Solved

User cannot login to desktop

Posted on 2011-09-19
Last Modified: 2012-06-27
Hello,

I have a user that all of a sudden couldn't log into her desktop. I tried logging her into another machine, thinking maybe it's her system; however, I still couldn't log her in. I know my AD and domain controller are working fine, it's just this one user as far as I know. How can I troubleshoot this issue? I don't want to lose any of her files.

Server 2008 Enterprise
Desktop is running XP Pro

Thanks,

nimdatx
Question by:nimdatx
33 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 36561297
Check the account in ADUC to make sure it's not been locked out, disabled or expired.
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36561304
Make sure she's logging into the domain not the local machine.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36561309
Nope, not disabled or expired.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36561313
Logging her into the domain, not a local account.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 36561345
What error message are you getting? Is it possible that the user has changed or forgotten their password?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 36561351
If the user has no certificates and no encrypted files, then it's safe to reset the password. In ADUC, right-click and select 'Reset Password'.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36561381
I tried resetting the password and still no luck. The only thing it says is "The system could not log you on. Make sure User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case."

0
 
LVL 70

Expert Comment

by:KCTS
ID: 36561722
Try typing the username in the format DomainName\UserName
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36561856
I tried that earlier and it didn't work. I tried again on another system and it let me log in. Now when I try to map a network drive it asks for a user name and password to the directory. I put in the user's credentials and it doesn't do anything but the same logon screen comes back up. If I put in my admin account information, it maps the drive. I created another account in the same OU and tried the same thing, with the same results. Any idea why this is happening?

Thanks.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36562048
I created a new account to see if this is just with the user I'm working on. I created a testad user account and logged onto my machine. I tried to map a network drive and it asked me to put in username and password to share folder. I put in testad and password and it didn't do anything except ask me for password again. I tried my admin account and it allowed me to map network drive. Another weird thing is I tried to verify permissions on the directory/folder I'm trying to map to. Now when I select permissions for folder, hit add and enter the user/object name testad, it says An object named "testad" cannot be found. I tried the initial user account this issue got started with and same response. It's as if these users don't exist. What is going on?
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36562166
Is there more than one DC?
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36562215
Yes, my old DC running Win2k3 Standard. My old server is Fileserver. My new DC is Fileserver2, which seems to be ok when I run dcdiag.

C:\Users\nimda>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Fileserver2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FILESERVER2
      Starting test: Connectivity
         ......................... FILESERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FILESERVER2
      Starting test: Advertising
         ......................... FILESERVER2 passed test Advertising
      Starting test: FrsEvent
         ......................... FILESERVER2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... FILESERVER2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... FILESERVER2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... FILESERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... FILESERVER2 passed test KnowsOfRoleHolde
      Starting test: MachineAccount
         ......................... FILESERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... FILESERVER2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... FILESERVER2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... FILESERVER2 passed test ObjectsReplicate
      Starting test: Replications
         ......................... FILESERVER2 passed test Replications
      Starting test: RidManager
         ......................... FILESERVER2 passed test RidManager
      Starting test: Services
         ......................... FILESERVER2 passed test Services
      Starting test: SystemLog
         ......................... FILESERVER2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... FILESERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValida

   Running partition tests on : RAPA
      Starting test: CheckSDRefDom
         ......................... RAPA passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... RAPA passed test CrossRefValidation

   Running enterprise tests on : RAPA.local
      Starting test: LocatorCheck
         ......................... RAPA.local passed test LocatorCheck
      Starting test: Intersite
         ......................... RAPA.local passed test Intersite
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36562494
Does echo %logonserver% point to FILESERVER2 when you log on to her desktop?
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36562631
I'm sorry, but I'm not sure what you're asking.

FYI: I logged on to my second DC (Fileserver), which used to be my primary DC, and noticed some errors. A bunch of these errors. Now I did have a HD fail last week, so I'm not sure if something got corrupted. On my new primary DC (Fileserver2) all seems to be working OK. I'm not sure how the old DC affects my new DC. Here are the errors.

Application: Event ID 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event ID 1079
Windows cannot search for Group Policy objects. (Operations Error). Group Policy processing aborted.

Directory Services:
NTDS Replication Event ID: 2108
This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.
 
Object:
CN=DBTF72G1,OU=BO Computers,OU=Business Office,DC=RAPA,DC=local
Object GUID:
bc7cd65c-88d5-4100-8cbc-2e466d9fa71e
Source domain controller:
7b7ffb9e-cc90-4923-acd2-7a54d62b980d._msdcs.RAPA.local

User Action
 
 Please consult KB article 837932, http://support.microsoft.com/?id=837932. A subset of its repair procedures are listed here.
 1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
 2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
 3. The problem may be related to the object's parent on this domain controller. On the source domain controller, move the object to have a different parent.
 4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.   If the error is occurring in an application partition, you can stop the application partition from being hosted on this replica. This may be changed using the ntdsutil.exe command.
 5. Obtain the most recent ntdsutil.exe by installing the latest service pack for your operating system. Prior to booting into Directory Services Restore Mode (DSRM), verify that the DSRM password is known. Otherwise reset it prior to restarting the system.
 6. In DSRM, run the NT CMD prompt, run "ntdsutil files integrity". If corruption is found and other replicas exist, then demote replica and check your hardware. If no replicas are present, restore a system state backup and repeat this verification.
 7. Perform an offline defragmentation using the "ntdsutil files compact" function.
 8. The "ntdsutil semantic database analysis" should also be performed. If errors are found, they may be corrected using the "go fixup" function.  Note that this should not be confused with the database maintenance function called "ESE repair", which should not be used, since it causes data loss for Active Directory Databases.
 
 If none of these actions succeed and the replication error continues, you should demote this domain controller and promote it again.
 
Additional Data
Primary Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.
Secondary Error value:
-1018 JET_errReadVerifyFailure, Checksum error on a database page

Event ID: 1084
Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.
 
Object:
CN=DBTF72G1,OU=BO Computers,OU=Business Office,DC=RAPA,DC=local
Object GUID:
bc7cd65c-88d5-4100-8cbc-2e466d9fa71e
Source domain controller:
7b7ffb9e-cc90-4923-acd2-7a54d62b980d._msdcs.RAPA.local
 
Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.
 
This operation will be tried again at the next scheduled replication.
 
User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).
 
Additional Data
Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36562653
Some more info.....

C:\Users\nimda>repadmin /replsummary
Replication Summary Start Time: 2011-09-19 13:40:20

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 FILESERVER                45m:18s    0 /   6    0
 FILESERVER2       07d.04h:47m:22s    1 /   9   11  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 VLS-D6DNY8C1          02h:45m:18s    0 /   3    0


Destination DSA     largest delta    fails/total %%   error
 FILESERVER        07d.04h:47m:22s    1 /   6   16  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 FILESERVER2           02h:45m:18s    0 /   9    0
 VLS-D6DNY8C1          02h:54m:05s    0 /   3    0
0
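The replication summary posted above can be checked mechanically. This added example (not code from the thread) parses that output, rejoins the error text that the console wrapped mid-word, and lists the destination DCs that are failing to receive changes. The function names and the 24-hour staleness threshold are assumptions.

```python
import re
from datetime import timedelta

# repadmin /replsummary output as posted in this thread, console wrap included.
SAMPLE = """\
Source DSA          largest delta    fails/total %%   error
 FILESERVER                45m:18s    0 /   6    0
 FILESERVER2       07d.04h:47m:22s    1 /   9   11  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 VLS-D6DNY8C1          02h:45m:18s    0 /   3    0

Destination DSA     largest delta    fails/total %%   error
 FILESERVER        07d.04h:47m:22s    1 /   6   16  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 FILESERVER2           02h:45m:18s    0 /   9    0
 VLS-D6DNY8C1          02h:54m:05s    0 /   3    0
"""

HEADER = re.compile(r"^\s*(Source|Destination) DSA\s+largest delta")
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$")
UNIT = re.compile(r"(\d+)([dhms])")
SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_delta(text):
    """Turn '07d.04h:47m:22s' or '45m:18s' into a timedelta (None if unparseable)."""
    parts = UNIT.findall(text)
    if not parts:
        return None
    return timedelta(seconds=sum(int(n) * SECONDS[u] for n, u in parts))


def parse_replsummary(text):
    """Return one dict per DSA row, rejoining error text split by the console."""
    rows, role, last = [], None, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            role, last = header.group(1).lower(), None
            continue
        row = ROW.match(line) if role else None
        if row:
            dsa, delta, fails, total, pct, error = row.groups()
            last = {"role": role, "dsa": dsa, "delta": parse_delta(delta),
                    "fails": int(fails), "total": int(total), "error": error}
            rows.append(last)
        elif line.strip() and last and last["error"]:
            # Wrapped at the console width, mid-word: append with no separator.
            last["error"] += line
        else:
            last = None
    return rows


def flagged(rows, max_delta=timedelta(hours=24)):
    """Rows with a failed link or a delta over max_delta (24 h is an assumed limit)."""
    return [r for r in rows
            if r["fails"] > 0 or r["delta"] is None or r["delta"] > max_delta]


def stale_destinations(text, max_delta=timedelta(hours=24)):
    """DCs failing to pull changes in: their copy of the directory is out of date."""
    return sorted({r["dsa"] for r in flagged(parse_replsummary(text), max_delta)
                   if r["role"] == "destination"})
```

On the posted output, `stale_destinations(SAMPLE)` returns only FILESERVER, the DC whose inbound replication has been failing for a week.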
 
LVL 1

Author Comment

by:nimdatx
ID: 36562709
FYI - C:\Users\nimda>netdom query fsmo
Schema master               Fileserver2.RAPA.local
Domain naming master        Fileserver2.RAPA.local
PDC                         Fileserver2.RAPA.local
RID pool manager            Fileserver2.RAPA.local
Infrastructure master       Fileserver2.RAPA.local
The command completed successfully.
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36562734
My thinking is that the problem desktop is hitting the DC that you had issues with. If you can logon to the problem desktop as another user you can find your logon server with the above command.

If possible you could even take the other DC offline or demote it.
0
 
LVL 29

Accepted Solution

by:
Randy Downs earned 500 total points
ID: 36562745
The errors on Fileserver are probably why your one user can't get in. If the DC is either removed or fixed you should be fine.
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36562754
The old DC is not synching so changes you make in A/D won't get replicated

Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36562760
What command are you referring to? Are you talking about ....echo %logonserver% point to FILESERVER2 when you logon to her desktop?

How would I find out my logon server?
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36562791
Yeah, just use the command line: echo %logonserver% will tell you which logon server you used.
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36562831
The procedure above you quoted with the error on Fileserver should get you on the right path.

Just demoting the machine from being a global catalog might get your user on.

1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
 2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
 3. The problem may be related to the object's parent on this domain controller. On the source domain controller, move the object to have a different parent.
 4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36562998
Not sure where I would uncheck Global Catalog. This picture is from my old DC Server.  

[Image: NTDS on old DC]
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36563091
The MMC lists both servers so you could uncheck from either. The site you want is the one that the problem desktop logs in with. I assume it's Fileserver since that's where you get errors.

http://technet.microsoft.com/en-us/library/cc782402(WS.10).aspx

To clear the global catalog setting
1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then expand the site from which you are removing a global catalog server.

3. Expand the Servers container and then expand the Server object for the domain controller that you want to remove as a global catalog server.

4. Right-click the NTDS Settings object for the target server, and then click Properties.

5. If the Global Catalog check box is selected, clear the check box, and then click OK.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36563396
Not sure what happened, but I got more calls that users that were mapped to a share off the Fileserver (old DC) are now being prompted for their username and password. When they put in username and password it doesn't work. Now some mapped drives worked with my admin account, but then I get this error on other mapped drives:

The network folder specified is currently mapped using a different username and password. To connect using a different user name and password, first disconnect any existing mapping to this network share.

The mapped network drive could not be created because the following error has occurred: Multiple connections to a server or shared resource by the same user using more than one username are not allowed. Disconnect all previous connections to the server or shared resource and try again.
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36563443
Looks like you are going to have to fix Fileserver. I assume #1 is OK. Can you get it to rebuild in #2?

1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
 2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36563595
Yes, let me try. What happened? I need to explain to my boss while I fix.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36563635
OK, I ran #2 and got "Modified", which I believe started the SD propagator. Now please note I connected to the old DC (Fileserver). Was I supposed to connect to Fileserver2? Thanks for staying with me.
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36563658
Removing Fileserver from the global catalog meant that the DC no longer validated logins. The clients should fail over to the other DC but it may take some time for them to catch up. Apparently the shares had to have the credentials refreshed (disconnect/connect).

Meanwhile Fileserver hopefully will rebuild and you can add global catalog once again.

We didn't check that the error occurred in the read-only partition but knew Fileserver was creating problems.

 4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36563690
Fileserver was the one with the error. If it was successful add the global catalog back and all should be well.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36563771
Is it normal that when I try to map a network drive on the user it asks me for credentials (username/password) and doesn't take them? Why is it doing this still?
0
 
LVL 1

Author Comment

by:nimdatx
ID: 36563785
When I ran the ldp I didn't get any errors, however I didn't really see any confirmation that it ran successfully. The mapped drive I'm trying to connect to is on my Fileserver2 and Fileserver, either one works.
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36566811
I would check the logon server to see which Server is causing issues. Perhaps it has settled down by now.
0
