Solved

Cannot Logon to our Server

Posted on 2012-03-28
15
4,575 Views
Last Modified: 2013-12-02
For some reason on our SBS 2011 server I cannot log in to the server, when I'm physically at the computer, with my domain username anymore.

I tried a few accounts and it won't let them either.

But if I log in remotely via my laptop or another computer, I can log in just fine.

This is quite scary, being what happens the network goes down and we can't remote into it anymore.

This is the error message I receive when I try to log in to it when I'm physically at the computer "You cannot log on because the logon method you are using is not allowed on this computer. Please See your network administrator for more information":

You cannot log on because the logon method you are using is not allowed on this computer. Please See your network administrator for more information.
0
Comment
Question by:Pancake_Effect
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
15 Comments
 
LVL 8

Expert Comment

by:PaulD77
ID: 37777963
From Group Policy Object Links list select Default Domain Controller Policy and click on Edit
From Default Domain Controller Policy snap-in in the left pane under Computer Configuration expand Windows Settings.

Expand Security Settings.

Expand Local Policies and from the list select User Rights Assignment.

In the right pane double click on Allow log on locally.

On Allow log on locally Properties box click on Add User or Group button.

On Add User or Group box click on Browse button to open the search window.

In Enter the object name to select list box type the name of the user or group that you want to provide permissions to log on locally to the domain controller and click on Check Names button.

Once verified click on Ok button.
0
 
LVL 10

Expert Comment

by:pclinuxguru
ID: 37777988
-Check your policies in case someone blocked user/groups from logging on locally (saw someone put Everyone in that once).

-Make sure your domain accounts don't have restrictions like time/day and which computers they can log into.

-Make sure users (domain admins or whaever groups you have) are allowed to interactivly login.

-Make sure the account you are using is a domain admin account (servers and DC's generally don't allow Domain Users to log in from the terminal).
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37778474
We don't really have any settings that block users from accessing locally. We have the default settings windows provided. For the heck of it I did what PaulD77 stated and added my IT security group to it, and I'm still getting the message.

I'm a domain admin with the highest privileges, again it's odd I can log in remotely...just not physically when I'm in front of it.

Any other ideas? I mean why would it deny me to log in at the machine...but allow me to log in remotely..usually the problem is vice versa..
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 8

Assisted Solution

by:PaulD77
PaulD77 earned 500 total points
ID: 37778568
Are you loging in with the 'Administrator" account or with your personal username that has admin rights.  If you're part of another security group that doesn't allow local logon, then you won't be able to get in.  

Also, Make sure the "Administrator" account you're trying to use is not a member of remote operators security group.  I've seen this happen when the admin account is part of a security group it shouldn't be.  Before you remove the admin account from remote operators, make sure another user account  hass access to remote in.
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37778571
I double checked our Group Policy settings, we do not have any other conflicting policies in regards to allow logon locally that I can sett by looking at the GP summaries.

To make things even more odd, I did a secpol.msc, and looked at the security policy settings on the server, it didn't show any of my changes in group policy "the IT Staff group" I added. So I did another gpupdate, it didn't change anything. So then I did a gpupdate /force...it then added my IT staff group.

I logged out and logged back in, and the local policies were back! So I did a gpupdate /force again and this time I wasn't lucky, it won't change no matter what I do.

:(
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37778586
Oops just saw you post above me there, I'll give that a try. I'm using my my own domain admin user account.

I am part of the domain admins group, remote operators group, and  I'm also apart of the domain users group.

I personally didn't set any restrictions on my domain for the users in regards to this, with my SBS Server 2003 it worked just fine, this just started all happening after the upgrade to SBS 2011
0
 
LVL 8

Assisted Solution

by:PaulD77
PaulD77 earned 500 total points
ID: 37778626
Yes I had the same issue...SBS2003 to 2011...the Administrator account could log on locally, but not remotely..and whn I got it to log on remotely, I couldn't log on locally.  I just wish i could remember what the security group was I had to remove the Admin account from, once i removed it from that one security group, I was able to log on both locally and remotely and still have total admin rights.  If your account is a member of remote operators, it probably wont let you log on locally, users group wont matter.
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37779027
But as IT, I need to remote on both physically and remotely, so wouldn't taking me out of the remote operators group take that privileged away from me?
0
 
LVL 8

Assisted Solution

by:PaulD77
PaulD77 earned 500 total points
ID: 37779081
If the actual Administrator account can log on both remotely and local, then remove your account from remote operators security group.  The account does not have to be in remote operators in order to use RDP
0
 
LVL 4

Author Comment

by:Pancake_Effect
ID: 37779443
I removed myself from the group, I still can't log on physically there, I can still logon remotely though :\
0
 
LVL 8

Accepted Solution

by:
PaulD77 earned 500 total points
ID: 37779487
Are you a member of any groups that are members of remote operaters?  Also, did you verify the administrator account it elf can login remotely and locally?  If so verify what groups the admin acct is a member of and if there is a group you're in that the admin acct isn't..that's the group to remove yourself from
0
 
LVL 21

Expert Comment

by:motnahp00
ID: 37779640
Go to dsa.msc -> your account -> Account tab --> Log On To... -> Make sure All Computers is checked
0
 
LVL 4

Author Closing Comment

by:Pancake_Effect
ID: 37784010
PaulD77 that did it! I was going through each and every group, I found that Domain Admins and Power Users had the Remote Operators group in it. So future readers, beware of the remote operators group! Thanks for the help everyone
0
 
LVL 8

Expert Comment

by:PaulD77
ID: 37784041
great!
0
 

Expert Comment

by:Jharrisonsnbs
ID: 39609739
I know this thread was closed a while ago, but I was having the exact same issue and my fix was the same as Pancake_Effect's. I had to remove the remote operators from the administrator account in ADUC. I also had to change the GPO for default domain controllers to allow log on locally for Domain Admins. I then had to open the Remote Operators security group and remove Domain Admins from the Members tab. After that. I was able to log into the DC. This thread was extremely helpful!!!
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've often see, or have been asked, the question about the difference between the Exchange 2010 SP1 version, available as part of Small Business Server (SBS) 2011, and the “normal” Exchange 2010 SP1 Standard. The answer to the question is relativ…
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found listed in my profile here: http:…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question