Users can't login to PCs unless they have admin rights

ExoAdmin 1 Reputation point
2022-10-20T11:41:08.327+00:00

Hi,

I have a local AD server with one domain. After moving users from "Users" to their OUs they couldn't log in - error "The sign-in method you're trying to use isn't allowed. For more info, contact your network administrator." This error occurs with every account that is not Domain Admin, and does not occur on Windows 10 machines and only one W11 machine.

After googling I did:

• Created a GPO with "Allow logon locally", linked it to the OU and made sure that in "Security Filtering" in the "Scope" tab my group is visible - no changes.
• Disconnected the PC from the domain, deleted its record in AD, connected it back to the domain - works, but not always. It fixed a PC with W11 (a different machine from before) but not with W7 (yes, I know I should get rid of it) unless the user was added locally as admin on that machine.

I was using "gpupdate /force". One machine couldn't apply all machine policies, but after running it again without changing anything it was successful. I made a report after the unsuccessful update, but it just says that it was unsuccessful and that's all.

nslookup returns
Default Server: Unknown
Address: <correct DC IP>

When I ask to look up machine names it returns
Name: <PC name>.<domain name>
Address: <correct PC IP>

Added a DNS Reverse Lookup Zone for the machine I was using nslookup on, but that did nothing for either the nslookup or the login.

DC is on WinServer 2016 and forest functionality is 2016


5 answers

  1. Gary Reynolds 9,621 Reputation points
    2022-10-21T09:27:10.927+00:00

    It sounds like someone has created a policy to set the Allow Log on Locally setting and set it to override and forgot to include the default entries which allows normal users to logon.

    The defaults are:

    • On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
    • On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators.

    If you run rsop.msc this will create a report of the policy that are applied. You will need to either update the policy or change the settings so it doesn't override other policies.


    Gary.


  2. ExoAdmin 1 Reputation point
    2022-10-20T13:03:39+00:00

    Turns out the logon policy is not being applied on local machines. Password policy or shortcuts are applied properly, but "allow log on locally" is not. "gpresult /force" still says that both machine and user policy are applied successfully. I can't change it manually.


  3. ExoAdmin 1 Reputation point
    2022-10-21T06:57:44.827+00:00

    I think this login problem has to do with missing Users group on "Allow log on locally" policy. I can't modify that policy manually on machines. Creating GPO in domain and linking it to OU does nothing, linking it to the whole domain does nothing as well.

    gpresult in HTML shows the policy I made as applied, but the groups do not change.

    "Allow log on locally" has 3 number-like groups:
    S-1-5-32-548
    S-1-5-32-549
    S-1-5-32-550

    It also has
    Administrators
    Backup operators
    Domain Controllers

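    The three SIDs quoted above resolve to BUILTIN\Account Operators (S-1-5-32-548), BUILTIN\Server Operators (S-1-5-32-549) and BUILTIN\Print Operators (S-1-5-32-550); BUILTIN\Users is S-1-5-32-545. The following is an added example, not code from the thread and not Gary's rsop.msc walkthrough: a PowerShell script, run from an elevated prompt on an affected workstation, that exports the effective user-rights assignments with secedit and resolves the raw SIDs to names, so you can see directly whether BUILTIN\Users is still in "Allow log on locally" and whether anyone has landed in "Deny log on locally". The temporary file path, the function names and the warning text are my own choices.

```powershell
# Added example: show the effective "Allow log on locally" and "Deny log on locally"
# assignments on this machine with SIDs resolved to account names.
# Run in an elevated PowerShell session (secedit /export needs admin rights).

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch path; any writable location works
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-SidName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        "$Sid (unresolved)"   # e.g. a SID from a domain this machine can no longer reach
    }
}

function Get-UserRight {
    param([Parameter(Mandatory)][string]$Right)
    # secedit writes one line per right, e.g.:
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
    # A missing line means nobody holds that right.
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $values = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($v in $values) {
        $v = $v.Trim()
        if ($v.StartsWith('*')) { Resolve-SidName $v.Substring(1) }   # '*' marks a raw SID
        else { $v }                                                  # secedit may emit plain names
    }
}

$allow = @(Get-UserRight 'SeInteractiveLogonRight')       # "Allow log on locally"
$deny  = @(Get-UserRight 'SeDenyInteractiveLogonRight')   # "Deny log on locally" (wins over allow)

'Allow log on locally:'; $allow | ForEach-Object { "  $_" }
'Deny log on locally:';  $deny  | ForEach-Object { "  $_" }

# The symptom in this thread: ordinary users are rejected because BUILTIN\Users
# is no longer in the allow list, or a user/group of theirs is in the deny list.
if ($allow -notcontains 'BUILTIN\Users') {
    Write-Warning 'BUILTIN\Users is missing from "Allow log on locally"; non-admin users will see "The sign-in method you''re trying to use isn''t allowed".'
}
if ($deny.Count -gt 0) {
    Write-Warning 'Accounts in "Deny log on locally" are blocked even if they are also allowed.'
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

    If the allow list on a workstation shows only Account Operators, Server Operators and Print Operators alongside Administrators and Backup Operators, that is the domain-controller default set, which is why the Users entry a workstation normally carries is gone; compare the output with the "Allow log on locally" value in the GPO that rsop.msc names as winning.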

  4. ExoAdmin 1 Reputation point
    2022-10-21T12:38:12.623+00:00

    That was me, but I didn't set anything to override it. This problem occurred after moving users from the folder "Users" to an OU. After that I allowed users to log in with only the "Users" group added to that policy in a different policy object.

    All the changes to policy were made on the DC, and the results are from W7 and W11 workstations.

    I added:

    • Administrators
    • Backup Operators
    • Domain Controllers
    • Users

    to the allow log on policy. My logic was to allow every group that the local machine has and add the group "Users" on top of it.

    I could log into those two machines with W7 and W11 only after moving machines to the new OU, users to their OU, linking both default policies to the users OU, and instead of using my policy made only for the log on policy, I added that to "Default Domain Policy", and then I just logged on to the admin's account, ran "gpupdate /force" and the user could log in with no problems.

    The only issue I have now is that they can't shut down the PC. They have to log off, and from the login screen they can shut down the PC. I see the policy for that in the same place, so I'll just add users and admins to do that.

    My policy was listed in gpresult, but didn't apply.

    So to summarize:

    • I don't use my log on policy
    • I added log on policy to "Default Domain Policy"
    • All user accounts are in an OU, NOT in the Users folder
    • PCs are in their OU
    • "Default Domain Policy" is linked to the users' OU, no links to the PCs' OU; the policy is linked to the domain as well, and applies to everything

    I should delete one of the Default Domain Policy links. I think I can delete the one in the users OU and everyone should be able to log in.


  5. Limitless Technology 44,776 Reputation points
    2022-10-24T15:38:38.68+00:00

    Hello there,

    If you see The sign-in method is not allowed error, it means that the resulting Group Policy settings prevent local sign-in for a current user account. Most often the error appears if you try to sign in to a computer using a guest account or to a domain controller using a user account without domain administrator privileges.

    There is another policy to prevent local interactive sign-in to Windows in the GPO section. The policy is called Deny log-on locally.

    Another reason why you can see the "The sign-in method you are trying to use isn't allowed" error is when the list of computers a user is allowed to log on to is restricted in the LogonWorkstations user attribute in AD. Using the Get-ADUser PowerShell cmdlet, you can display the list of computers a user is allowed to log on to and verify the same.

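    As an added example that is not part of the reply above: a PowerShell check for the LogonWorkstations restriction it mentions. It tests one user against the computer the script runs on and also lists every account in the domain that has the restriction set at all, which is the quicker way to rule it out when many users are affected. It assumes the ActiveDirectory RSAT module is installed; the account name jdoe is a placeholder.

```powershell
# Added example: is this user's sign-in limited to specific workstations?
# LogonWorkstations is the "Log On To..." setting in ADUC and is stored as a single
# comma-separated string of NetBIOS computer names. Empty means "all computers".
Import-Module ActiveDirectory

function Test-LogonWorkstation {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations

    if ([string]::IsNullOrWhiteSpace($user.LogonWorkstations)) {
        return [pscustomobject]@{
            User         = $SamAccountName
            Restricted   = $false
            Allowed      = $true      # no restriction, so this attribute cannot be the cause
            Workstations = @()
        }
    }

    $list = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
    [pscustomobject]@{
        User         = $SamAccountName
        Restricted   = $true
        Allowed      = ($list -contains $ComputerName)   # -contains is case-insensitive
        Workstations = $list
    }
}

# One user against the current machine ('jdoe' is a placeholder account name).
Test-LogonWorkstation -SamAccountName 'jdoe' -ComputerName $env:COMPUTERNAME | Format-List

# Every account that has any workstation restriction set.
Get-ADUser -Filter 'LogonWorkstations -like "*"' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations |
    Format-Table -AutoSize

# To remove the restriction for one user (only if that is actually intended):
# Set-ADUser -Identity 'jdoe' -Clear LogonWorkstations
```

    Note that a LogonWorkstations mismatch produces the same "sign-in method" message as a missing "Allow log on locally" right, so check this attribute before assuming the cause is Group Policy; if the second query returns nothing, the restriction is not in play for any account.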
