptuous and not at all true as I explained in my previous post, which you obviously ignored entirely. Hell even If I'd be using that Logon Screen, hiding said Account from the Screen (using some Registry Hack which I am aware of) would NOT prevent the account from being able to logon at all and as such is no solution.

    Local is local as in sitting in front of PC A logging on using PC A using that account which shouldn't be allowed. Remote is remote as in sitting in front of another PC logging into PC A. So if I use the Setting to prevent said Account from using PC A to logon to PC A it should be fine and not possible for anyone using PC A to logon as that account, while using PC B to logon at PC A using said Account should still work. Unless my Logic is somehow seriously flawed here (in which case an explanation with examples would be appreciated) the setting in question should've nothing to do with the Problem.

    In either case, Problem still exists.

    • Edited by SilentStorm Thursday, April 5, 2012 4:48 PM
    Thursday, April 5, 2012 4:40 PM