AD domain users must logon twice to run some applications

In my current AD domain environment, domain users must logon twice in order to run some applications or for some services to simply work. I'm wondering if anyone knows why that might be or where I should start to look (i.e., a particular subset of group policy). The OS on our workstations is Windows 7 and 8 and the DC's are all running 2008R2.
LVL 1
SnAkEhIpSAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hypercat (Deb)Commented:
When you say they have to logon twice, could you describe the exact behavior?  Do they log on once, then try to run the application and it doesn't work, then have to log off and back on? Is there any error message on screen or event log error that occurs when this happens?
SnAkEhIpSAuthor Commented:
The exact behavior is as you described. If they logon with their AD credentials once and try to run an application during that session the process may start, but fail or terminate right away without displaying any error. If they try to install software during that same session  they get the UAC prompt for administrator credentials.

If they subsequently log off, then logon again for the second time, they will be able to run the same application without error and install any software without receiving the UAC prompt.
Will SzymkowskiSenior Solution ArchitectCommented:
How is the applicaiton configured? Also are any of these on Web Interfaces? If they are, you will want to add those to your Local Intranet Zones in Internet Options.

You also need to make sure that the user has the correct permissions and also that the application is installed properly.

Does this happen for everyone?

Another good test would be make srue that they are a local administrator on the machine and try again.

Will.
Cloud as a Security Delivery Platform for MSSPs

Every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. View our on-demand webinar to learn more!

Hypercat (Deb)Commented:
Do they by any chance have both a domain user account and a local administrator account with the same user name and password?  The correct way to enable them to log on once with both domain user and local administrator rights (BTW this is NOT recommended) would be to add their domain user account to the local administrators group.
SnAkEhIpSAuthor Commented:
hypercat - when the computers are imaged they are joined to the domain and put into the field. We never create local admin accounts for individuals, but something tells me we're headed down the right path with your comment...

Will - all apps, all users are affected.
Hypercat (Deb)Commented:
But it does appear from your comments that they are members of the local administrators group, otherwise their accounts would not allow them to install software. Try removing their accounts from the local administrators group and put them in the Users group; see if that makes any difference.

If some services aren't starting, make sure that those services are set to log on as "Local System" or "Network Service."

I assume you sysprepped them properly when you did the images, otherwise I might suggest looking at something having to do with the SIDs of the computers...

Have you checked the event logs on the workstations to see if there are any clues as to what's causing the applications not to run?  Are all the required workstation services starting up properly? Also does it make any difference if they stay logged on for, say, 5 minutes or so and then try running the application again?

Also, it could be connected to the computer account rather than the user account, even if it's not a SID problem. If none of the above suggestions work, try this on one of the computers as a troubleshooting step:  Unjoin the domain, manually DELETE the computer account from the AD OU, then reboot and rejoin the domain.
SnAkEhIpSAuthor Commented:
I don't know if I'm not clearly communicating or if I'm just not understanding something. Let's say I have a freshly imaged workstation and join it to the domain. A new user sits down at the console and logs in for the first time. If they immediately try to install application "A" it will not install.

However, if they log off and immediately log back on, they can install application "A" successfully.
Hypercat (Deb)Commented:
Is this something that happens only when the machine is first imaged and joined to the domain and/or when the user logs on to the machine for the first time?  If so, this may be due to a group policy that is set up to add the domain user account to the local Administrators group, or to give special local program installation rights to users.  Depending on the nature of the group policy, sometimes when a new workstation is first joined to the domain it takes a few restarts to get all of the group policies properly applied to the user. Particularly given the nature of a policy that would operate to give users administrative rights (i.e., adding them to the local admins group), it would take a second log off and back on again for the user to be given those rights.  IOW, one logon would be required to add the user to the admins group, and then a logoff and second logon would be required for them to actually be assigned the admin rights, because those rights are put into effect at user logon.

If this is something that happens each and every time a user logs on, it's a bit of a mystery to me what could be causing it.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SnAkEhIpSAuthor Commented:
Domain users are receiving local admin rights on their computers. Not an ideal arrangement, but out of my purview at the moment. I'm assuming that it takes a second logon for the GPO to be applied. Still a little fuzzy as to why.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.