Active Directory Domain Login

I'm having an issue with users not being able to log into computers using their AD profile, and it's users who don't have local admin rights to the computer.  These users are Domain Users in AD and the computers are Domain Computers.  A messages displays:

The sign-in method you're trying to use isn't allowed. for more info contact your network administrator.

Any help would be great!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Is it just for one computer or more?  Can the affected users login to any machine at all?
Will SzymkowskiSenior Solution ArchitectCommented:
If this is affecting all users that are not local admins check your GPO'S to ensure that no policies were applied that shouldn't have been.

Spike99On-Site IT TechnicianCommented:
Which OS is loaded on the computers in question? Are they trying to log on locally or remotely using RDP or some other method?  Are administrators able to log on to the same computers?

That's the error you get when  you try to log on remotely to a Server 2012 domain controller when remote access hasn't been enabled (I think that's because Server 2012 disables remote connections on domain controllers by default).  But, I think you would also see the same error if local logon is prohibited on a workstation.  So, I'm with Will on this one: would look at local & domain-level group policies to make sure some policy was enabled by default.

You can deny the ability to logon locally using this policy:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny Log On Locally

I would make sure that policy hasn't been enabled.

Here's MS's TechNet article on that policy:
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

russellexadminAuthor Commented:
Thanks for the responses.  These are Windows 7 and Windows 8.1 machines and it happens on all machines and not just some.  I should have mentioned this, but we have a Group Policy that allows the user to be a local admin and had the policy at the Domain Level.  This was an issue as some users didn't need these rights,so we deleted the policy from the Default Domain level and only put it within the Ous that need it, now the other machines are getting that error.  Does this additional information help?
I think at this point you need to see the Group Policy result to be sure of what it is being applied.

Go to a machine that's affected and follow the instruction on "How to Use the Group Policy Results"

More info: Determine Resultant Set of Policy with GPResult.exe

Then you will be able to see better of what resultant policy is being applied at the user's end.  If any question in regard to the output please provide the result from gp.txt (step # 3, first link) and we will assist.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Will SzymkowskiSenior Solution ArchitectCommented:
What I would suggest to rule out Group Policy entirely is do the following...
- create a "test ou"
- move a computer and user into this ou
- enable blocked inheritance on this ou
- have the user login to this computer (which the user is NOT a local administrator)
- if this works and the user CAN LOGIN then it is a GPO that is configured in your environment which is causing this

The following article discusses for the cause of this error and how to correct it via GP...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.