Solved

User cannot login to desktop

Posted on 2011-09-19
Last Modified: 2012-06-27
Hello,

I have a user that all of a sudden couldn't log into her desktop. I tried logging her into another machine, thinking maybe it's her system, however I still couldn't log her in. I know my AD and domain controller is working fine, it's just this one user as far as I know. How can I troubleshoot this issue? I don't want to lose any of her files.

Server 2008 Enterprise
Desktop is running XP Pro

Thanks,

nimdatx
Question by:nimdatx
33 Comments
 
LVL 70

Expert Comment

by:KCTS
Check the account in ADUC to make sure it's not been locked out, disabled or expired.
0
 
LVL 29

Expert Comment

by:Randy Downs
Make sure she's logging into the domain not the local machine.
0
 
LVL 1

Author Comment

by:nimdatx
Nope, not disabled or expired.
0
 
LVL 1

Author Comment

by:nimdatx
Logging her into domain, not local account.
0
 
LVL 70

Expert Comment

by:KCTS
What error message are you getting? Is it possible that the user has changed or forgotten their password?
0
 
LVL 70

Expert Comment

by:KCTS
If the user has no certificates and no encrypted files, then it's safe to reset the password. In ADUC, right-click and select 'reset password'.
0
 
LVL 1

Author Comment

by:nimdatx
I tried resetting password and still no luck. The only thing it says is "The system could not log you on. Make sure User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case."

0
 
LVL 70

Expert Comment

by:KCTS
Try typing the username in the format DomainName\UserName
0
 
LVL 1

Author Comment

by:nimdatx
I tried that earlier and it didn't work. I tried again on another system and it let me login. Now when I try to map a network drive it asks for user name and password to directory. I put in the user's credentials and it doesn't do anything but the same logon screen comes back up. If I put in my admin account information, it maps the drive. I created another account in the same OU and tried the same thing and same results. Any idea why this is happening?

Thanks.
0
 
LVL 1

Author Comment

by:nimdatx
I created a new account to see if this is just with the user I'm working on. I created a testad user account and logged onto my machine. I tried to map a network drive and it asked me to put in username and password to share folder. I put in testad and password and it didn't do anything except ask me for password again. I tried my admin account and it allowed me to map network drive. Another weird thing is I tried to verify permissions on the directory/folder I'm trying to map to. Now when I select permissions for folder, hit add and enter the user/object name testad, it says An object named "testad" cannot be found. I tried the initial user account this issue got started with and same response. It's as if these users don't exist. What is going on?
0
 
LVL 29

Expert Comment

by:Randy Downs
Is there more than one DC?
0
 
LVL 1

Author Comment

by:nimdatx
Yes, my old DC running Win2k3 Standard. My old server is Fileserver. My new DC is Fileserver2, which seems to be ok when I run dcdiag.

C:\Users\nimda>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Fileserver2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FILESERVER2
      Starting test: Connectivity
         ......................... FILESERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FILESERVER2
      Starting test: Advertising
         ......................... FILESERVER2 passed test Advertising
      Starting test: FrsEvent
         ......................... FILESERVER2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... FILESERVER2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... FILESERVER2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... FILESERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... FILESERVER2 passed test KnowsOfRoleHolde
      Starting test: MachineAccount
         ......................... FILESERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... FILESERVER2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... FILESERVER2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... FILESERVER2 passed test ObjectsReplicate
      Starting test: Replications
         ......................... FILESERVER2 passed test Replications
      Starting test: RidManager
         ......................... FILESERVER2 passed test RidManager
      Starting test: Services
         ......................... FILESERVER2 passed test Services
      Starting test: SystemLog
         ......................... FILESERVER2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... FILESERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValida

   Running partition tests on : RAPA
      Starting test: CheckSDRefDom
         ......................... RAPA passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... RAPA passed test CrossRefValidation

   Running enterprise tests on : RAPA.local
      Starting test: LocatorCheck
         ......................... RAPA.local passed test LocatorCheck
      Starting test: Intersite
         ......................... RAPA.local passed test Intersite
0
 
LVL 29

Expert Comment

by:Randy Downs
Does echo %logonserver% point to FILESERVER2 when you log on to her desktop?
0
 
LVL 1

Author Comment

by:nimdatx
I'm sorry, but not sure what you're asking.

FYI: I logged on to my second DC (Fileserver), which used to be my primary DC, and noticed some errors. Bunch of these errors. Now I did have a HD fail last week, so not sure if some things got corrupted. On my new primary DC (Fileserver2) all seems to be working ok. I'm not sure how the old DC affects my new DC. Here are the errors.

Application: Event ID 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event ID 1079
Windows cannot search for Group Policy objects. (Operations Error). Group Policy processing aborted.

Directory Services:
NTDS Replication Event ID: 2108
This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.
 
Object:
CN=DBTF72G1,OU=BO Computers,OU=Business Office,DC=RAPA,DC=local
Object GUID:
bc7cd65c-88d5-4100-8cbc-2e466d9fa71e
Source domain controller:
7b7ffb9e-cc90-4923-acd2-7a54d62b980d._msdcs.RAPA.local

User Action
 
 Please consult KB article 837932, http://support.microsoft.com/?id=837932. A subset of its repair procedures are listed here.
 1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
 2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
 3. The problem may be related to the object's parent on this domain controller. On the source domain controller, move the object to have a different parent.
 4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.   If the error is occurring in an application partition, you can stop the application partition from being hosted on this replica. This may be changed using the ntdsutil.exe command.
 5. Obtain the most recent ntdsutil.exe by installing the latest service pack for your operating system. Prior to booting into Directory Services Restore Mode (DSRM), verify that the DSRM password is known. Otherwise reset it prior to restarting the system.
 6. In DSRM, run the NT CMD prompt, run "ntdsutil files integrity". If corruption is found and other replicas exist, then demote replica and check your hardware. If no replicas are present, restore a system state backup and repeat this verification.
 7. Perform an offline defragmentation using the "ntdsutil files compact" function.
 8. The "ntdsutil semantic database analysis" should also be performed. If errors are found, they may be corrected using the "go fixup" function.  Note that this should not be confused with the database maintenance function called "ESE repair", which should not be used, since it causes data loss for Active Directory Databases.
 
 If none of these actions succeed and the replication error continues, you should demote this domain controller and promote it again.
 
Additional Data
Primary Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.
Secondary Error value:
-1018 JET_errReadVerifyFailure, Checksum error on a database page

Event ID: 1084
Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.
 
Object:
CN=DBTF72G1,OU=BO Computers,OU=Business Office,DC=RAPA,DC=local
Object GUID:
bc7cd65c-88d5-4100-8cbc-2e466d9fa71e
Source domain controller:
7b7ffb9e-cc90-4923-acd2-7a54d62b980d._msdcs.RAPA.local
 
Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.
 
This operation will be tried again at the next scheduled replication.
 
User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).
 
Additional Data
Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.
0
 
LVL 1

Author Comment

by:nimdatx
Some more info.....

C:\Users\nimda>repadmin /replsummary
Replication Summary Start Time: 2011-09-19 13:40:20

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 FILESERVER                45m:18s    0 /   6    0
 FILESERVER2       07d.04h:47m:22s    1 /   9   11  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 VLS-D6DNY8C1          02h:45m:18s    0 /   3    0


Destination DSA     largest delta    fails/total %%   error
 FILESERVER        07d.04h:47m:22s    1 /   6   16  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 FILESERVER2           02h:45m:18s    0 /   9    0
 VLS-D6DNY8C1          02h:54m:05s    0 /   3    0
0
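
Reading the repadmin /replsummary output in the post above: an added example (not part of the original thread) that parses the two tables as pasted, re-joins the console-wrapped error text, and pairs the failing source with the failing destination. The 24-hour threshold and the pairing rule are assumptions made for illustration, and only the column layout shown in the post is handled.

```python
import re
from datetime import timedelta

# Tables copied from the post above; the console hard-wrapped the error text.
SAMPLE = """\
Source DSA          largest delta    fails/total %%   error
 FILESERVER                45m:18s    0 /   6    0
 FILESERVER2       07d.04h:47m:22s    1 /   9   11  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 VLS-D6DNY8C1          02h:45m:18s    0 /   3    0

Destination DSA     largest delta    fails/total %%   error
 FILESERVER        07d.04h:47m:22s    1 /   6   16  (1127) While accessing the h
ard disk, a disk operation failed even after retries.
 FILESERVER2           02h:45m:18s    0 /   9    0
 VLS-D6DNY8C1          02h:54m:05s    0 /   3    0
"""

HEADER = re.compile(r"^(Source|Destination) DSA\b")
ROW = re.compile(r"^\s*(?P<dsa>\S+)\s+(?P<delta>(?:\d+[dhms][.:]?)+)\s+"
                 r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+\d+"
                 r"(?:\s+\((?P<code>\d+)\)\s*(?P<msg>.*))?\s*$")


def parse_delta(text):
    """'07d.04h:47m:22s' -> timedelta(days=7, hours=4, minutes=47, seconds=22)."""
    p = {unit: int(num) for num, unit in re.findall(r"(\d+)([dhms])", text)}
    return timedelta(days=p.get("d", 0), hours=p.get("h", 0),
                     minutes=p.get("m", 0), seconds=p.get("s", 0))


def parse_replsummary(text):
    """Return one dict per table row, re-joining wrapped error messages."""
    rows, role, last = [], None, None
    for line in text.splitlines():
        header, row = HEADER.match(line), ROW.match(line)
        if header:
            role, last = header.group(1).lower(), None
        elif role and row:
            last = {"role": role, "dsa": row["dsa"],
                    "delta": parse_delta(row["delta"]),
                    "fails": int(row["fails"]), "total": int(row["total"]),
                    "code": int(row["code"]) if row["code"] else None,
                    "error": row["msg"] or ""}
            rows.append(last)
        elif last and last["code"] is not None and line.strip():
            last["error"] += line          # continuation of a wrapped message
        else:
            last = None                    # blank line ends any continuation
    return rows


def unhealthy(rows, max_delta=timedelta(hours=24)):
    """Rows with failed links or a delta beyond max_delta (assumed threshold)."""
    return [r for r in rows if r["fails"] or r["delta"] > max_delta]


def suspect_links(rows):
    """Heuristic: failing source + failing destination, same code and delta."""
    bad = unhealthy(rows)
    return [(s["dsa"], d["dsa"]) for s in bad if s["role"] == "source"
            for d in bad if d["role"] == "destination" and s["dsa"] != d["dsa"]
            and (s["code"], s["delta"]) == (d["code"], d["delta"])]
```

On the pasted output, `suspect_links(parse_replsummary(SAMPLE))` points at replication from FILESERVER2 into FILESERVER, which matches the 1084/2108 events logged on Fileserver.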
 
LVL 1

Author Comment

by:nimdatx
FYI - C:\Users\nimda>netdom query fsmo
Schema master               Fileserver2.RAPA.local
Domain naming master        Fileserver2.RAPA.local
PDC                         Fileserver2.RAPA.local
RID pool manager            Fileserver2.RAPA.local
Infrastructure master       Fileserver2.RAPA.local
The command completed successfully.
0
 
LVL 29

Expert Comment

by:Randy Downs
My thinking is that the problem desktop is hitting the DC that you had issues with. If you can logon to the problem desktop as another user you can find your logon server with the above command.

If possible you could even take the other DC offline or demote it.
0
 
LVL 29

Accepted Solution

by:
Randy Downs earned 500 total points
The errors on Fileserver are probably why your one user can't get in. If the DC is either removed or fixed you should be fine.
0
 
LVL 29

Expert Comment

by:Randy Downs
The old DC is not syncing, so changes you make in A/D won't get replicated.

Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.
0
 
LVL 1

Author Comment

by:nimdatx
What command are you referring to? Are you talking about ....echo %logonserver% point to FILESERVER2 when you logon to her desktop?

How would I find out my logon server?
0
 
LVL 29

Expert Comment

by:Randy Downs
Yeah, just use the command line echo %logonserver% to tell you which logon server you used.
0
 
LVL 29

Expert Comment

by:Randy Downs
The procedure above you quoted with the error on Fileserver should get you on the right path.

Just demoting the machine from being a global catalog might get your user on.

1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
 2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
 3. The problem may be related to the object's parent on this domain controller. On the source domain controller, move the object to have a different parent.
 4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.
0
 
LVL 1

Author Comment

by:nimdatx
Not sure where I would uncheck Global Catalog. This picture is from my old DC Server.  

NTDS on old DC
0
 
LVL 29

Expert Comment

by:Randy Downs
The MMC lists both servers so you could uncheck from either. The site you want is the one that the problem desktop logs in with. I assume it's Fileserver since that's where you get errors.

http://technet.microsoft.com/en-us/library/cc782402(WS.10).aspx

To clear the global catalog setting:

1. Open Active Directory Sites and Services.
2. Expand the Sites container, and then expand the site from which you are removing a global catalog server.
3. Expand the Servers container and then expand the Server object for the domain controller that you want to remove as a global catalog server.
4. Right-click the NTDS Settings object for the target server, and then click Properties.
5. If the Global Catalog check box is selected, clear the check box, and then click OK.
0
 
LVL 1

Author Comment

by:nimdatx
Not sure what happened, but I got more calls that users that were mapped to share off the Fileserver (old DC) are now being prompted for their username and password. When they put in username and password it doesn't work. Now some mapped drives worked with my admin account, but then I get this error on other mapped drives:

The network folder specified is currently mapped using a different username and password. To connect using a different user name and password, first disconnect any existing mapping to this network share.

The mapped network drive could not be created because the following error has occurred: Multiple connections to a server or shared resource by the same user using more than one username are not allowed. Disconnect all previous connections to the server or shared resource and try again.
0
 
LVL 29

Expert Comment

by:Randy Downs
Looks like you are going to have to fix Fileserver. I assume #1 is OK. Can you get it to rebuild in #2?

1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
 2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
0
 
LVL 1

Author Comment

by:nimdatx
Yes, let me try. What happened? I need to explain to my boss while I fix.
0
 
LVL 1

Author Comment

by:nimdatx
Ok, I ran #2 and got "Modified" which I believe started the SD propagator. Now please note I connected to old DC (Fileserver). Was I supposed to connect to Fileserver2? Thanks for staying with me.
0
 
LVL 29

Expert Comment

by:Randy Downs
Removing Fileserver from the global catalog meant that the DC no longer validated logins. The clients should fail over to the other DC but it may take some time for them to catch up. Apparently the shares had to have the credentials refreshed (disconnect/connect).

Meanwhile Fileserver hopefully will rebuild and you can add global catalog once again.

We didn't check that the error occurred in the read-only partition but knew Fileserver was creating problems.

 4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.
0
 
LVL 29

Expert Comment

by:Randy Downs
Fileserver was the one with the error. If it was successful add the global catalog back and all should be well.
0
 
LVL 1

Author Comment

by:nimdatx
Is it normal that when I try to map a network drive on the user it asks me for credentials (username/password) and doesn't take it? Why is it doing this still?
0
 
LVL 1

Author Comment

by:nimdatx
When I ran the ldp I didn't get any errors, however I didn't really see any confirmation that it ran successfully. The map drive I'm trying to connect to is on my Fileserver2 and Fileserver, either one works.
0
 
LVL 29

Expert Comment

by:Randy Downs
I would check the logon server to see which Server is causing issues. Perhaps it has settled down by now.
0
