Solved

Cannot Logon to our Server

Posted on 2012-03-28
15
4,433 Views
Last Modified: 2013-12-02
For some reason on our SBS 2011 server I cannot log in to the server, when I'm physically at the computer, with my domain username anymore.

I tried a few accounts and it won't let them either.

But if I log in remotely via my laptop or another computer, I can log in just fine.

This is quite scary, being what happens the network goes down and we can't remote into it anymore.

This is the error message I receive when I try to log in to it when I'm physically at the computer "You cannot log on because the logon method you are using is not allowed on this computer. Please See your network administrator for more information":

You cannot log on because the logon method you are using is not allowed on this computer. Please See your network administrator for more information.
0
Comment
Question by:Pancake_Effect
15 Comments
 
LVL 8

Expert Comment

by:PaulD77
ID: 37777963
From Group Policy Object Links list select Default Domain Controller Policy and click on Edit
From Default Domain Controller Policy snap-in in the left pane under Computer Configuration expand Windows Settings.

Expand Security Settings.

Expand Local Policies and from the list select User Rights Assignment.

In the right pane double click on Allow log on locally.

On Allow log on locally Properties box click on Add User or Group button.

On Add User or Group box click on Browse button to open the search window.

In Enter the object name to select list box type the name of the user or group that you want to provide permissions to log on locally to the domain controller and click on Check Names button.

Once verified click on Ok button.
0
 
LVL 10

Expert Comment

by:pclinuxguru
ID: 37777988
-Check your policies in case someone blocked user/groups from logging on locally (saw someone put Everyone in that once).

-Make sure your domain accounts don't have restrictions like time/day and which computers they can log into.

-Make sure users (domain admins or whaever groups you have) are allowed to interactivly login.

-Make sure the account you are using is a domain admin account (servers and DC's generally don't allow Domain Users to log in from the terminal).
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37778474
We don't really have any settings that block users from accessing locally. We have the default settings windows provided. For the heck of it I did what PaulD77 stated and added my IT security group to it, and I'm still getting the message.

I'm a domain admin with the highest privileges, again it's odd I can log in remotely...just not physically when I'm in front of it.

Any other ideas? I mean why would it deny me to log in at the machine...but allow me to log in remotely..usually the problem is vice versa..
0
 
LVL 8

Assisted Solution

by:PaulD77
PaulD77 earned 500 total points
ID: 37778568
Are you loging in with the 'Administrator" account or with your personal username that has admin rights.  If you're part of another security group that doesn't allow local logon, then you won't be able to get in.  

Also, Make sure the "Administrator" account you're trying to use is not a member of remote operators security group.  I've seen this happen when the admin account is part of a security group it shouldn't be.  Before you remove the admin account from remote operators, make sure another user account  hass access to remote in.
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37778571
I double checked our Group Policy settings, we do not have any other conflicting policies in regards to allow logon locally that I can sett by looking at the GP summaries.

To make things even more odd, I did a secpol.msc, and looked at the security policy settings on the server, it didn't show any of my changes in group policy "the IT Staff group" I added. So I did another gpupdate, it didn't change anything. So then I did a gpupdate /force...it then added my IT staff group.

I logged out and logged back in, and the local policies were back! So I did a gpupdate /force again and this time I wasn't lucky, it won't change no matter what I do.

:(
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37778586
Oops just saw you post above me there, I'll give that a try. I'm using my my own domain admin user account.

I am part of the domain admins group, remote operators group, and  I'm also apart of the domain users group.

I personally didn't set any restrictions on my domain for the users in regards to this, with my SBS Server 2003 it worked just fine, this just started all happening after the upgrade to SBS 2011
0
 
LVL 8

Assisted Solution

by:PaulD77
PaulD77 earned 500 total points
ID: 37778626
Yes I had the same issue...SBS2003 to 2011...the Administrator account could log on locally, but not remotely..and whn I got it to log on remotely, I couldn't log on locally.  I just wish i could remember what the security group was I had to remove the Admin account from, once i removed it from that one security group, I was able to log on both locally and remotely and still have total admin rights.  If your account is a member of remote operators, it probably wont let you log on locally, users group wont matter.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37779027
But as IT, I need to remote on both physically and remotely, so wouldn't taking me out of the remote operators group take that privileged away from me?
0
 
LVL 8

Assisted Solution

by:PaulD77
PaulD77 earned 500 total points
ID: 37779081
If the actual Administrator account can log on both remotely and local, then remove your account from remote operators security group.  The account does not have to be in remote operators in order to use RDP
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37779443
I removed myself from the group, I still can't log on physically there, I can still logon remotely though :\
0
 
LVL 8

Accepted Solution

by:
PaulD77 earned 500 total points
ID: 37779487
Are you a member of any groups that are members of remote operaters?  Also, did you verify the administrator account it elf can login remotely and locally?  If so verify what groups the admin acct is a member of and if there is a group you're in that the admin acct isn't..that's the group to remove yourself from
0
 
LVL 21

Expert Comment

by:motnahp00
ID: 37779640
Go to dsa.msc -> your account -> Account tab --> Log On To... -> Make sure All Computers is checked
0
 
LVL 4

Author Closing Comment

by:Pancake_Effect
ID: 37784010
PaulD77 that did it! I was going through each and every group, I found that Domain Admins and Power Users had the Remote Operators group in it. So future readers, beware of the remote operators group! Thanks for the help everyone
0
 
LVL 8

Expert Comment

by:PaulD77
ID: 37784041
great!
0
 

Expert Comment

by:Jharrisonsnbs
ID: 39609739
I know this thread was closed a while ago, but I was having the exact same issue and my fix was the same as Pancake_Effect's. I had to remove the remote operators from the administrator account in ADUC. I also had to change the GPO for default domain controllers to allow log on locally for Domain Admins. I then had to open the Remote Operators security group and remove Domain Admins from the Members tab. After that. I was able to log into the DC. This thread was extremely helpful!!!
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now