SnAkEhIpS
AD domain users must logon twice to run some applications
In my current AD domain environment, domain users must log on twice in order to run some applications or for some services to simply work. I'm wondering if anyone knows why that might be or where I should start to look (i.e., a particular subset of group policy). The OS on our workstations is Windows 7 and 8 and the DCs are all running 2008R2.
When you say they have to logon twice, could you describe the exact behavior? Do they log on once, then try to run the application and it doesn't work, then have to log off and back on? Is there any error message on screen or event log error that occurs when this happens?
ASKER
The exact behavior is as you described. If they log on with their AD credentials once and try to run an application during that session, the process may start but fail or terminate right away without displaying any error. If they try to install software during that same session they get the UAC prompt for administrator credentials.
If they subsequently log off, then log on again for the second time, they will be able to run the same application without error and install any software without receiving the UAC prompt.
How is the application configured? Also, are any of these on web interfaces? If they are, you will want to add those to your Local Intranet zone in Internet Options.
You also need to make sure that the user has the correct permissions and also that the application is installed properly.
Does this happen for everyone?
Another good test would be to make sure that they are a local administrator on the machine and try again.
Will.
Do they by any chance have both a domain user account and a local administrator account with the same user name and password? The correct way to enable them to log on once with both domain user and local administrator rights (BTW this is NOT recommended) would be to add their domain user account to the local administrators group.
ASKER
hypercat - when the computers are imaged they are joined to the domain and put into the field. We never create local admin accounts for individuals, but something tells me we're headed down the right path with your comment...
Will - all apps, all users are affected.
But it does appear from your comments that they are members of the local administrators group, otherwise their accounts would not allow them to install software. Try removing their accounts from the local administrators group and put them in the Users group; see if that makes any difference.
If some services aren't starting, make sure that those services are set to log on as "Local System" or "Network Service."
I assume you sysprepped them properly when you did the images, otherwise I might suggest looking at something having to do with the SIDs of the computers...
Have you checked the event logs on the workstations to see if there are any clues as to what's causing the applications not to run? Are all the required workstation services starting up properly? Also does it make any difference if they stay logged on for, say, 5 minutes or so and then try running the application again?
Also, it could be connected to the computer account rather than the user account, even if it's not a SID problem. If none of the above suggestions work, try this on one of the computers as a troubleshooting step: Unjoin the domain, manually DELETE the computer account from the AD OU, then reboot and rejoin the domain.
ASKER
I don't know if I'm not clearly communicating or if I'm just not understanding something. Let's say I have a freshly imaged workstation and join it to the domain. A new user sits down at the console and logs in for the first time. If they immediately try to install application "A" it will not install.
However, if they log off and immediately log back on, they can install application "A" successfully.
ASKER CERTIFIED SOLUTION
ASKER
Domain users are receiving local admin rights on their computers. Not an ideal arrangement, but out of my purview at the moment. I'm assuming that it takes a second logon for the GPO to be applied. Still a little fuzzy as to why.
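Added diagnostic for the behaviour the asker describes in the last post (this is example code, not part of the thread or of any answer in it). A Windows access token is built once, at logon, from the groups the account belongs to at that moment; if a policy adds the account to the local Administrators group after that token exists, the running session never sees the change, and only a fresh logon produces a token that contains BUILTIN\Administrators. The script below makes that mismatch visible on a workstation: it reads the current token with `whoami /groups` and reads the local Administrators group through the WinNT ADSI provider (which exists on Windows 7, where `Get-LocalGroupMember` does not). Assumptions: run as the affected domain user in a normal, non-elevated Windows PowerShell session on the domain-joined workstation; the thread does not say which policy mechanism grants the admin rights, and the script does not depend on it.

```powershell
# Added example, not from the thread: compare the logon token the user is
# running with against the local Administrators group as it is right now.
# Assumes Windows 7/8, domain-joined, run as the affected user (non-elevated).

$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# --- 1. What does the current token say? ------------------------------------
# whoami /groups lists every group SID in the access token built at logon.
# An admin running under UAC still sees the group, but its attributes read
# "Group used for deny only" until the process is elevated.
$tokenGroups     = whoami /groups /fo csv | ConvertFrom-Csv
$adminsInToken   = $tokenGroups | Where-Object { $_.SID -eq $adminsSid }
$tokenGroupNames = $tokenGroups | ForEach-Object { $_.'Group Name' }

# --- 2. Who is in the local Administrators group right now? -----------------
# Member ADsPaths look like WinNT://DOMAIN/name; rewrite them as DOMAIN\name.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$localAdmins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})

$me     = "$env:USERDOMAIN\$env:USERNAME"
$direct = $localAdmins -contains $me          # -contains is case-insensitive
# Membership is often granted through a domain group that sits in the local
# group; the token already lists the user's domain groups, so intersect them.
$viaGroup    = @($tokenGroupNames | Where-Object { $localAdmins -contains $_ })
$isMemberNow = $direct -or ($viaGroup.Count -gt 0)

# --- 3. Diagnose ------------------------------------------------------------
"User:                       $me"
"Admins in current token:    $([bool]$adminsInToken)" +
    $(if ($adminsInToken) { " ($($adminsInToken.Attributes))" })
"Member of local Admins now: $isMemberNow" +
    $(if ($viaGroup.Count -gt 0) { " (via $($viaGroup -join ', '))" })

if ($isMemberNow -and -not $adminsInToken) {
    "RESULT: the account is in local Administrators, but this session's token"
    "was built before that membership existed. Tokens are not refreshed in"
    "place; log off and log on again and the new token will carry the group."
} elseif ($adminsInToken) {
    "RESULT: this session already carries Administrators; a stale token is not the cause."
} else {
    "RESULT: the account is not a local administrator at all; check the policy or group that should grant it."
}
```

Run it immediately after the first logon on a freshly imaged machine and again after the second logon; the "member now but not in token" result on the first run, followed by "already carries Administrators" on the second, is the signature of the two-logon behaviour. To see when the computer-side policy that grants the membership actually applied, `gpresult /r /scope computer` (run elevated) shows the last time computer policy was processed.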