Users cannot log on to their computers because the security log is full
Posted on 2011-09-23
Today I faced a weird problem with a client's Active Directory network. Because of a problem with replication, all SYSVOL content was deleted. After that, all policies stopped being applied at the computers. This was expected. What was unexpected was the fact that no one could log in to their computers because of the following error:
The security log on this system is full
The error appears as a message box before the user logon input. Users are not members of local admins, so they can't log on at all.
There is no GPO that enforces log configuration at the computers for retention or rotation at all. The only configuration we have in the domain is that the Default Domain Policy sets some audit policies (success and failure for most events).
It's a fact that we are logging a lot of events at the computers (many of them I know are useless; we will fix it soon). The security logs at the computers might be full or very close to their storage capacity. But we can't have it as the root cause of the problem, since when the domain policies were fixed, the error message went away, users can log in, and the security log keeps being filled up.
What is worse is that many users tried to log on this morning at the company's network with their laptops. As they couldn't log on, because of the security log error, they went back home and tried to work through VPN. Unfortunately, when they started their laptops, the error message appeared again and didn't let them log in to the computer.
These outside users came with a problem that we couldn't solve. They don't have local admin rights and we couldn't log on to their computers with our domain admin credentials because they were working from home. If someone asks "why didn't we give the local admin's password to these users and instruct them to log on locally and fix the problem?": because we are not allowed to do that. All computers in the domain share the same local admin password. If we give it to one user, we have to change it all over the domain, which spans 3 different countries.
Does anyone have any idea why this problem happened? In other words, if a GPO fails to be applied at the computer level, the security log issue doesn't let users log on.