Azure virtual machine logon issues

Question

Azure virtual machine logon issues

Gareth Davies 0

We have a number of virtual servers in Azure, a mixture of server 2019 and server 2022. The machines are in 5 resource groups.

Most of these are fine, I can connect to them using RDP and Bastion. However, I have 1 server that will only allow me to log on using the local admin account or a global admin account. The others will allow domain admin accounts to log on (global admin accounts are not domain admins and domain admins are not global admins).

If I try to log on to the problem server using a domain admin account it says "A user account restriction (for example a time of day restriction) is preventing you from logging on."

The security event log says the account is not recognized, yet the same account can be used to add users to the administrators group on the server so it is a valid account and is able to log into all other Azure servers without issue.

The problem server is in the same resource group and has the same NSG settings as one other that allows the domain admin accounts to log on.

The server is able to ping the on prem DCs

What can be causing this? The server is configured exactly the same way as the other one in the same RG and NSG, the domain admin accounts are listed in the administrators group on the server and have all been added individually to the admin group yet we are still unable to log in with any account other than a GA or local admin

Answer 1

Alan Kinane 16,646 MVP

This could be a local policy restriction on the server, such as this: https://www.windowsdigitals.com/remote-desktop-a-user-account-restriction-is-preventing-you-from-logging-on/

Otherwise, are you using protected user groups? This can require Kerberos authentication instead of NTLM which might be the issue for this particular server.

https://www.easy365manager.com/a-user-account-restriction-is-preventing-you-from-logging-on/

Gareth Davies 0 Reputation points

2023-11-02T13:25:12.4566667+00:00

The server is domain joined, the only local account is the localadmin which can log on via RDP. The accounts that are being blocked are all domain admin accounts, there are no time restrictions in place (they can all log on to other servers just fine no matter the time of day. I checked the time restrictions in ADUC anyway but there was nothing set as I expected. There are no users or groups set in the deny logon policy setting. Password complexity is set via GPO and applies the same requirement on all servers.

So none of the possible causes listed apply here but the accounts are still denied logon
Gareth Davies 0 Reputation points

2023-11-02T16:09:00.08+00:00

ok, so it looks like this is caused by the accounts being in the protected users group in AD.

However, I don't understand why only this 1 server is blocking logon, we have 7 servers in Azure, 6 of them allow the protected users group members to log in using RDP.

I've been searching for how to resolve this, and everything points to this being a universal restriction with a universal fix, clearly not the case if only this 1 server is blocking the accounts from logging on.

As a test I removed my admin account from the protected users group and was able to log on to the server. As soon as I added the account back into protected users I lost access to the server again.

Is there a local security setting I have missed on this machine?
Alan Kinane 16,646 Reputation points MVP

2023-11-02T16:40:48.2066667+00:00
Protected Users Groups prevent a number of things from happening such as:

Authenticate with NTLM authentication.

Use DES or RC4 encryption types in Kerberos pre-authentication.

Be delegated with unconstrained or constrained delegation.

Renew the Kerberos TGTs beyond the initial four-hour lifetime.

There must be something specific with this server that is not allowed. Have a look at this article: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

I'd say you will need to log at the Windows event logs as mention in the troubleshooting section in the link to try and pinpoint what the specific issue is here.

Answer 2

Gareth Davies 0

I found the issue.

Not sure why, but the admin accounts were not listed as owners of the virtual machine despite being owners of the subscription and everything else including the other machine in this subscription.

I added the accounts to the owners privileged role, waited a while and tried again. I was able to log in using my admin account.

These virtual machines were set up by a 3rd party who ignored our naming convention instructions and most other requests we made so I shouldn't be surprised they didn't follow a standard pattern for the setup of them.

The moral of this story - if you didn't set it up yourself check EVERYTHING.

Thanks for the advice and suggestions

vipullag-MSFT 22,741 Reputation points Microsoft Employee

2023-11-03T05:22:35.0966667+00:00

Hello Gareth Davies

Thanks for sharing the resolution for the benefit of community.

We noticed your have rated low on one of the answer as not helpful. Thank you for taking time to share feedback.

As the issue is resolved now, request you to take a resurvey.

Azure virtual machine logon issues

2 answers

Activity