Can't Login to Server 2016 as Administrator

Hello All,

I have a new Server 2016 system that is a DC and will be taking over for an old SBS 2011 server once I have finished the migration. For some reason I can't login as the Administrator account. I can RDP into a server as the administrator but can't login locally. I get the error "The sign in method you're trying to use isn't allowed." I have checked gpedit and logon locally is set to allow all members of the administrator group and there are no deny logon users set. So I don't know why I can't login as the Administrator. I can login as other users that I have set up as administrators, just not the Administrator account. Am I missing something?

Regards,

Rob
Robert Battaglia Asked:

it_saige (Developer) commented:
Is the 2016 server a member server or have you already performed the process to promote it to a DC?  If you have performed the process to promote it to a DC, does the login page provide the option to login to a different domain?

-saige-
Robert Battaglia (Author) commented:
It has already been promoted to a DC.  I have tried to add the domain name to the login.  When I type Administrator it shows it in the domain below the password.  I can login as other users that are administrators in the domain.  No options on the login page to login to another domain.  Should I try to login to the local Admin?
it_saige (Developer) commented:
You should not be able to login as a local administrator on any DC.  If you can, then that DC has not completed the promotion process.  This is why I had asked if the login page gives an option to login to a different domain.

What are the current domain/forest functional levels?

-saige-
Robert Battaglia (Author) commented:
All FSMO functions have been transferred to the new DC. That is really odd since I can login as the Administrator on several other servers that I maintain with no problems and they have been promoted properly and have been running correctly for a long time. The majority of them were migrations from an old Server 2008 DC.
Shaun Vermaak (Technical Specialist) commented:
Check the allow to Logon interactively settings
Robert Battaglia (Author) commented:
I don't see that policy in the local computer policy.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Is the SBS still a DC? Set up a new Domain Admin account with the correct security group memberships and try that.
Robert Battaglia (Author) commented:
SBS is still a DC until I have everything set. Then I will demote it and turn it off. I have other domain admin accounts that I can use. But since I am trying to copy data from the old SBS server to the new 2016 server it makes it hard since the Administrator account owns the folders. I would have to RDP into the SBS server from the 2016 server and then copy the data. I would prefer to just log into the new server with the Administrator account and then copy the data. I just don't know why it won't let me login using that account.
it_saige (Developer) commented:
Ok, so you cannot login to the SBS server as Administrator?  Again what are the Forest/Domain functional levels?

-saige-
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Log in to a PC with the Administrator account and use either RoboCopy (we use BeyondCompare by Scooter Software) to copy the data.
Robert Battaglia (Author) commented:
No I can't login to the SBS either - never could.  I always would rdp if I need to use that account.  But I am kind of tired of doing that and I figured with a new server I would like to login directly like I do on all of the other 2012 and 2016 servers I have set up.

Domain level is 2008 R2 but for some reason the forest level is still 2003.  Not sure how since I did run adprep and move it up to 2008 R2.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Oh, and make sure the destination folder permissions are set up correctly before running the copy process.

Folder Permissions: Properly Disinheriting Folder Permissions
Robert Battaglia (Author) commented:
You are recommending using robocopy to copy the data from the SBS server to the 2016 server?
Robert Battaglia (Author) commented:
So you have to create all of the folders on the new server and then set all of their permissions before using robocopy? Seems like a lot of work to just copy data. I understand that this process will sync the files when they are changed but can't I just start the process and go back afterward and set the permissions since the users won't be using the new data right away until I switch their login script to point to the new server?
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
We create the base folder and set up the permissions as required then copy the data. It takes a minute to do so.

I'm not sure about RoboCopy but BeyondCompare does have a NTFS permissions copy setting that requires the program be started elevated. We use that mode for file copies that have multiple disinherited subfolder setups.
Robert Battaglia (Author) commented:
If I raise the forest level to 2016 when the domain is set to 2008 R2 will I be able to raise the domain level afterward? The reason I ask is it now says that the domain level can't be raised beyond 2008 R2 because the domain includes DCs that are not running the appropriate version of Windows. I assume that is because I still have the SBS server as a DC.
Robert Battaglia (Author) commented:
My new server has both the role of SchemaMaster and InfrastructureMaster.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Forest and Domain can be elevated post SBS removal without issue. I suggest making a System State backup of both DCs prior to removing SBS.
Robert Battaglia (Author) commented:
I downloaded a trial of the program that you recommended.  But all of the folders say access denied because the administrator can't login to the new server and it is what created the folders on the old server.  Not sure what to try.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Time to do a GPResult /H C:\TEmp\GPResults.HTML using the Administrator account.

The deny is coming from somewhere, such as blocking the default 500 account from logging in to all machines on the network or just DCs? Check the Default Domain Controllers Policy for any modifications (it's never a good idea to modify the two defaults at all).
Cris Hanna (Sr IT Support Engineer) commented:
Are we talking the actual built in Administrator Account? That account is disabled by default in SBS servers. When the SBS server was installed, you had to create a new "admin" account. That would carry over on the new server as well.
Robert Battaglia (Author) commented:
The Administrator account is the one found in the User category in SBS not the My Business - SBS Users.  That administrator is not disabled and I can RDP to the server and use it when necessary.
Cris Hanna (Sr IT Support Engineer) commented:
Then someone has modified the Default configuration of the SBS box.   But that being said...under My Business > SBS Users  there should be an account there that is the "domain administrator" account...can you log into both servers with that account...should get you what you're looking for
Robert Battaglia (Author) commented:
I am the only one that can do that since no one else has access.  I remember doing this for other SBS boxes where I was able to get the Administrator to login but it was so long ago - when it was set up as SBS 2003 and then I did a swing migration to SBS 2011.  I just can't remember what I did all those years ago.  With this server I don't think that I set up the administrator account to have direct login access so I just always would RDP if I needed it for some reason.  On this box I created an account years ago called Admin Install to be able to login and install programs.  This account is part of the domain admins group.
Robert Battaglia (Author) commented:
I have run GPResult and don't see any errors during the last user and computer policy refresh.  The default domain policy GPO is being applied for the administrator.
Cris Hanna (Sr IT Support Engineer) commented:
I would look in the SBS Console and you should be able to find the "administrator" account that was created when SBS was installed or in this case, if I understand correctly, when you swung from SBS 2003 to SBS 2011. That's the domain account you should be using for logging on locally to the Server 2016 as well.
Robert Battaglia (Author) commented:
The account is called admin install.  But that account does not "own" the folders so I can't use it to copy from the drive shares.  I am currently logged in using RDP to the new server so I can move data from the old server to the new one using the program you suggested - Beyond Compare.  Very nice little tool to sync files until the point that you turn off the old server.
Robert Battaglia (Author) commented:
Another odd thing is that none of my users show up in the SBS Console. I typically don't use it since I like using the admin snap-in tools instead. But I looked at another server that I had done a swing migration on a few years back from 2003 to 2011 and those users all show in the console. The users do show up in the administrator - domain users and groups snap-in and they don't have any issues logging in. They have also replicated to the new server as well and I have tested adding a new user and this user shows up on both servers. Very odd.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
GPResults won't show errors; it will show the entire list of applied GPO settings. Check for one such as "Deny Logon Locally" in one of the applicable GPOs including the Default Domain Controllers Policy.
Robert Battaglia (Author) commented:
These are the ones that are Denied:

Windows SBS User Policy -  Reason Denied      Access Denied (Security Filtering)
Windows SBS CSE Policy  - Reason Denied      False WMI Filter
Local Group Policy [LocalGPO] - Reason Denied      Empty
Update Services Client Computers Policy - Reason Denied      Access Denied (Security Filtering)
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Make sure any GPO that has "Authenticated Users" removed from the SCOPE tab has that group given READ on the SECURITY tab.

Please look in the report for the settings not filtering.
Robert Battaglia (Author) commented:
So I am looking for "settings not filtering"?  I don't find that in the report anywhere.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
"Deny Logon Locally" is usually the setting and it's usually in the Windows Settings --> Security section.
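
Added example, not part of the original thread or any participant's post: one way to see who holds the "Allow log on locally" (SeInteractiveLogonRight) and "Deny log on locally" (SeDenyInteractiveLogonRight) user rights in effect on the server that refuses the logon, which is the setting the GPResult report is being searched for. The account name and scratch file path are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: list holders of the local-logon user rights on this machine.
$account = 'Administrator'                        # assumption: account that cannot log on
$cfg     = Join-Path $env:TEMP 'user_rights.inf'  # assumption: scratch file path

# Export only the user rights assignment area of the security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# SID of the account under test, for matching against the exported entries.
$acctSid = ([System.Security.Principal.NTAccount]$account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Entries are either "*S-1-5-..." (a SID) or a plain account name.
function Resolve-Entry([string]$entry) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        $sid = $entry.TrimStart('*')
        try   { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
    } else {
        $name = $entry
        try   { $sid = ([System.Security.Principal.NTAccount]$entry).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = '<unresolved>' }
    }
    [pscustomobject]@{ Name = $name; Sid = $sid }
}

$rights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'
$report = foreach ($right in $rights) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line) {
        # Right is not assigned to anyone in the exported policy.
        [pscustomobject]@{ Right = $right; Name = '<not defined>'; Sid = ''; IsAccount = $false }
        continue
    }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $p = Resolve-Entry $entry
        [pscustomobject]@{
            Right     = $right
            Name      = $p.Name
            Sid       = $p.Sid
            IsAccount = ($p.Sid -eq $acctSid)   # direct match only; group membership is not expanded
        }
    }
}

Remove-Item $cfg
$report | Format-Table -AutoSize
```

A deny entry takes precedence over an allow entry, so any SeDenyInteractiveLogonRight row that names the account or a group it belongs to explains the refusal; the GPResult report then shows which GPO delivered that setting.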