	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.7

AD "Log On To..." Changes from All Computers to The Following Computers

Asked by MattShadbolt in Active Directory, Windows 2003 Server, Windows Server 2008

Tags: Active Directory Logon-Workstations

OK, here is a doosy guys!

I've been working on this for about a day and thought it was probably time to ask the community.

I've got a Native 2003 domain with three 08 DCs and one 03 DC. As of last week (while I was on holidays) all of the domains user accounts have been changing their logon-workstations attributes from "All Computers" to "The following computers"... the list of the following computers is only about 30 machines and subsiquently the users can't login to their workstations.

After carefull investiagtion, I've found that the list of computers that show up in "The following computers" are all servers - either 03 or 08 and they spread across different OU's (and even some in the default Computers container)

I've disabled all Group Policies, scoured the logs and can't come up with an answer. The issue seems to re-occur about ever 4 hours. Its affecting ALL users, including disabled users, service accounts and across the whole domain.

When the user account is disallowed access to the server (before I manually change it back to "All Computers" errors are reported on the local machine as below. Of course I've googled every possible error message/description.
Once I change every account back to "All Computers" the users have their normal full access.

Appreciate any help and would gladly award the points to anyone who helps me troubleshoot!

Cheers.

View the Solution FREE for 30 Days

         
             Source: LSASRV
Cat: SPNEGO
Event ID: 40960
The Security System detected an attempted downgrade attack for server cifs/DOMAIN-CONTROLLER.  The failure code from authentication protocol Kerberos was "The user account is restricted such that it may not be used to log on from the source workstation.
 (0xc0000070)".
 
then
 
Source: LSASRV
Cat: SPNEGO
Event ID: 40960
The Security System detected an attempted downgrade attack for server cifs/LINCOLN-FS1.  The failure code from authentication protocol Kerberos was "The user account is restricted such that it may not be used to log on from the source workstation.
 (0xc0000070)".

20091111-EE-VQP-92 - Hierarchy / EE_QW_3_20080625

Hall of Fame

1. mkline711,420,124
2. Chris-Dent862,863
3. bluntTony722,847
4. Americom454,065
5. oBdA448,050
6. demazter287,582
7. tigermatt249,187
8. henjoh09242,631
9. Mestha239,913
10. KCTS216,542
11. dstewartjr215,842
12. dariusg194,090
13. snusgubben168,201
14. LauraEHu...139,917
15. zelron22139,016
16. RickSheikh133,815
17. ChiefIT122,546
18. xxdcmast120,314
19. chuku117,870
20. RobSamp...100,003
21. leew87,316
22. MightySW84,159
23. Paranorm...81,852
24. ram_kerala79,657
25. Shift-377,390

1. KCTS2,051,522
2. Chris-Dent1,685,777
3. LauraEHu...1,481,909
4. mkline711,436,374
5. oBdA1,042,208
6. tigermatt849,252
7. bluntTony722,847
8. Jay_Jay70713,427
9. toniur518,828
10. Americom504,351
11. henjoh09493,881
12. Netman66423,334
13. Sembee408,200
14. ChiefIT399,750
15. dariusg399,279
16. leew393,678
17. RobSamp...304,987
18. demazter287,582
19. Pber260,548
20. TechSoEasy248,123
21. Shift-3240,972
22. Mestha239,913
23. dstewartjr236,922
24. ryansoto232,402
25. snusgubben228,976

AD "Log On To..." Changes from All Computers to The Following Computers

Asked by MattShadbolt in Active Directory, Windows 2003 Server, Windows Server 2008

Tags: Active Directory Logon-Workstations

About this solution