  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1217
  • Last Modified:

Suddenly can't log into domain from one specific PC - getting "account is disabled" error even though the domain accounts aren't disabled in AD

We have a Windows 2000-based domain in our company, running almost exclusively Windows XP clients. However, one of our client machines, a Windows 2000 Pro box (SP3), is having an issue.

When a user tries to log onto the PC with the username/domain that has always worked, it now comes up with an error saying the account is disabled and to call the administrator. The domain account works fine on other PCs in the domain and is not disabled in AD. In fact, every domain account we tried comes up with this error on this PC. The only way to log on is through the local administrator login.

Once I was able to log in locally, I looked at the list of user profiles (obtained through My Computer) and all the domain accounts say "Account Unknown" under the name column! The only ones that show up correctly are the local accounts.

I also tried to have a user (that has never logged into this computer before) log onto the PC with his domain account and he also received the account disabled error. I checked the PC's IP settings and they're fine. I also tested browsing a domain file server and that worked after supplying proper credentials, which proves to me that it's definitely still seeing the network and communicating with the domain controllers.

Does anyone have a solution to fix this problem? We'd like to be able to log into the domain again on this PC without wiping it off and starting over. I'm sure it's not an AD issue since the domain accounts work fine on other PCs on the domain.

I'm wondering if a user was doing something he/she shouldn't have been doing. We allow Domain Users as local administrators, so it's possible that a user could tinker with the registry, local group policy, etc.

Thanks for the help,
Jeff
Asked by: mschmidt14
 
louy3Commented:
Check to be sure that the time on your PC is in sync with the server.
 
mschmidt14Author Commented:
The time is right in line with our domain. You made me aware of an area I didn't even think of checking- the local PC's Event Viewer! In there I find tons of entries like this:

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5721
Date:            5/29/2006
Time:            8:41:13 PM
User:            N/A
Computer:      PACCAR-88CF36D8
Description:
The session setup to the Windows NT or Windows 2000 Domain Controller <Unknown> for the domain [our domain] failed because the Domain Controller does not have an account for the computer [insert PC name here].
Data:
0000: 8b 01 00 c0               ?..À
______

I also see a lot of these starting on a specific date/date:

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1000
Date:            5/19/2006
Time:            11:51:46 AM
User:            NT AUTHORITY\SYSTEM
Computer:      [insert PC name here]
Description:
Windows cannot determine the user or computer name. Return value (1317).

Jeff
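
An added example, not part of the original post: both events quoted above carry machine-readable codes. This Python code parses pasted Event Viewer text, decodes the NETLOGON Data bytes as a little-endian NTSTATUS and the Userenv return value as a Win32 error code. The code tables are a small hand-picked subset, and the sample text is constructed with placeholder domain and computer names.

```python
import re
import struct

# Small subsets of the Windows NTSTATUS and Win32 error tables (not exhaustive).
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",  # DC has no account for this computer
    0xC000018D: "STATUS_TRUSTED_RELATIONSHIP_FAILURE",
}
WIN32 = {1317: "ERROR_NO_SUCH_USER", 1787: "ERROR_NO_TRUST_SAM_ACCOUNT"}

# Constructed sample: same sources, IDs and codes as the events in the post.
SAMPLE = """\
Event Type:      Error
Event Source:      NETLOGON
Event ID:      5721
Description:
The session setup to the Windows NT or Windows 2000 Domain Controller <Unknown> for the domain EXAMPLE failed because the Domain Controller does not have an account for the computer EXAMPLE-PC.
Data:
0000: 8b 01 00 c0               ....

Event Type:      Error
Event Source:      Userenv
Event ID:      1000
Description:
Windows cannot determine the user or computer name. Return value (1317).
"""

def decode_events(text):
    """Return (source, event_id, code_name) for each event in pasted text."""
    results = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        src = re.search(r"(?m)^Event Source:\s*(\S+)", chunk)
        eid = re.search(r"(?m)^Event ID:\s*(\d+)", chunk)
        if not (src and eid):
            continue
        name = None
        dump = re.findall(r"(?m)^[0-9a-fA-F]{4}:((?: [0-9a-fA-F]{2})+)", chunk)
        raw = bytes.fromhex("".join(dump).replace(" ", ""))
        ret = re.search(r"Return value \((\d+)\)", chunk)
        if len(raw) >= 4:
            # The first DWORD of the event data is the NTSTATUS, little-endian.
            status = struct.unpack_from("<I", raw)[0]
            name = NTSTATUS.get(status, f"NTSTATUS 0x{status:08X} (not in table)")
        elif ret:
            code = int(ret.group(1))
            name = WIN32.get(code, f"Win32 error {code} (not in table)")
        results.append((src.group(1), int(eid.group(1)), name))
    return results

if __name__ == "__main__":
    for row in decode_events(SAMPLE):
        print(row)
```

Both codes say the same thing from two angles: the domain controller cannot find the account it is being asked about, which is a computer-account problem rather than a disabled user account.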
 
caddladyCommented:
I had this problem before and cannot remember where I fixed it at. It seems as though I had to enable legacy computer support in Group Policy or the Domain Policy and then they were able to log on.

Try the Microsoft page below... It may have the solution for you. In the meantime, I will try to locate the setting that I changed.

http://support.microsoft.com/?id=555038

 
louy3Commented:
Go to Active Directory Users and Computers on the server. Expand Computers, and delete the computer name of the problem PC, then re-add it to the list. Reboot the problem PC.
 
mschmidt14Author Commented:
Louy3-

I looked in AD and it turns out this PC was in the Users folder, not the "computers" folder or the "[domain] computers" folder. I moved it to the latter. I wonder if that will help? There's no consequence for deleting the computer from the list and re-adding it?

Thanks,
Jeff
 
Mike KlineCommented:
You could also remove the PC from the domain from the PC and then rejoin it back and see if that helps.

Thanks
Mike
 
louy3Commented:
It should help. But if the SID is messed up, it will be OK to remove it from the list and re-add it.
 
mschmidt14Author Commented:
Once I moved the computer from the Users group to the Domain Computers group and restarted the PC, I was able to log in fine with the domain.