Azure virtual machine logon issues

Gareth Davies 0 Reputation points

We have a number of virtual servers in Azure, a mixture of server 2019 and server 2022. The machines are in 5 resource groups.

Most of these are fine, I can connect to them using RDP and Bastion. However, I have 1 server that will only allow me to log on using the local admin account or a global admin account. The others will allow domain admin accounts to log on (global admin accounts are not domain admins and domain admins are not global admins).

If I try to log on to the problem server using a domain admin account it says "A user account restriction (for example a time of day restriction) is preventing you from logging on."

The security event log says the account is not recognized, yet the same account can be used to add users to the administrators group on the server so it is a valid account and is able to log into all other Azure servers without issue.

The problem server is in the same resource group and has the same NSG settings as one other that allows the domain admin accounts to log on.

The server is able to ping the on prem DCs

What can be causing this? The server is configured exactly the same way as the other one in the same RG and NSG, the domain admin accounts are listed in the administrators group on the server and have all been added individually to the admin group yet we are still unable to log in with any account other than a GA or local admin

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
6,302 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,147 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
17,499 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Alan Kinane 16,646 Reputation points MVP

    This could be a local policy restriction on the server, such as this:

    Otherwise, are you using protected user groups? This can require Kerberos authentication instead of NTLM which might be the issue for this particular server.

  2. Gareth Davies 0 Reputation points

    I found the issue.

    Not sure why, but the admin accounts were not listed as owners of the virtual machine despite being owners of the subscription and everything else including the other machine in this subscription.

    I added the accounts to the owners privileged role, waited a while and tried again. I was able to log in using my admin account.

    These virtual machines were set up by a 3rd party who ignored our naming convention instructions and most other requests we made so I shouldn't be surprised they didn't follow a standard pattern for the setup of them.

    The moral of this story - if you didn't set it up yourself check EVERYTHING.

    Thanks for the advice and suggestions