Solved

Cannot logon because the logon method you are using is not allowed...

Posted on 2016-10-06
16
46 Views
Last Modified: 2016-12-09
I noticed the other day that our company wide blast (every email address in the company) was listed as a security group and not a distribution group.  I had an exchange "expert" here looking at a backup issue on my exchange server and asked him whether this was a problem.  He told me that if that blast wasn't being used to apply security to shared folders, etc. that it could end up being a security risk.  I had never seen it this particular group used for anything except communication.  I went into AD and changed it over to a distribution group.  Now all users that don't have local admin access to their computers get the "Cannot logon because the logon method you are using is not allowed..." message when logging into their machines.  They can only log in again if I  make them a local admin.  Is there anything I can do globally in AD or elsewhere to rectify this situation without waiting for my users to complain and addressing each situation individually?  It is a Windows Server 2016 running Exchange 2013
Question by:4MIT
16 Comments
 
LVL 41

Expert Comment

by:Amit
ID: 41832004
This looks more like a GPO issue. Check which GPOs are applied on the client machine.
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 250 total points
ID: 41832006
Personally I don't create distribution groups - all groups I create are security groups, which are mail enabled as required. I would be asking what the perceived security risk is.

It would seem that the group was being used for permissions - there are more to permissions than just shared folders.

It sounds like something has been changed so that user login is allowed when they are a member of that group - removing Users or Domain Users from the permissions.
You need to look through group policy most likely to see whether the permissions are being set.

However in the short term I would just change the group back to a security group. That will allow you to work as you were before while you try to find where that setting was changed.

And as a lesson, don't change something that could potentially affect all users without knowing the full consequences of that action.
Author Comment

by:4MIT
ID: 41832110
In terms of GPO, that same guy asked if we do any automatic drive mapping.  We do map a shared drive via Group Policy when a computer is configured with an enterprise profile for the first time.  Would this have any effect on this issue?  Also, are there any drawbacks to flipping that blast back to a security group as it was before?
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41832163
The logon effect is easy to explain. There'll be a GPO in effect for all client computers that allows the local logon only to administrators and to that (former, no longer) security group. Edit that GPO or, as Sembee said, first reverse the action.
https://technet.microsoft.com/en-us/library/dn221980%28v=ws.11%29.aspx
-> GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment -> Allow logon locally
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 41832174
I don't think there will be any drawbacks to changing the group back to Security. The underlying SID should be the same, so the permissions will be in effect again.

It is what I would do, then go looking for how the group is used.
Author Comment

by:4MIT
ID: 41832178
Rather than mess with GPO, I just made it a security group again.  It wasn't hurting anything before the change.  Thanks again!
Author Comment

by:4MIT
ID: 41834424
I know I closed this question... but after changing the blast back to a security group, the issue is not resolved.  Not sure what to look for in GPO.  Any help would be greatly appreciated.
LVL 53

Expert Comment

by:McKnife
ID: 41834477
See my links. You can easily find out which GPO to modify if you use rsop.msc on such a client (as admin). RSoP will list the GPO name right in the section that is mentioned in my links. Then, locate that GPO in GPMC and change it, so that the group Domain Users may also log on locally.
Author Comment

by:4MIT
ID: 41838342
McKnife,

I found what you were talking about but I still have a couple of questions.  Am I editing this on my primary domain controller or does it have to be done on every computer affected?  Also, when I got to that policy on my DC, options to modify it were grayed out even though I am logged into the DC as the administrator.  What could be causing that?
LVL 53

Expert Comment

by:McKnife
ID: 41838359
You need a crash course in GPO.
You should proceed like this:
As admin, open rsop.msc at a client and in the results navigate to where I mentioned: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment -> Allow logon locally
On the right hand side of that setting, you'll see a column "origin or GPO Name" which will list the GPO that contains the setting we are talking about. Equipped with that name, log on to a DC and open the Group Policy Management Console ("GPMC"). List the GPOs and edit that very GPO. In that section (again: GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment -> Allow logon locally), add the group Domain Users.
It will apply after some time (background refresh: every 90 minutes).
Make sure that policy does not apply to servers as well, but only to clients.

"Also, when I got to that policy on my DC, options to modify it were grayed out even though I am logged into the DC as the administrator.  What could be causing that?"
That means you are looking at RSoP, not at the GPMC. In RSoP, only results are displayed; they are not editable.
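The procedure above (find the GPO that sets "Allow log on locally", add Domain Users, and make sure the GPO is linked only to client OUs) can be verified from a DC without clicking through every GPO. The following PowerShell is an added example, not code from McKnife or anyone in this thread; it assumes the GroupPolicy RSAT module is available and that the account running it can read all GPOs. It lists every GPO that sets the SeInteractiveLogonRight user right, who it is granted to, and where the GPO is linked, and it warns about any such GPO that omits Domain Users, which also answers the closing question about whether the policy reaches servers.

```powershell
# Added example for this thread (not the posters' code). Audits every GPO in the
# domain for the "Allow log on locally" user right (SeInteractiveLogonRight) and
# reports the principals it is granted to plus the OUs/domain the GPO is linked to.
# Run on a DC or on an admin workstation with the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Get-AllowLogonLocallyAssignments {
    foreach ($gpo in Get-GPO -All) {
        # Get-GPOReport -ReportType Xml returns the GPO's settings as an XML document
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # User rights live under Computer/ExtensionData/Extension/UserRightsAssignment;
        # PowerShell's XML adapter lets us ignore the q1: namespace prefix in the report.
        $rights = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
                  Where-Object { $_.Name -eq 'SeInteractiveLogonRight' }

        foreach ($right in $rights) {
            $principals = foreach ($m in $right.Member) {
                # Member/Name is normally plain text; fall back to InnerText if it is an element
                if ($m.Name -is [string]) { $m.Name } else { $m.Name.InnerText }
            }
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Status     = $gpo.GpoStatus          # e.g. AllSettingsEnabled
                LinkedTo   = (@($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; ')
                Principals = ($principals -join ', ')
            }
        }
    }
}

# Show every GPO that sets the right, then flag the ones that leave out Domain Users.
# A GPO in the warning list that is linked to a server OU is exactly the case
# "make sure that policy does not apply to servers" refers to.
$assignments = Get-AllowLogonLocallyAssignments
$assignments | Format-Table -AutoSize

$assignments |
    Where-Object { $_.Principals -notmatch '\\Domain Users(,|$)' } |
    ForEach-Object {
        Write-Warning ("GPO '{0}' (linked to: {1}) restricts local logon to: {2}" -f
                       $_.GPO, $_.LinkedTo, $_.Principals)
    }
```

On an affected client, `gpresult /h report.html` (run elevated) shows the same setting with the winning GPO, which is the command-line equivalent of the rsop.msc check described above.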

Author Comment

by:4MIT
ID: 41838379
Am I editing this on my primary domain controller only or does it have to be done on every computer affected?
LVL 53

Expert Comment

by:McKnife
ID: 41838391
No, just at one DC.
Author Comment

by:4MIT
ID: 41838561
Edited the "Log on Locally" GPO on my primary DC and still can't add a profile to a laptop without seeing "Cannot logon because the logon method you are using is not allowed..."
LVL 53

Expert Comment

by:McKnife
ID: 41838708
Please verify if the GPO got applied. Again, use rsop.msc at the client.
Author Comment

by:4MIT
ID: 41838710
It just took a little while to replicate across the network.  I am able to log in locally again.  Thanks for your assistance and more importantly your patience with me.
LVL 53

Expert Comment

by:McKnife
ID: 41838798
Ok, let me finish this:

- you did not know whether or not to follow the consultant's advice - but you did.
- you did not know that the group was used within GPOs

-> You need to document your settings and you need someone in the know. Without that, this will not end well. Your workaround (making people local admins) ruined the security. If you undo it now, who knows what backdoors those people might have opened to restore administrative rights. Very easily done, once you are admin for 5 minutes.
--
Please try to answer the following questions:

- why was that setting (logon restricted to a certain group) in use at all? In other words: what is the default setting and why might someone have felt it needed changing?
- is the status quo reached? Should it be reached?
- what was meant by my "Make sure that policy does not apply to servers as well, but only to clients" - why does it matter and how can you verify?

I am just trying to raise awareness :-) Modifying security settings on a large scale without the knowhow is dangerous and should be avoided. Using a forum to help you out might work, but we can only deal with the things that you notice and not with the errors you might have made while trying.
Many big security incidents are based on errors that happened while people kind of panicked, while people try desperately to find a timely solution at all costs.