MomForLife asked:

Getting error the signin method you're trying to use isn't allowed.

I am helping a friend sort through his computer server and desktop computers. His company has Windows Server 2012 Essentials.
I added a user and added him to the domain users group. I basically copied an existing user and his group membership to the new user I created. When I tried to log on to his account using the following format, "Domain name\user name", I received the following error:

Getting error the signin method you're trying to use isn't allowed.

When I go back and log in as the user he was logging in as, domain name\existinguser, he can log in just fine.

I tried logging him on to another computer, and got the same message. Seems as if the computer name is somehow tied to a particular domain user.

How can I fix this problem?
Spike99

It sounds like the logon method isn't allowed. Is this a local log on? (meaning they are sitting down at the PC and trying to log on directly & not remotely)

There is a security setting in local security policy that can block local logon.  By default, authenticated users & administrators can log on locally to client PCs.  But, if someone changed local security policy, that might be what's blocking it.

To get into local security policy, you can run "secpol.msc" at a command prompt (or click on Start and type that in the search box).
Then, browse to Security Settings > Local Policies > User Rights Assignment.
Check the settings for the "Allow log on locally" policy.  By default, Administrators and Users have rights to log on to client PCs:
There is a similar setting in group policy.  In the group policy console (GPMC.msc), that setting would be in this policy:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
But, at the domain level, that GPO is normally only changed to allow administrators to log on to domain controllers locally.
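
The check described in the answer above, as an added example that is not part of the original thread: it exports the effective user rights with `secedit`, resolves who holds "Allow log on locally" (`SeInteractiveLogonRight`), and then lists the GPOs applied to the computer. The function name `Get-InteractiveLogonRight` and the temp file name are hypothetical; it assumes an elevated PowerShell prompt on the affected workstation.

```powershell
# Added example: report who holds "Allow log on locally" (SeInteractiveLogonRight)
# on this computer. Run from an elevated PowerShell prompt.
function Get-InteractiveLogonRight {
    $cfg = Join-Path $env:TEMP 'user_rights.inf'   # hypothetical temp file name
    # Export the effective user rights (local settings plus GPO-applied ones).
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # the right is not assigned to anyone

    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries with a leading * are SIDs; translate them to account names.
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
        } else {
            # Entries without a leading * are plain account names.
            $sid = $null
            $name = $entry
        }
        [pscustomobject]@{ Sid = $sid; Account = $name }
    }
}

$holders = @(Get-InteractiveLogonRight)
$holders | Format-Table -AutoSize

# BUILTIN\Users (S-1-5-32-545) contains Domain Users on a domain-joined PC.
if ($holders.Sid -notcontains 'S-1-5-32-545') {
    Write-Warning ('BUILTIN\Users is not granted the right; ordinary domain users ' +
        'cannot log on locally unless they are listed or belong to another listed group.')
}

# List the GPOs applied to the computer; the one defining the right is edited in GPMC.
gpresult /r /scope computer
```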
MomForLife (ASKER)

Thanks Alicia. I used gpedit on the local user computer, not the DC, and this setting was grayed out and has the settings applied by a group policy on our domain server. I can disjoin the domain and use a workgroup, and of course I can then edit the local policy, and of course it has no reference to the domain policy.

Do you have any idea why anyone would do this? It has caused problems, because only those users listed in the DC group policy can log on to the local computer (not the DC). To get around this I have to add AD users to the local admin group on the local computer.
ASKER CERTIFIED SOLUTION
Spike99
This solution is only available to members.
So if I go into the default policy on the domain controller and disable this policy, it should go with the default settings - Administrators, Users, etc. - correct? I thought this was only used for local access to the domain server, not local computer users on workstations.

Ok. I am totally baffled. I am going to give a description of our setup in regards to the policies on the domain server.

There are 4 policies: the default domain policy, default domain controller policy, wse policy, and map drive policy.

The default domain policy takes precedence over all  of them, since it has the lowest number of 1. All are enabled and inherited. None are enforced.  

The default domain policy has the following users on "allow logon locally": builtin\remote desktop users, ourdomain\user1, ourdomain\user2, cadet\administrator, builtin\administrators

I have gone into this particular policy and removed "define these policy settings." I have then executed a "gpupdate /force" on the user's computer. Logged in with a permitted account, executed gpedit and looked up "allow logon locally". The users are still there and it is still grayed out. Therefore only those specific accounts can log on to that user computer.

Pulling my hair out. What is wrong?

Okay. Don't understand why this happened, maybe someone can explain. After removing the users that had been added to the domain policy on the server under "allow logon locally", I did a gpupdate /force on the workstation (not on the server). It still showed the users under the local policy for the workstation, and of course it was grayed out, and I was not able to log on as any user other than those specified in the policy.

Today I went in and everything is now working as it should. I have logged on to other computers and the local policy is now as it should be, and I can now log in as any AD user on any computer.

Why did it take so long for the server to update, even though I did a gpupdate /force?

Thanks in advance for your input.
Usually, after you run "gpupdate /force" it will prompt you to reboot or log off if needed to fully apply policies. That's because some policies can't be updated until the next reboot or until the next logon.  Did it prompt you to reboot or log off?
To Alicia W. - no, it never prompted me for a reboot or log off.