Forum.Brain-Cluster.com: Brain Cluster Technical Forum

"You cannot log on because the logon method you are using is not allowed on this computer" [message #155473] Fri, 29 May 2009 22:23
Posted by aconti (United States):
This is the error I am getting when I try to log in on the DC with a user
which is not a member of the Domain Admin group. If I log in with the
domain Administrator user and assign the domain admin group to the user
it logs in normally. I have tried to create a different group but still
the same.


--
aconti
Re: "You cannot log on because the logon method you are using is not allowed on this computer" [message #155474 is a reply to message #155473] Fri, 29 May 2009 23:48
Posted by aceman (United States):
"aconti" <aconti.3szbnb@DoNotSpam.com> wrote in message news:aconti.3szbnb@DoNotSpam.com...
>
> This is the error I am getting when I try to log in on the DC with a user
> which is not a member of the Domain Admin group. If I log in with the
> domain Administrator user and assign the domain admin group to the user
> it logs in normally. I have tried to create a different group but still
> the same.

The user needs to be in the domain admin group. It is a domain controller. Why would you want a non-admin to log on to a domain controller?

Is this a Terminal Server in Application mode? If this is the case, in order to allow a non-domain admin account to log on to a Terminal Server, the account would need to be in the Terminal Services group, have Log on Locally rights, as well as Log On Interactive rights.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay
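As an added example (not part of Ace's post): a PowerShell script that shows who effectively holds the two user rights he names on the machine it runs on. On a domain controller these rights come from the Default Domain Controllers Policy GPO rather than from local policy, so the local policy editor shows them read-only; exporting the effective policy with secedit is the quickest way to see the resulting list, including any matching "Deny" right, which wins over an Allow. The only assumption is that it runs in an elevated prompt on the DC.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the DC.
# Exports the effective user-rights assignment with secedit and prints who holds
# "Allow log on locally" (SeInteractiveLogonRight) and "Allow log on through
# Terminal Services" (SeRemoteInteractiveLogonRight), plus the Deny counterparts.

$rightsToCheck = @(
    'SeInteractiveLogonRight',
    'SeRemoteInteractiveLogonRight',
    'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight'
)

function Resolve-Principal([string]$token) {
    # secedit writes SIDs with a leading '*'; anything else is already a name.
    if (-not $token.StartsWith('*')) { return $token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($token.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $token   # orphaned SID (deleted account): leave it visible
    }
}

$inf = Join-Path $env:TEMP 'user-rights.inf'
# Only the USER_RIGHTS area is needed; the file is UTF-16, which Get-Content handles.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; is this prompt elevated?' }

$lines = Get-Content $inf
foreach ($right in $rightsToCheck) {
    $entry = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    if (-not $entry) {
        "$right : (nobody)"
        continue
    }
    # Format is  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,...
    $holders = ($entry -split '=', 2)[1].Split(',') |
        ForEach-Object { Resolve-Principal $_.Trim() } |
        Where-Object { $_ }
    "$right :"
    $holders | ForEach-Object { "    $_" }
}
Remove-Item $inf -Force
```

If the account you expect is missing from the Allow lists (directly or through one of its groups), either add a group it belongs to under those rights in the Default Domain Controllers Policy, or, as the later replies in this thread recommend, leave the DC alone and delegate the task to the user's own workstation instead.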
Re: "You cannot log on because the logon method you are using is not allowed on this computer" [message #155477 is a reply to message #155473] Sat, 30 May 2009 06:17
Posted by meiweb(nospam) (Germany):
Hello aconti,

Normal user accounts should not log on to a domain controller; what's the
reason for that? By default they are not allowed to log on to a DC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> This is the error I am getting when I try to log in on the DC with a
> user which is not a member of the Domain Admin group. If I log in with
> the domain Administrator user and assign the domain admin group to the
> user it logs in normally. I have tried to create a different group but
> still the same.
>
Re: "You cannot log on because the logon method you are using is not allowed on this computer" [message #155491 is a reply to message #155473] Sun, 31 May 2009 10:01
Posted by Marcin (United States):
Aconti,
the simplest approach to allowing non-privileged users to log on to a Domain
Controller is to add them to the "Remote Desktop Users" domain global group.
In general, it is not recommended to use it, though - primarily due to
security implications...

hth
Marcin

"aconti" <aconti.3szbnb@DoNotSpam.com> wrote in message
news:aconti.3szbnb@DoNotSpam.com...
>
> This is the error I am getting when I try to log in on the DC with a user
> which is not a member of the Domain Admin group. If I log in with the
> domain Administrator user and assign the domain admin group to the user
> it logs in normally. I have tried to create a different group but still
> the same.
Re: "You cannot log on because the logon method you are using is not allowed on this computer" [message #157667 is a reply to message #155491] Sat, 11 July 2009 00:00
Posted by plee61 (United States):
> the simplest approach to allowing non-privileged users to log on to a
> Domain
> Controller is to add them to the "Remote Desktop Users" domain global
> group.
> In general, it is not recommended to use it, though - primarily due to
> security implications...
>

I assigned "Remote Desktop Users" to a user account but the user is
still not able to log in. I had a look into Local Security
Policy -> Security Settings / Local Policies / User Rights Assignment / Allow
log on locally: Remote Desktop Users is not in the list, and the Add User or
Group button is disabled.

Please advise what security group I should give the user so that the
user can log in to the server to perform some administrator tasks such as
resetting passwords.

Thanks
PW


Re: "You cannot log on because the logon method you are using is not allowed on this computer" [message #157668 is a reply to message #157667] Sat, 11 July 2009 00:55
Posted by aceman (United States):
"plee61" <plee61.3v56fc@DoNotSpam.com> wrote in message
news:plee61.3v56fc@DoNotSpam.com...
>
>> the simplest approach to allowing non-privileged users to log on to a
>> Domain
>> Controller is to add them to the "Remote Desktop Users" domain global
>> group.
>> In general, it is not recommended to use it, though - primarily due to
>> security implications...
>>
>
> I assigned "Remote Desktop Users" to a user account but the user is
> still not able to login. I had a look into Local Security
> Policy->Security Settings/Local Policies/User Rights Assignment/Allow
> log on locally, Remote Desktop Users is not in the list. The Add User or
> Group button is disabled
>
> Please advise what security group should I give to the user so that the
> user can login to server to perform some administrator tasks such as
> reset password.
>
> Thanks
> PW
>

Hello PW,

A non-domain administrator would not need to log on to a domain controller to
perform such tasks as resetting password. You can install the adminpak.msi
tools on the user's workstation, and once installed, instruct the user to
simply run Active Directory Users and Computers, select the OU they have
been delegated permissions, and they will be able to change or reset
password (depending on their delegated permissions).

You can also create custom consoles to only allow the user access to the OU
they are delegated permissions to. Read the following to show you how.

============================================================ ==========================================
Create a custom ADUC MMC

After you delegate permissions to a limited admin in Active Directory,
such as the ability to reset passwords, you may want to create a custom ADUC
MMC (console or custom taskpad) for the delegated admin to control the
portion of AD they are allowed in.
By Ace Fekay, MCT, MCSE
Last updated - 2/2006
---

For the last ones I created for one client (one for each 'location' OU), I
kept the right-click context menu and the tree view available in the custom
console (left pane and right pane), but I removed everything else, including
the file menu buttons and such. So under View, Customize, uncheck everything
except the top one that says Console Tree. This way they can't go up a level
or click any of the things in there, but they will have the right-click feature.

You can also choose to remove the left hand pane (tree view).

MMC 2 and 3 are the same:

Start/run/mmc, hit enter
File, Add-Remove Snap-in, Add ADUC
Drill down under the domain to the OU you want.
Rt-click on that OU, choose new window from here.
A new window pops up with the OU in the left pane and the contents in the
right pane.
Close the original ADUC window leaving the new window open that you've just
created.
Expand the window to take up the whole console.
Now they will not be able to go up levels and are 'stuck' in this OU.
View/Customize
Uncheck everything but Console Tree.
File/Options Choose Console Mode:
User mode: Limited Access, single window
Check: Do not Save Changes to this console
Uncheck: Allow the user to customize views
Save it. Logon as a test user delegated whatever perms to do on those users
and test it.

If you want to eliminate right-clicking on a user account, uncheck the
Console Tree above and change the console view by right-clicking on the OU,
choose New Task View, and choose a vertical or horizontal list, then choose
to create a new task, menu command, highlight a user account, choose reset
password, or anything else in the right column, choose an icon, and finish.

Copy the MSC file via a UNC connection to the delegated person's
workstation's Documents and Settings\username\Desktop folder.

Then copy over the following three DLLS from the 2003 DC you are on, to
their XP system32 folder. All three of these are needed on a 2003 DC or the
ADUC won't open. However, on an XP machine, you only need two. If I were to
allow users to change passwords and create a custom MMC for just that OU,
then all I need is adprop.dll and dsadmin.dll, otherwise you need all three.

adprop.dll (for object properties)
dsadmin.dll (ability to alter object properties)
dsprop.dll (for object properties related to directory services)

Then you can use PSEXEC (one of the PSTools available free from Microsoft's
site) to remotely regsrv32 the DLLS on their machines.
psexec \\machinename regsvr32 adprop.dll
psexec \\machinename regsvr32 dsadmin.dll
psexec \\machinename regsvr32 dsprop.dll
============================================================ ==========================================
Ace
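As an added example, not from Ace's write-up: the delegation step his custom console assumes has already been done, performed in PowerShell instead of the Delegation of Control wizard. It grants one group the Reset Password extended right plus read/write on pwdLastSet for user objects under one OU, which is what the wizard's "Reset user passwords and force password change at next logon" task grants. The OU and group names are placeholders, and the ActiveDirectory module (RSAT or the AD DS role) is assumed to be present.

```powershell
# Added example, not part of the original post. Delegates "Reset Password" on
# one OU to one group, so the helpdesk never needs to log on to a DC.
# Assumptions: ActiveDirectory module present; $ou and $group are placeholders.
Import-Module ActiveDirectory

$ou    = 'OU=Helpdesk-Managed,DC=example,DC=com'   # hypothetical OU
$group = 'EXAMPLE\Helpdesk-PasswordReset'          # hypothetical group

# Schema and control-access-right GUIDs; these are the same in every AD forest.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$identity = New-Object System.Security.Principal.NTAccount($group)
$acl = Get-Acl -Path "AD:\$ou"

# ACE 1: the Reset Password control access right, on user objects below the OU only
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

# ACE 2: read/write pwdLastSet, needed for "User must change password at next logon"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: list only the ACEs now granted to that group on the OU
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Scoping both ACEs to the user object class (the inherited-object-type GUID) and to descendants only is what keeps the delegation from spilling onto computers, groups or the OU itself; `dsacls "OU=Helpdesk-Managed,DC=example,DC=com"` on the DC shows the same two entries in its own notation if you prefer to double-check there.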
Re: "You cannot log on because the logon method you are using is not allowed on this computer" [message #157682 is a reply to message #157668] Sun, 12 July 2009 00:00
Posted by plee61 (United States):
Thanks for your simple step by step explanation.

I created an MMC with the Event Viewer and Active Directory Users and
Computers snap-ins on my AD Domain Server 2008 and saved it as
User mode - Full Access (for testing purposes).

I copied the MMC to another non-AD Server 2008 which is logged in to the
same domain. I opened the MMC; I can view the Event Viewer. But when I
click on Active Directory Users and Computers in the left panel, "MMC
could not create the snap-in" is shown in the right panel.
Please advise.

Also, if I really want to create a user with the "Remote Desktop" security
group, but that security group is not listed in the local group policy,
is there a way?

Thanks


Re: "You cannot log on because the logon method you are using is not allowed on this computer" [message #157683 is a reply to message #157682] Sun, 12 July 2009 00:56
Posted by aceman (United States):
"plee61" <plee61.3v713b@DoNotSpam.com> wrote in message
news:plee61.3v713b@DoNotSpam.com...
>
> Thanks for your simple step by step explanation.
>
> I created an MMC with the Event Viewer and Active Directory Users and
> Computers snap-ins on my AD Domain Server 2008 and saved it as
> User mode - Full Access (for testing purposes).
>
> I copied the MMC to another non-AD Server 2008 which is logged in to the
> same domain. I opened the MMC; I can view the Event Viewer. But when I
> click on Active Directory Users and Computers in the left panel, "MMC
> could not create the snap-in" is shown in the right panel.
> Please advise.
>
> Also, if I really want to create a user with the "Remote Desktop" security
> group, but that security group is not listed in the local group policy,
> is there a way?
>
> Thanks
>

Hello Plee61,

The steps I outlined are for the adminpak tools for 2003.

Keep in mind, the idea of making this available on an XP or another 2003
machine is to register those DLLs I mentioned. Did you register them on 2008
before trying to open ADUC in the console?

I have not tested the DLLs with 2008, however you can

I assume you've tried the built-in Remote Desktop Users group in 2008 as
Marcin mentioned, but keep in mind, a non-domain administrator, as I
mentioned in my earlier post, requires "Logon Interactive Rights" as well as
"Logon Locally" rights. This is why I do not allow non-domain admins to
logon and use a domain controller. Because once they have access, they can
do other 'tasks' and may inadvertently make a mistake that they may not
realize they are doing, and cause a problem.

This is why I use a custom MMC on THEIR desktop, not another 2008 server. If
they are only resetting passwords, they do not need to access any of the DCs
directly.

If you follow the instructions for an XP desktop, it should work fine, and
it should also work on Vista Ultimate/Business, because I've already set
this up and have it working on a Vista Business workstation and on a Vista
Ultimate laptop.

Ace