willay
Moderator
Organiser: South East, National Events
Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
HI.
Got a issue at the moment where users in a certain OU can't roam to different PCs and I can't for the life of me work out why. Essentially they get presented with a message telling them that only an network/administrator can login from the terminal in question.
As far as I was aware roaming was setup, I can login on the workstations in question and so can a dummy user I created in a differnet OU. I'm not getting any errors on the DC (event viewer->security), the users that cannot login are members of more groups than my dummy user and are 'members of' two groups which my dummy user is in.
I've checked the 'Logon to' window in the users settings, they are allowed to login to any machine on the network.
I've gone through the GPO but I'm quite new to all this windows ad lark so I may be missing out on something, is there someway I can compare two users permissions to try and pinpoint where I'm going wrong?
Any help appreciated. 
|
John
Member
Registered: 30th Jun 03
User status: Offline
|
Could very well be caused by a GPO, I end up combing through them if somebody else has set it up.
If you move a user from that OU into another OU can they login?
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
delegated rights for deny logon most probably, on some of those groups the users are members of
deny privellages always overrule allow
[Edited on 18-06-2012 by Steve]
|
willay
Moderator
Organiser: South East, National Events
Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
If its GPO can someone point me as to what setting it can be?
I went through the GPO summaries to see what settings were enabled, I couldnt see any that were enabled that would be affecting this.
What gets me is that the user trying to logon to other machines has more permissions than god. At one point I even made him a member of Domain Admins (he was already part of admins) but no joy.
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
i dont think its gpo, delegated rights more like
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
http://www.youtube.com/watch?v=GfrNxqAVqSs
|
Planty02
Member
Registered: 5th Mar 05
Location: Burslem, Stoke-on-Trent
User status: Offline
|
Might be worth having a look at the Group policy results wizard in the group policy management console Will.
This will show you all the policies that apply to the user and the computer 
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
Gpresult cmd on client pc will tell you the same though I still don't think its gpo
|
Planty02
Member
Registered: 5th Mar 05
Location: Burslem, Stoke-on-Trent
User status: Offline
|
ok im thinking it could be something in Computer Config > Windows Settings > Security Settings > Local Policies > User rights assignment.
theres a couple of deny logon by group options in there...
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
Usually deny logon locally which won't affect the domain however there maybe be some domain related stuff in there
|
Planty02
Member
Registered: 5th Mar 05
Location: Burslem, Stoke-on-Trent
User status: Offline
|
Deny logon locally is applied to domain security groups and domain users. I think the "Local" just means at the terminal
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
you also get a different error message if deny logon locally is enabled something about the local policy does not permit you to logon, along those lines
|
pow
Premium Member
Registered: 11th Sep 06
Location: Hazlemere, Buckinghamshire
User status: Offline
|
Start with gpresult /r (I think) and see what's being applied
|
willay
Moderator
Organiser: South East, National Events
Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
I'm embarrassed to say this was a password issue 
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
quote:
Originally posted by willay
I'm embarrassed to say this was a password issue
I had a similar debate with a guy at work who couldnt log in using some credentials I had scripted to a MSSQL database using scripts that had worked for months and had not been changed.. He categorically refused to accept he'd made a mistake somewhere because he had 'tried everything'...
I took one look at the screen and pointed out the extra space in the username he was trying to log in with... 
|
willay
Moderator
Organiser: South East, National Events
Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
Well I was dealing with a fucking MD and he hasnt been the happiest chappy this week. So when I got this issue I was like right what could it be, I couldnt work out why I could roam (but I'm an admin) and he couldnt. The next day my boss was like "just ask for his password, its fine" so I did and when I tried to login to the terminals he was using I noticed it had a US keymap then it was
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
talking of passwords, was out at a school installing a new PC for a member of staff, happened to be a slightly slow caretaker, asked him what his password was so i could set him up the same on the new PC, he paused for a moment, then spelt c u n t, i said you winding me up, nope that was his password  my and my colleague couldnt stop giggling all morning, and in the afternoon another member of staff came in and said the man couldnt get in using his password, which started us off roaring again
|
