The Sign-in Method You’re Trying to Use Isn't Allowed, for more info, contact your network administrator

Question

The Sign-in Method You’re Trying to Use Isn't Allowed, for more info, contact your network administrator

PerserPolis-1732 1,971

Hi,

some users cannot login locally on the domain with following Error

The Sign-in Method You’re Trying to Use Isn't Allowed, for more info, contact your network administrator.

User's image

I thing but not really sure, after I have removed the "domain users" from one of my groups,

I have a group named "SLQ-Tor". That group have members like others groups and even "domain users". That group "SLQ-Tor" is added on the domain under "Security Settings-->local Policies-->user Right Assignment---->Allow log on locally.

I have removed the "domain users" from the group "SLQ-Tor". After that some users get the above message

The Sign-in Method You’re Trying to Use Isn't Allowed, for more info, contact your network administrator.

Can you explain me why?

Regards

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

2 answers

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

Michael Taylor 60,326

I'm trying to follow your logic here. You have a domain group called SLQ-Tor. That group has logon permissions to a server. That group had the domain group Domain users as a member which means every domain user was in the group. You then removed domain users from the group. Is this correct?

At this point any user who needs to log onto the machine would now need to be added to the SLQ-Tor group as well. Furthermore you'd then need to wait for their cached credentials to update to show that they are in that new group. Note that you can check the members of a user via the UX or the CLI to confirm they are a member of the given group.

But the error you're posting about could be caused by issues other than appropriate logon. Since we have no visibility into the policies being applied to your server you should manually review the GPO policies being applied to the server. Use the gpresult /r command to dump all the relevant memberships for the user and machine (on the server you're having issues with). Then make sure your server isn't more locked down than you thought.

PerserPolis-1732 1,971 Reputation points

2025-03-24T14:29:14.5266667+00:00

No, the user dont need the group "SLQ-Tor" for login, because that group is a Microsoft Dataware House group and is added to the not related for login.

That group is added only on the "Allow log on locally" under under "Security Settings-->local Policies-->user Right Assignment.

Could the error by the following Message I get:

The KDC certificate for the domain controller does not contain the KDC Extended Key . When using Windows Server Certificate Services create a certificated based on the Kerberos Authentication Template.

???
Michael Taylor 60,326 Reputation points

2025-03-24T14:44:10.71+00:00

Possibly. I have no knowledge of KDC certificates. Perhaps someone else can answer your question.

Not sure why you bothered to mention SLQ-Tor and Domain users in your question if the former group doesn't have anything to do with this problem as you're now describing. If Domain Users have login permissions to the server, which they do by default, then the problem isn't a permissions issues at this point.

Answer 2

Hello PerserPolis-1732,

Thank you for posting in Q&A forum.
Here is the answer for your reference.

The KDC certificate for the domain controller does not contain the KDC Extended Key . When using Windows Server Certificate Services create a certificated based on the Kerberos Authentication Template???
A: Do you have an AD CS server in your domain? If you have one AD CS server in your domain and you do not use certificate to authentication, it is not related to the original question in the post.
Also, certificate is used to authentication, now the question is about logon. For the relationship between logon and authentication, in my opinion, first, the domain user must have rights to allow to logon, then next step it will be authenticated (successful or failed).

For the log on question, you can try to check as below:

Find one GPO (maybe Default Domain Policy or other GPOs) that configured "Allow Log on locally" with the group "SLQ-Tor" (also this GPO is linked to OU or domain with these machine with the error message you mentioned above), edit this GPO and now you need to check if the "Domain Users" is configured in "Allow Log on locally", if no, you should add the "Domain Users" into "Allow Log on locally".

After that, on one non-working machine with the error message you mentioned above, run gpupdate /force or restart the machine, sign in one domain user, this domain user should be able to logon.

User's image

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

PerserPolis-1732 1,971 Reputation points

2025-03-25T09:35:17.88+00:00

Hi Zhou,

Thanks for your replay. I think you have understood my question not correct. The Group "SLQ-Tor" is only a Microsoft Dataware House group and not for login any users. It is only group to manage the Data Ware House. The user has login in the past without any issue. Only when I remove "SLQ-Tor" the "Domain User" from that group, some user cannot login any more to the domain and get the error I mention

Share via

The Sign-in Method You’re Trying to Use Isn't Allowed, for more info, contact your network administrator

2 answers

Your answer