asked on Active directory User "log on to" probem
Hi
I have an interesting issue with a new 100 seat site we've taken over. The problem is when new users are created in AD under properties/account/log on to its always set to "THE FOLLOWING COMPUTERS"
This prevents the user from logging into thin clients & some other machines, Now i can change this option to "ALL COMPUTERS" but this option seems to change back over night....
I cannot see any GPO's settings that could make this change back? Any suggestions would be helpful
I might also mention some admin accounts when newly created cannot log in to some computers also, but when left for a week or two they seem to come right.
![Capture-Issue.PNG]()
I have an interesting issue with a new 100 seat site we've taken over. The problem is when new users are created in AD under properties/account/log on to its always set to "THE FOLLOWING COMPUTERS"
This prevents the user from logging into thin clients & some other machines, Now i can change this option to "ALL COMPUTERS" but this option seems to change back over night....
I cannot see any GPO's settings that could make this change back? Any suggestions would be helpful
I might also mention some admin accounts when newly created cannot log in to some computers also, but when left for a week or two they seem to come right.
Windows Server 2008Active DirectoryWindows Server 2012
Last Comment
Thomas NZ
You can get the settings under Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment. Using this option you can create a policy and set allow\deny logon to computers
Hi,
This could be because of a script running as part of a scheduled task which is running every day at night. This script could be populating the computer accounts for all user account in the organization or in a particular OU.
You could try moving user accounts to a different OU to see if it is affecting users in an OU. But this would require all user settings be moved to the new OU, like the GPOs.
Also, you could search for Scheduled Tasks configured on Domain Controllers or Management Workstations.
Another option would be to enable Auditing for the AD Accounts in order to find which account is making modifications to user accounts.
This could be because of a script running as part of a scheduled task which is running every day at night. This script could be populating the computer accounts for all user account in the organization or in a particular OU.
You could try moving user accounts to a different OU to see if it is affecting users in an OU. But this would require all user settings be moved to the new OU, like the GPOs.
Also, you could search for Scheduled Tasks configured on Domain Controllers or Management Workstations.
Another option would be to enable Auditing for the AD Accounts in order to find which account is making modifications to user accounts.
yes, correct, audit account management to see what process that is. It will be a scheduled task for sure, so you could also list all tasks on the DCs and see which of those run after hours and find it.
ASKER
@ Sekar Chinnakannu i have tried this but was a 50/50 shot.
Seems its something changing AD. What the best proccess to audit account management to see what process that is?
Currently have 3 domain controllers one which is old 2008 standard and two new 2012 R2. Below are all the schedule task setup.
2008 DC
![new.PNG]()
![new2.PNG]()
![new3.PNG]()
No tasks have been created on the new domain controllers.
I did notice that it must change between 3am-7am
Seems its something changing AD. What the best proccess to audit account management to see what process that is?
Currently have 3 domain controllers one which is old 2008 standard and two new 2012 R2. Below are all the schedule task setup.
2008 DC
No tasks have been created on the new domain controllers.
I did notice that it must change between 3am-7am
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks will get this setup and come back to you.
ASKER
checked logs this morning and found
![experts.jpg]()
this was logged before the second picture
Then this is one of the user accounts that change everyday
![new4.PNG]()
From what i see it s must be something on the domain controller because of the Account Name its using.
this was logged before the second picture
Then this is one of the user accounts that change everyday
From what i see it s must be something on the domain controller because of the Account Name its using.
ASKER
Found the problem here!!! :) Thanks for everyones input!
After finding that event which pointed to something running on the server itself as SYSTEM. Noticed it said Windows Server standard but was Windows 2008 Essentials Business Server!
This has the Windows Essentials Business Server Administration Console. Now it was only licensed for some users and some devices etc... This only allowing login to licensed computers etc......
So real fix is to decommission the DC and use the two 2012 R2 domain controllers.
Thanks again!
![found.JPG]()
After finding that event which pointed to something running on the server itself as SYSTEM. Noticed it said Windows Server standard but was Windows 2008 Essentials Business Server!
This has the Windows Essentials Business Server Administration Console. Now it was only licensed for some users and some devices etc... This only allowing login to licensed computers etc......
So real fix is to decommission the DC and use the two 2012 R2 domain controllers.
Thanks again!
