Active directory User "log on to" probem

Posted on 2014-08-06
Medium Priority
Last Modified: 2014-08-14

I have an interesting issue with a new 100 seat site we've taken over. The problem is when new users are created in AD under properties/account/log on to   its always set to "THE FOLLOWING COMPUTERS"
This prevents the user from logging into thin clients & some other machines, Now i can change this option to "ALL COMPUTERS" but this option seems to change back over night....
I cannot see any GPO's settings that could make this change back? Any suggestions would be helpful
I might also mention some admin accounts when newly created cannot log in to some computers also, but when left for a week or two they seem to come right.

Question by:Belton IT
LVL 26

Expert Comment

by:Sekar Chinnakannu
ID: 40245314
You can get the settings under Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment. Using this option you can create a policy and set allow\deny logon to computers
LVL 12

Expert Comment

ID: 40245454

This could be because of a script running as part of a scheduled task which is running every day at night. This script could be populating the computer accounts for all user account in the organization or in a particular OU.

You could try moving user accounts to a different OU to see if it is affecting users in an OU. But this would require all user settings be moved to the new OU, like the GPOs.

Also, you could search for Scheduled Tasks configured on Domain Controllers or Management Workstations.

Another option would be to enable Auditing for the AD Accounts in order to find which account is making modifications to user accounts.
LVL 58

Expert Comment

ID: 40245542
yes, correct, audit account management to see what process that is. It will be a scheduled task for sure, so you could also list all tasks on the DCs and see which of those run after hours and find it.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Author Comment

by:Belton IT
ID: 40252257
@ Sekar Chinnakannu   i have tried this but was a 50/50 shot.

Seems its something changing AD.  What the best proccess to audit account management to see what process that is?
Currently have 3 domain controllers one which is old 2008 standard and two new 2012 R2. Below are all the schedule task setup.

2008 DC
No tasks have been created on the new domain controllers.
I did notice that it must change between 3am-7am
LVL 12

Accepted Solution

SreRaj earned 2000 total points
ID: 40252824
To audit Account Management, you should first enable the audit setting in Default Domain Controller Policy.

This can be done from a Domain Controller with the help of Group Policy Management Console.
Open GPMC from Administrative Tools -> Group Policy Management
Then Go To Domain Root -> Domain Controllers OU -> Default Domain Controller Policy.

Right click on the Default Domain Controller Policy and select Edit

In the GP Editor, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

Select Audit Account Management and enable Policy Setting for Success.

Once the Audit Policy is configured, account management events will be logged in Security Log of Domain Controllers. You could check for Event ID 4738, which is the event for successful user modification. You may have to increase the size of Security Log file as it may get overwritten over a period of time.

If you want to find the Domain Controller and exact date and time when a particular user object was changed, you could use the following command.

repadmin /showobjmeta <Name of a DC> <Distinguished Name of User Object>

repadmin /showobjmeta DomainController1 "CN=User1,OU=Users,DC=Test,DC=com"

Author Comment

by:Belton IT
ID: 40254762
Thanks will get this setup and come back to you.

Author Comment

by:Belton IT
ID: 40257011
checked logs this morning and found
this was logged before the second picture

Then this is one of the user accounts that change everyday

From what i see it s must be something on the domain controller because of the Account Name its using.

Author Comment

by:Belton IT
ID: 40261760
Found the problem here!!! :)   Thanks for everyones input!

After finding that event which pointed to something running on the server itself as SYSTEM. Noticed it said Windows Server standard but was Windows 2008 Essentials Business Server!

This has the Windows Essentials Business Server Administration Console. Now it was only licensed for some users and some devices etc... This only allowing login to licensed computers etc......
So real fix is to decommission the DC and use the two 2012 R2 domain controllers.

Thanks again!


Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question