Solved

cannot logon because logon method is not allowed win 7

Posted on 2014-02-04
1,259 Views
Last Modified: 2014-02-12
hi, I am currently running a win 2003 local domain via an isa 2006 firewall & xp clients successfully - I need some advice on a specific couple of issues below.

important: I never ever normally re-order the precedence list, ie 1, 2, 3 etc - so maybe this is why I have always had issues, messing around troubleshooting and not knowing what I did, thinking that gpupdate or gpupdate /force or gpupdate /sync resolves all - but now I think I realise no!!!

I am planning on upgrading to win 2008, but I wish to resolve some of my own learning curve nightmare issues due to lack of understanding and sometimes trial and error troubleshooting, as described below. - I have read things but am not quite understanding, as practical tests are not following the expected procedure unless I have things back to front.

note: I never configure the 'default domain policy' & leave it at the default settings - instead I do the below:

note: when I logged onto each domain member server, they did not receive the 'proxy' details and had no internet access - so I 'created & linked the default dc policy' as per the screenshot & set precedence for: default dc policy

- after carrying out the above step, all domain member servers received the 'proxy' details and internet access was successful

I have also joined a win 7 laptop to the domain with a roaming profile, and 'folder redirection' is successful as per the event viewer.

issues I have below:

1. when I try and access the internet it does not receive the 'proxy internet' settings via 'internet options'.

2. when I run the internet explorer diagnostics - it states that dns is not detected/not responding, even though my master dc/ad/dns/dhcp/gpo server does not show any errors in the event viewer & the dhcp has allocated a dynamic address as expected. I have also cross-checked the ip address on the win 7 laptop and it matches the dhcp address allocated.

random changes below:

the only thing I have done is add the 'default dc policy' directly above the 'default domain policy' - as per the screenshot.

I have been playing around with the gpo order of preference via the following:

- linked group policy objects
- group policy inheritance

as they are numbered 1, 2, 3 etc I'm not really understanding what this does, although I assume precedence order 1 will take priority, or if added to the bottom, ie 3, 2, 1, then precedence 1 still takes priority instead of 3.

note: the issue I have now is when I logon via my win 7 laptop it now states:

"you cannot logon because the logon method you are using is not allowed on this computer"

normally when I create gpos, I leave the 'computer config & user config' in the same gpo - but I was advised to separate them, so I did, for example as per the screenshot attached.

fileserver
- fileserver - gpo
- fileuser - gpo - only domain admin logs on

question 1. can anyone advise on whether changing the precedence order decides if the servers or pcs receive their specifically configured gpo or not?

question 2. all my machines are ok, except for my win 7 laptop, so please help?
default-dc-gpo.docx
win7gpo.docx
Question by:mikey250
31 Comments
 
LVL 35

Accepted Solution

by:Mahesh
Mahesh earned 500 total points
1st of all, remove \ unlink the default domain controller policy linked to the domain.
Then run gpupdate /force /sync on the domain controller followed by a reboot.
This step needs to be done for all domain controllers in the given domain.

Note that the Default domain controller policy is a Domain controller specific policy and should not \ never be applied at domain level.
Applying domain controller policies at domain level will simply create malfunctions and unnecessary results.

Once you remove that, hopefully your problem will get resolved.

GPO preference order:
When you apply multiple GPOs to a single OU, the higher the GPO link order, the lower the preference. It means the last GPO in the list will apply 1st and the 1st GPO in the list will apply last, so if there is any setting conflict between the 3rd GPO and the 1st GPO in the link order, the 1st GPO settings will override the 3rd GPO, as the 1st GPO is applied last (after the 3rd GPO).

Hope that helps

What settings do you have in the win7 GPOs? If you could post them here we can help further.

Mahesh

Author Comment

by:mikey250
hi mahesh, the screenshots are attached to the main thread.

just to clarify the below comments:

"note that the default domain controller policy is a domain controller specific policy and should not \ never be applied at domain level.
applying domain controller policies at domain level will simply create malfunctions and unnecessary results."

- normally I do not edit the built-in gpo for 'default domain policy'.

- normally I edit the 'default domain controller policy' and configure settings there - do you mean I should never configure anything in the 'default domain controller policy' and should configure the gpo for the single domain in the 'default domain policy'?
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
Sorry, I had not checked the complete screenshots earlier.

Those win7 GPOs look OK, and their link order as well.

Still, I stand by my earlier comment.

If you want to force the proxy on all servers \ computers, you can create a new policy with the required proxy settings and add it at domain level.
Right-click on the new policy and select Enforce.
Now the policy should apply to all servers, domain controllers and computers regardless of link order.
Just run gpupdate /force on the domain controller once.

Mahesh

Author Comment

by:mikey250
hi mahesh,

just to clarify the below comments:

"note that the default domain controller policy is a domain controller specific policy and should not \ never be applied at domain level.
applying domain controller policies at domain level will simply create malfunctions and unnecessary results."

- normally I do not edit the built-in gpo for 'default domain policy'. - I do know that if I configure the proxy ((here)) it sets the proxy on all domain member servers & client machines....but eventually I only do it as a test to confirm internet access, and wish to add & remove internet access specific to host xp or win 7 in a separate gpo - that is where I get confused.

- normally I edit the 'default domain controller policy' and configure specifically, as per the screenshots, only the below & also the same on all multiple ou's for the fileprintserver, wsus1, isa2006 domain member servers (as a basic):

settings there - do you mean I should never configure anything in the 'default domain controller policy' and should configure the gpo for the single domain in the 'default domain policy'?

Author Comment

by:mikey250
step 1

- 1st of all, remove \ unlink the default domain controller policy linked to the domain.

- then run gpupdate /force /sync on the domain controller followed by a reboot.

tasks completed below:

itsolutions.local
default domain controller policy - deleted
default domain policy - left by default

logged on to each domain member server & restarted each machine - done

step 2

will open:

itsolutions.local
default domain policy - will add user config: proxy details - & confirm all servers have internet access.

question 1. "applying domain controller policies at domain level will simply create malfunctions and unnecessary results." - why malfunction? surely that's how I configure a single domain controller if I wish, rather than have widespread gpo configurations via 'default domain policy'?
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
yes, you are right,

Your comment:
why malfunction? surely that's how I configure a single domain controller if I wish, rather than have widespread gpo configurations via 'default domain policy'?

Domain Controller policies are actually security policies and they are designed for domain controllers only.
If you apply those policies at domain level, it will try to impose its security settings on every user \ computer and server in the domain, which obviously breaks something, simply because all other server roles \ servers are acting as a client and the DC server role is acting as master.

That is why I suggested you unlink that GPO from domain level and create new GPOs as required and apply them at domain level.

If you want to modify Domain controller specific policies, you can do that with the default DC policy, or you could create a new policy with the required settings and apply it to the domain controllers OU.

Policies applied to the domain controllers OU will affect all DCs in the domain.
Policies applied at domain level will affect all users, computers, servers and DCs in the domain.

Mahesh

Author Comment

by:mikey250
hi,

when you say 'domain level' I keep wondering, do you mean:

- default domain policy
or
- default domain controller policy

domain controller policies are actually security policies and they are designed for domain controllers only.

- yes I know, but as I only have (1 domain controller) I only configure it for 'windows updates & slow network 0 (meaning fast)', plugged into a local cisco2950 switch.

I have now removed the 'internet/proxy settings' from the following, meaning there are no internet/proxy settings configured via any gpo at all.

note: only my isa 2006 firewall policy is configured for internet access, but surely if the proxy is removed from all gpo's so there are (none) then surely internet access should fail...?

master dc

- default domain policy - proxy settings removed
- gpo xp - proxy settings removed

ran: gpupdate /force
restarted master dc
logged back on

xp desktop:

logged on as a normal domain user & did not run: gpupdate /force
restarted
logged back on
proxy details visually still there & I can still access the internet - why?

Author Comment

by:mikey250
I have rebooted all machines multiple times & run: gpupdate & gpupdate /force /sync.

as I have removed all traces of internet/proxy access on all servers & machines, I can still logon to my xp desktop and still browse the internet.

- I can however manually remove the internet/proxy settings that are left, and then there is no internet access, but that does not make sense, as I assumed that after removing the gpo internet proxy settings they would auto remove from each server & xp, but they do not...!

the only thing I can think of is that my isa2006 firewall is still configured for internet access, but I assumed the control was through the gpo

I have now set the following to enforced:

- isa 2006 firewall
- xp

this still does not make a difference.
I am completely confused now.
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
Domain level means policies applied to domain.com (your domain) (default domain policy).

Have you removed the default domain controller policy from domain level (you have to)?

Now, do you want to remove the proxy settings?

Please note that once proxy settings are applied to machines they will not be removed automatically even if you remove the policy.
In order to remove the proxy settings, just go to the default domain policy and configure an empty policy there.
It means, enable the proxy setting checkbox but keep the Proxy server IP and port empty.
Run gpupdate /force on the domain controller.
Now the next time a user logs on they will get empty proxy settings and they cannot access the internet.
Is that what you want?

Mahesh

Author Comment

by:mikey250
morning, yes I removed it, as per yesterday's comments shown below:

- 1st of all, remove \ unlink the default domain controller policy linked to the domain.

- then run gpupdate /force /sync on the domain controller followed by a reboot.

tasks completed below:

itsolutions.local
default domain controller policy - deleted
default domain policy - left by default

---------------------------------------

"please note that once proxy settings are applied to machines they will not be removed automatically even if you remove the policy" - ok, but why?

"in order to remove the proxy settings, just go to the default domain policy and configure an empty policy there." - yes, done yesterday by resetting the browser back to default, ie none

"now the next time a user logs on they will get empty proxy settings and they cannot access the internet."

Is that what you want?

- yes, the internet proxy details have now been removed. I did not realise I had to configure it as 'blank' in order for it to be removed.

Author Comment

by:mikey250
hi mahesh, now that the internet/proxy details have been removed, I would like to move on to part of my other query in the main thread as below:

question 1. can you advise on the below?

I have been playing around with the gpo order of preference via the following:

- linked group policy objects
- group policy inheritance

as they are numbered 1, 2, 3 etc I'm not really understanding what this does, although I assume precedence order 1 will take priority, or if added to the bottom, ie 3, 2, 1, then precedence 1 still takes priority instead of 3.
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
When a client computer logs on to the domain, 1st its own local policy gets applied.
Then the Site level policy gets applied, if you have one.
Then the domain level policy gets applied.
Then OU level policies get applied.
When you apply multiple GPOs to a single OU, the higher the GPO link order, the lower the preference. It means the last GPO, at no. 3 in the list, will apply 1st and the 1st GPO in the list will apply last, so if there is any setting conflict between the 3rd GPO and the 1st GPO in the link order, the 1st GPO settings will override the 3rd GPO, as the 1st GPO is applied last (after the 3rd GPO).
In short, on either tab, "linked GPO" or GPO inheritance: the higher the link order, the lower the priority.

The up-level policies (i.e. policies applied at domain level and site level) can be viewed in the inheritance tab.

Mahesh

Author Comment

by:mikey250
hi,

just to remind you, I have multiple 'ou & groups' as per the main screenshot.

for example if I select:

ou - fileprinter server (all domain member servers are exactly as below)

link order tab - precedence order:

fileserver - 1 - highest priority
fileusers - 2 - lowest priority

gpo inheritance tab - precedence order:

fileserver - 1 - highest priority
fileusers - 2 - 2nd lowest priority
default domain policy - 3 - lowest priority


----------------------------------------------

ou - windows7users (win 7 & xp are exactly as below)

linked order tab - precedence order:

win7pc - 1 - highest priority
win7user - 2 - lowest priority

gpo inheritance tab - precedence order:

win7pc - 1 - highest priority
win7user - 2 - 2nd lowest priority
default domain - 3 - lowest priority
LVL 35

Expert Comment

by:Mahesh
That's right

Mahesh

Author Comment

by:mikey250
hi, I wanted to correct win 7 & laptop as below, so ignore the previous and look at the below, as surely the gpo inheritance would be (win7users 1st) so that the internet proxy settings take effect?

ou - windows7users (win 7 & xp are exactly as below)

linked order tab - precedence order:

win7users - 1 - highest priority
win7pc - 2 - lowest priority

gpo inheritance tab - precedence order:

win7users - 1 - highest priority
win7pc - 2 - 2nd lowest priority
default domain - 3 - lowest priority
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
The GPO which suffices your requirement needs to be at No.1 in the link order.

Also, if you look in detail, you will come to know that you can't change the GPO inheritance order.

If you want to disable GPO inheritance, you need to select that OU in GPMC, right-click and select "Block Inheritance".
This will ensure that only policies applied to that OU will get applied and up-level domain policies will get blocked.

Mahesh

Author Comment

by:mikey250
hi mahesh,

you say:

"also, if you look in detail, you will come to know that you can't change the gpo inheritance order."

- I slightly disagree, because if I click on: linked group policy objects I can change the precedence order & in turn then access 'group policy inheritance' and switch the 1 or bottom number around.


"if you want to disable gpo inheritance, you need to select that ou in gpmc, right-click and select "block inheritance."

- yes, I can see, as I have now resolved the 'xp - internet/proxy' issue with your advice!!!! and now I can see how the precedence order works, so now I can appreciate the 'block inheritance'.

"this will ensure that only policies applied to that OU will get applied and up-level domain policies will get blocked"

- ok

--------------------------------------------------

note the following below:

xpusers
xp-pc

but in 'xpusers' - I have only configured the 'user config' for:

- folder redirection
- internet/proxy
- interval updates

but in 'xp-pc' - I have only configured the 'computer config' for:

- windows updates
- specify intranet microsoft update service location
- windows update frequency
- enable client-side targeting

so if the link order is as below:

linked group policy objects tab

xpusers - 1
xp-pc - 2

group policy inheritance tab

precedence order

xpusers - 1
xp-pc - 2
default domain policy - 3

question 1. my question then is, if 'xpusers - 1' is the highest priority, how does 'xp-pc - 2' also integrate the following into the ou/gpo?

- windows updates
- windows update frequency
- set intranet ms update service location

I can only assume the xp - ou/gpo integrates the following:

- default domain policy 3 - as it is the lowest priority it is absorbed 1st

- xp-pc - 2 - as it takes 2nd priority this is then absorbed 2nd

- xp-users - 1 - as it takes 1st priority this is absorbed 3rd, but is actually the highest priority, so this ensures the 'user config' is also added, ie:

internet/proxy - for example?
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
You can move the GPOs linked to an OU up \ down, and that will be reflected in GPO inheritance, but you cannot change the order of domain level policies \ up-level policies in the GPO inheritance tab.
For that, Block inheritance is there.

You are right.

The Computer configuration GPO is applied to computers (xp-pc - 2) and the user configuration GPO is applied to users (xpusers - 1), so there is no question of precedence there in reality.

The policy listed last in the link order will apply 1st and the policy listed 1st in the link order will apply last.

Precedence really comes into the picture when you have multiple policies applied to an OU and there are conflicting settings.
In that case the 1st policy in the list will apply last and always takes precedence over all policies, and it overrides those earlier policy settings as it is applied last.

Mahesh

Author Comment

by:mikey250
hi again, one thing that has always confused me.

question 1. when I edit each gpo I access them directly below the:

domainname.local

but when I view below I see a folder called:

group policy objects - & in this folder it lists all gpo's, where they can also be edited

question 1. should I edit each gpo directly below the 'domainname.local' or via 'group policy objects'?
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
No matter from where you edit the GPO, it is stored under the Sysvol folder only.
Hence it makes no difference.

The Group Policy Objects container is the one where you can locate all GPOs at one glance.
When you check each OU or the domain, there you come to know which GPO has been linked to that OU, domain level etc., which is not possible through the Group Policy Objects container.

Mahesh

Author Comment

by:mikey250
morning mahesh, I have one last question, then this thread is definitely closed.


question 1. I have created the following for the domain member servers, but as I am only logging on with the 'domain administrator account', should I remove the following for 'user config'?

domainname.local

domain controller
- default domain controller policy

computer config:
- fileserver

user config:
- fileusers - shall I remove?

computer config:
- isa2006server

user config:
- isa2006users - shall I remove?

computer config:
- wsusserver

user config:
- wsususer - shall I remove?

I will close and allocate points now, and thanks for your patience and advice! appreciated.
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
user config:
- fileusers - shall I remove?

user config:
- isa2006users - shall I remove?

user config:
- wsususer - shall I remove?

Do the above policies contain proxy settings, or what?

If you have added proxy settings in any domain level policies, and the above policies contain only proxy settings, then you can remove those policy settings.

Mahesh

Author Comment

by:mikey250
morning, when you gave me advice yesterday I did add the 'internet/proxy' details to each domain member server to ensure I could receive internet access, which was successful, but most importantly removed them, as you advised: I should enable the 'internet/proxy' settings but leave them blank.

so when I ran: gpupdate /force on the dc, and rebooted and then logged onto the domain member servers, the internet/proxy details were also removed and no internet access was allowed. so that solved my problem.

- as a result of the above, I have currently now removed the 'internet/proxy' details, so the domain member servers do not require internet access, hence my question about removing the 'domain member servers - user config' as nothing else is configured...

and as I am using the domain admin account and this has automatic privilege to logon anyway, I just assumed that 'user config' was able to be removed.......

unless I wanted the domain member servers to have internet access..other than that, I don't know of anything else that the 'user config' is required to keep..

 - unless you know, then please let me know?
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
OK

But I still don't know what settings you have in
user config:
- fileusers

user config:
- isa2006users

user config:
- wsususer

That is why I cannot tell you if those settings need to be retained or not.

As already stated earlier, whatever settings you configure in domain level policies will propagate to all objects.

In that case you don't require separate OU level policies for the same settings.
Now you can decide the next step, hopefully.

Mahesh

Author Comment

by:mikey250
morning Mahesh,

all my domain member servers only 'had internet/proxy' configured via:

user config: - after confirming 'internet/proxy' was successful - I then removed it. so there is no current use for: user config as far as I know.

if I wish to force 'internet/proxy' via whole domain, due to your advice I will access:

itsolutions.local
default domain policy - enable internet/proxy here or create and link a new gpo - as you advised. - I have tested this and yes it is successful, but it is now removed.

I have created an 'ou' for each domain member server so they are completely separate. each server: computer config: is identical.

note: one thing that I don't quite understand is when 'not to or to use - enforced'?

otherwise all your advice is good.
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
Ok, fine.
Thanks for the confirmation.

When you set any GPO to enforced it will be forcefully applied at the level where you applied it (Domain level \ OU level) and all sub levels (i.e. sub OU \ sub sub OU levels) also, and the settings in that policy cannot be overwritten by any down-level policies.
Even if you set "Block inheritance" on any OU, it cannot block the above enforced policy from applying.

Example:
You have set a screen saver \ wallpaper in one domain level policy so that it will apply to all users in the domain.
You created a new OU, and on that OU you have now created and applied a new GPO with a different screen saver \ wallpaper.
Guess what happens now: users in that OU will get the new screen saver \ wallpaper from the new policy, because the OU level policy will override the domain level policy, because on client computers the domain level policy is applied 1st and later on the OU level policy gets applied; obviously users will get the new screen saver from the new policy.

But now if you set the domain level screen saver policy to enforced, then at the next login your users will get the old screen saver from the domain level policy, because that policy is set to enforced and it cannot be overwritten by down-level (OU) level policies.

Hope that helps

Mahesh
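The processing order Mahesh lays out across his replies (local, site, domain, OU; inside one container the highest link-order number applies first and link order 1 last; Block Inheritance dropping the non-enforced policies above an OU; an Enforced link applied last and not blockable) can be checked with a small model. The following is an added example, not Mahesh's code and not a Windows API: a constructed Python simulation of those rules. The container names, GPO names and setting values (including the proxy and WSUS addresses) are made up for illustration and only loosely mirror the OUs and GPOs named in this thread.

```python
# Added example (not from the thread): a constructed model of Group Policy
# precedence. It is not a Windows API; names and values are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    # setting -> value; a setting that is absent counts as "Not Configured"
    settings: Dict[str, str]


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False


@dataclass
class Container:
    """A site, the domain or an OU. links[0] is link order 1, links[1] is link order 2, ..."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def resolve(chain: List[Container],
            local: Optional[Dict[str, str]] = None) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective settings, GPO names in the order they were applied).

    chain runs from the outermost container to the one holding the object,
    e.g. [site, domain, ou]. Rules modelled, following the thread:
      * local policy, then site, domain, OU (LSDOU); whatever applies later wins
      * inside one container the highest link-order number applies first and
        link order 1 applies last, so link order 1 wins a conflict
      * Block Inheritance on a container drops every non-enforced link from the
        containers above it (its own links still apply)
      * Enforced links are applied after all normal links; an enforced link from
        a higher container is applied after one from a lower container, so the
        higher one wins, and Block Inheritance cannot stop it
    """
    effective: Dict[str, str] = dict(local or {})
    applied: List[str] = []

    # depth of the innermost container that blocks inheritance (0 = nothing blocked)
    blocked_above = 0
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            blocked_above = depth

    normal: List[Link] = []
    enforced: List[Tuple[int, Link]] = []
    for depth, container in enumerate(chain):
        for link in reversed(container.links):  # highest link-order number first
            if link.enforced:
                enforced.append((depth, link))
            elif depth >= blocked_above:
                normal.append(link)

    # enforced: innermost first, outermost last; the sort is stable, so the
    # reversed link order inside each container is kept
    enforced.sort(key=lambda item: -item[0])

    for link in normal + [link for _, link in enforced]:
        effective.update(link.gpo.settings)  # a later GPO overrides an earlier one
        applied.append(link.gpo.name)
    return effective, applied


def demo_link_order() -> Tuple[str, List[str]]:
    """Two GPOs on one OU with a conflicting value: link order 1 applies last and wins."""
    ou = Container("windows7users", [
        Link(GPO("win7users", {"screensaver_timeout": "600"})),  # link order 1
        Link(GPO("win7pc", {"screensaver_timeout": "900"})),     # link order 2
    ])
    effective, applied = resolve([ou])
    return effective["screensaver_timeout"], applied


def demo_enforced(domain_enforced: bool) -> str:
    """Mahesh's wallpaper example: the OU policy wins unless the domain link is Enforced."""
    domain = Container("itsolutions.local", [
        Link(GPO("default domain policy", {"wallpaper": "corporate.bmp"}),
             enforced=domain_enforced),
    ])
    ou = Container("windows7users", [Link(GPO("win7users", {"wallpaper": "team.bmp"}))])
    effective, _ = resolve([domain, ou])
    return effective["wallpaper"]


def demo_block_inheritance(domain_enforced: bool) -> Dict[str, str]:
    """Block Inheritance on the OU drops the domain's proxy unless that link is Enforced."""
    domain = Container("itsolutions.local", [
        Link(GPO("default domain policy", {"proxy": "proxy.example.test:8080"}),  # made-up
             enforced=domain_enforced),
    ])
    ou = Container("fileprintserver",
                   [Link(GPO("fileserver", {"wsus_server": "http://wsus1.example.test"}))],  # made-up
                   block_inheritance=True)
    effective, _ = resolve([domain, ou])
    return effective


if __name__ == "__main__":
    print("link order:", demo_link_order())
    print("wallpaper, domain not enforced:", demo_enforced(False))
    print("wallpaper, domain enforced:", demo_enforced(True))
    print("blocked OU, domain not enforced:", demo_block_inheritance(False))
    print("blocked OU, domain enforced:", demo_block_inheritance(True))
```

Running the script shows the three behaviours side by side: on one OU the GPO at link order 1 wins the conflict because it is applied last; the OU wallpaper beats the domain wallpaper until the domain link is Enforced; and Block Inheritance keeps the domain proxy out of the OU unless that domain link is Enforced. The model deliberately treats a setting the GPO does not mention as "Not Configured", which is also why, as Mahesh notes above, removing a policy does not by itself remove a value that was already written to the client.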

Author Comment

by:mikey250
hi Mahesh, thanks for that clarity on the 'enforced'. I think I will select 'enforce' on each and every one of my multiple ou's, even though they are part of the same single domain.

if I then wished to take control of the whole domain, at least I can access the 'default domain policy' and overrule by precedence the 'internet/proxy' for example, which will force the 'enforced multiple ous' to use different 'internet/proxy' details - if I wish, even if each 'multiple ou/group' has been 'enforced'.

for example - so thanks for that clarity.

Author Closing Comment

by:mikey250
sound advice!
LVL 35

Expert Comment

by:Mahesh
Normally you would set global policies at the top level (i.e. domain level) to enforced only if required, so that if individual OU policies try to overwrite global policies, they will not be able to do that.

Do not enforce OU level policies if the same setting with different parameters is enforced through global policies.
It will create unnecessary conflicts and then it will be very difficult to troubleshoot and resolve issues.

Try to keep the GPO structure as simple as possible to avoid complications.

Use the "Enforce" and "block inheritance" settings only if absolutely required.

Mahesh

Author Comment

by:mikey250
ok, so do not 'enforce' on multiple ou's if 'policies are of the same setting' & just keep it as simple as possible.
LVL 35

Expert Comment

by:Mahesh
Ya, that's right
Thanks

Mahesh