russellexadmin

asked on

Active Directory Domain Login

I'm having an issue with users not being able to log into computers using their AD profile, and it's users who don't have local admin rights to the computer.  These users are Domain Users in AD and the computers are Domain Computers.  A message displays:

The sign-in method you're trying to use isn't allowed. for more info contact your network administrator.

Any help would be great!
Wayne88

Is it just for one computer or more?  Can the affected users log in to any machine at all?
If this is affecting all users that are not local admins, check your GPOs to ensure that no policies were applied that shouldn't have been.

Will.
Which OS is loaded on the computers in question? Are they trying to log on locally or remotely using RDP or some other method?  Are administrators able to log on to the same computers?

That's the error you get when you try to log on remotely to a Server 2012 domain controller when remote access hasn't been enabled (I think that's because Server 2012 disables remote connections on domain controllers by default).  But, I think you would also see the same error if local logon is prohibited on a workstation.  So, I'm with Will on this one: would look at local & domain-level group policies to make sure some policy was enabled by default.

You can deny the ability to log on locally using this policy:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny Log On Locally

I would make sure that policy hasn't been enabled.

Here's MS's TechNet article on that policy:
https://technet.microsoft.com/en-us/library/cc728210(v=ws.10).aspx
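
One way to check the user-rights policy mentioned above on an affected workstation (an added example, not part of any poster's reply): it exports the machine's effective user rights with `secedit` and prints who holds "Allow log on locally" and "Deny log on locally". The temporary file name is an assumption, and the script needs an elevated PowerShell prompt.

```powershell
# Added example: list the accounts holding the local logon rights on this machine.
# Assumption: the export is written to a scratch file under %TEMP%.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants as they appear in the exported [Privilege Rights] section.
$rights = [ordered]@{
    SeInteractiveLogonRight     = 'Allow log on locally'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}

$found = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights.Contains($Matches[1])) {
        $key = $Matches[1]
        # Entries are comma separated; SIDs are prefixed with '*'.
        $found[$key] = @($Matches[2].Split(',') | ForEach-Object {
            $entry = $_.Trim().TrimStart('*')
            if ($entry -like 'S-1-*') {
                try {
                    $sid = [System.Security.Principal.SecurityIdentifier]$entry
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $entry   # SID that no longer resolves: show it raw
                }
            } else {
                $entry
            }
        })
    }
}
Remove-Item $cfg

# A right with nobody assigned is simply absent from the export.
foreach ($key in $rights.Keys) {
    $who = if ($found.ContainsKey($key)) { $found[$key] -join ', ' } else { '(no entries)' }
    '{0,-22} {1}' -f ($rights[$key] + ':'), $who
}
```

A non-admin domain user needs to be covered by the Allow list (normally through the built-in Users group, which contains Domain Users on a domain-joined machine) and must not match the Deny list, which takes precedence. Running `gpresult /h report.html` on the same machine shows which GPO supplied either setting.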
russellexadmin

ASKER

Thanks for the responses.  These are Windows 7 and Windows 8.1 machines and it happens on all machines and not just some.  I should have mentioned this, but we have a Group Policy that allows the user to be a local admin and had the policy at the Domain Level.  This was an issue as some users didn't need these rights, so we deleted the policy from the Default Domain level and only put it within the OUs that need it, now the other machines are getting that error.  Does this additional information help?
ASKER CERTIFIED SOLUTION
Wayne88
This solution is only available to members.
What I would suggest to rule out Group Policy entirely is do the following...
- create a "test ou"
- move a computer and user into this ou
- enable blocked inheritance on this ou
- have the user log in to this computer (on which the user is NOT a local administrator)
- if this works and the user CAN LOGIN then it is a GPO that is configured in your environment which is causing this

Will.
The following article discusses the cause of this error and how to correct it via GP...

http://zamemon.blogspot.com/2013/09/the-sign-in-method-youre-trying-to-use.html