Can't Login to Server 2016 as Administrator

Robert Battaglia
Hello All,

I have a new Server 2016 system that is a DC and will be taking over for an old SBS 2011 server once I have finished the migration.  For some reason I can't login as the Administrator account.  I can RDP into a server as the administrator but can't login locally.  I get the error "The sign in method you're trying to use isn't allowed."  I have checked gpedit and logon locally is set to allow all members of the administrator group and there are no deny logon users set.  So I don't know why I can't login as the Administrator.  I can login as other users that I have set up as administrators, just not the Administrator account.  Am I missing something?

Regards,

Rob

Commented:
Is the 2016 server a member server or have you already performed the process to promote it to a DC?  If you have performed the process to promote it to a DC, does the login page provide the option to login to a different domain?

-saige-

Author

Commented:
It has already been promoted to a DC.  I have tried to add the domain name to the login.  When I type Administrator it shows it in the domain below the password.  I can login as other users that are administrators in the domain.  No options on the login page to login to another domain.  Should I try to login to the local Admin?

Commented:
You should not be able to login as a local administrator on any DC.  If you can, then that DC has not completed the promotion process.  This is why I had asked if the login page gives an option to login to a different domain.

What are the current domain/forest functional levels?

-saige-

Author

Commented:
All FSMO functions have been transferred to the new DC.  That is really odd since I can login as the Administrator on several other servers that I maintain with no problems and they have been promoted properly and have been running correctly for a long time.  The majority of them were migrations from an old Server 2008 DC.
Shaun Vermaak, Technical Specialist

Commented:
Check the allow to Logon interactively settings

Author

Commented:
I don't see that policy in the local computer policy.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Is the SBS still a DC? Set up a new Domain Admin account with the correct security group memberships and try that.

Author

Commented:
SBS is still a DC until I have everything set.  Then I will demote it and turn it off.  I have other domain admin accounts that I can use.  But since I am trying to copy data from the old SBS server to the new 2016 server it makes it hard since the Administrator account owns the folders.  I would have to RDP into the SBS server from the 2016 server and then copy the data.  I would prefer to just log into the new server with the Administrator account and then copy the data.  I just don't know why it won't let me login using that account.

Commented:
Ok, so you cannot login to the SBS server as Administrator?  Again what are the Forest/Domain functional levels?

-saige-
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Log in to a PC with the Administrator account and use either RoboCopy (we use BeyondCompare by Scooter Software) to copy the data.

Author

Commented:
No I can't login to the SBS either - never could.  I always would rdp if I need to use that account.  But I am kind of tired of doing that and I figured with a new server I would like to login directly like I do on all of the other 2012 and 2016 servers I have set up.

Domain level is 2008 R2 but for some reason the forest level is still 2003.  Not sure how since I did run adprep and move it up to 2008 R2.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Oh, and make sure the destination folder permissions are set up correctly before running the copy process.

Folder Permissions: Properly Disinheriting Folder Permissions

Author

Commented:
You are recommending using robocopy to copy the data from the SBS server to the 2016 server?

Author

Commented:
So you have to create all of the folders on the new server and then set all of their permissions before using robocopy?  Seems like a lot of work to just copy data.  I understand that this process will sync the files when they are changed but can't I just start the process and go back afterward and set the permissions, since the users won't be using the new data right away until I switch their login script to point to the new server?
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
We create the base folder and set up the permissions as required then copy the data. It takes a minute to do so.

I'm not sure about RoboCopy but BeyondCompare does have a NTFS permissions copy setting that requires the program be started elevated. We use that mode for file copies that have multiple disinherited subfolder setups.

Author

Commented:
If I raise the forest level to 2016 when the domain is set to 2008 R2 will I be able to raise the domain level afterward?  The reason I ask is it now says that the domain level can't be raised beyond 2008 R2 because the domain includes DCs that are not running the appropriate version of Windows.  I assume that is because I still have the SBS server as a DC.

Author

Commented:
My new server has both the role of SchemaMaster and InfrastructureMaster.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Forest and Domain can be elevated post SBS removal without issue. I suggest making a System State backup of both DCs prior to removing SBS.

Author

Commented:
I downloaded a trial of the program that you recommended.  But all of the folders say access denied because the administrator can't login to the new server and it is what created the folders on the old server.  Not sure what to try.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Time to do a GPResult /H C:\TEmp\GPResults.HTML using the Administrator account.

The deny is coming from somewhere, such as blocking the default 500 account from logging in to all machines on the network or just DCs? Check the Default Domain Controllers Policy for any modifications (it's never a good idea to modify the two defaults at all).
Cris Hanna, Sr IT Support Engineer

Commented:
Are we talking the actual built-in Administrator account?  That account is disabled by default in SBS servers. When the SBS server was installed, you had to create a new "admin" account.  That would carry over on the new server as well.

Author

Commented:
The Administrator account is the one found in the User category in SBS not the My Business - SBS Users.  That administrator is not disabled and I can RDP to the server and use it when necessary.
Cris Hanna, Sr IT Support Engineer

Commented:
Then someone has modified the default configuration of the SBS box.  But that being said... under My Business > SBS Users there should be an account there that is the "domain administrator" account... can you log into both servers with that account? That should get you what you're looking for.

Author

Commented:
I am the only one that can do that since no one else has access.  I remember doing this for other SBS boxes where I was able to get the Administrator to login but it was so long ago - when it was set up as SBS 2003 and then I did a swing migration to SBS 2011.  I just can't remember what I did all those years ago.  With this server I don't think that I set up the administrator account to have direct login access so I just always would RDP if I needed it for some reason.  On this box I created an account years ago called Admin Install to be able to login and install programs.  This account is part of the domain admins group.

Author

Commented:
I have run GPResult and don't see any errors during the last user and computer policy refresh.  The default domain policy GPO is being applied for the administrator.
Cris Hanna, Sr IT Support Engineer

Commented:
I would look in the SBS Console and you should be able to find the "administrator" account that was created when SBS was installed or in this case, if I understand correctly, when you swung from SBS 2003 to SBS 2011.  That's the domain account you should be using for logging on locally to the Server 2016 as well.

Author

Commented:
The account is called admin install.  But that account does not "own" the folders so I can't use it to copy from the drive shares.  I am currently logged in using RDP to the new server so I can move data from the old server to the new one using the program you suggested - Beyond Compare.  Very nice little tool to sync files until the point that you turn off the old server.

Author

Commented:
Another odd thing is that none of my users show up in the SBS Console.  I typically don't use it since I like using the admin snap-in tools instead.  But I looked at another server that I had done a swing migration on a few years back from 2003 to 2011 and those users all show in the console.  The users do show up in the administrator - domain users and groups snap-in and they don't have any issues logging in.  They have also replicated to the new server as well and I have tested adding a new user and this user shows up on both servers.  Very odd.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
GPResults won't show errors; it will show the entire list of applied GPO settings. Check for one such as "Deny Logon Locally" in one of the applicable GPOs including the Default Domain Controllers Policy.

Author

Commented:
These are the ones that are Denied:

Windows SBS User Policy -  Reason Denied      Access Denied (Security Filtering)
Windows SBS CSE Policy  - Reason Denied      False WMI Filter
Local Group Policy [LocalGPO] - Reason Denied      Empty
Update Services Client Computers Policy - Reason Denied      Access Denied (Security Filtering)
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
Make sure any GPO that has "Authenticated Users" removed from the SCOPE tab has that group given READ on the SECURITY tab.

Please look in the report for the settings not filtering.

Author

Commented:
So I am looking for "settings not filtering"?  I don't find that in the report anywhere.
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
"Deny Logon Locally" is usually the setting and it's usually in the Windows Settings --> Security section.
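
One way to see which accounts actually hold the local and Remote Desktop logon rights discussed in this thread is to export the server's effective user rights with `secedit` and resolve the SIDs. This is an added example, not something posted by a participant; the scratch file path and the `Resolve-Entry` helper are assumptions.

```powershell
# Added example (not from the thread). Run elevated on the server being checked.
$cfg = Join-Path $env:TEMP 'user-rights.inf'        # assumed scratch path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants and the policy names shown in the Group Policy editor.
$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Resolve-Entry([string]$entry) {            # hypothetical helper
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-1-')) { return $entry }   # already an account name
    $sid = $entry.Substring(1)
    try {
        $nt = [System.Security.Principal.SecurityIdentifier]::new($sid).Translate(
                  [System.Security.Principal.NTAccount])
        "$($nt.Value) [$sid]"
    } catch {
        "$sid [unresolved]"                          # deleted or unreachable principal
    }
}

# Collect "Right = entry,entry" lines from the [Privilege Rights] section.
$found = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $rights.Contains($Matches[1])) {
        $name = $Matches[1]
        $found[$name] = $Matches[2].Split(',') | Where-Object { $_.Trim() } |
                        ForEach-Object { Resolve-Entry $_ }
    }
}

foreach ($key in $rights.Keys) {
    "{0} ({1})" -f $rights[$key], $key
    if (-not $found.ContainsKey($key)) { '    <not assigned to anyone>'; continue }
    foreach ($who in $found[$key]) {
        # A SID ending in -500 is the built-in Administrator account.
        $flag = if ($who -match '-500\]$') { '  <-- built-in Administrator' } else { '' }
        "    $who$flag"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

The script lists only the principals named directly in each right, so a deny entry for a group the Administrator account belongs to will appear under the group's name. On a domain controller these values normally come from the GPOs linked to the Domain Controllers OU, so a surprising entry should be traced back through the `gpresult /H` report.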
