The Sign-in Method You’re Trying to Use Isn't Allowed, for more info, contact your network administrator

PerserPolis-1732 1,971 Reputation points
2025-03-24T13:50:48.4733333+00:00

Hi,

Some users cannot log in locally on the domain, with the following error:

The Sign-in Method You’re Trying to Use Isn't Allowed, for more info, contact your network administrator.

I think, but I am not really sure, that it happened after I removed "domain users" from one of my groups.

I have a group named "SLQ-Tor". That group has members such as other groups and even "domain users". The group "SLQ-Tor" is added on the domain under "Security Settings --> Local Policies --> User Rights Assignment --> Allow log on locally".

I have removed "domain users" from the group "SLQ-Tor". After that, some users get the above message:

The Sign-in Method You’re Trying to Use Isn't Allowed, for more info, contact your network administrator.

Can you explain to me why?

Regards

Windows for business | Windows Server | User experience | Other

2 answers

  1. Michael Taylor 60,326 Reputation points
    2025-03-24T14:04:50.7533333+00:00

    I'm trying to follow your logic here. You have a domain group called SLQ-Tor. That group has logon permissions to a server. That group had the domain group Domain users as a member which means every domain user was in the group. You then removed domain users from the group. Is this correct?

    At this point any user who needs to log onto the machine would now need to be added to the SLQ-Tor group as well. Furthermore you'd then need to wait for their cached credentials to update to show that they are in that new group. Note that you can check the members of a user via the UX or the CLI to confirm they are a member of the given group.

    But the error you're posting about could be caused by issues other than appropriate logon. Since we have no visibility into the policies being applied to your server you should manually review the GPO policies being applied to the server. Use the gpresult /r command to dump all the relevant memberships for the user and machine (on the server you're having issues with). Then make sure your server isn't more locked down than you thought.


  2. Anonymous
    2025-03-25T03:01:56.92+00:00

    Hello PerserPolis-1732,

    Thank you for posting in Q&A forum.
    Here is the answer for your reference.

    The KDC certificate for the domain controller does not contain the KDC Extended Key. When using Windows Server Certificate Services create a certificate based on the Kerberos Authentication Template???
    A: Do you have an AD CS server in your domain? If you have an AD CS server in your domain and you do not use certificates for authentication, it is not related to the original question in the post.
    Also, certificates are used for authentication, whereas the question is about logon. As for the relationship between logon and authentication, in my opinion, the domain user must first have the right to log on, and then in the next step it will be authenticated (successfully or not).

    For the log on question, you can try to check as below:

    Find the GPO (maybe the Default Domain Policy or another GPO) that configures "Allow log on locally" with the group "SLQ-Tor" (this GPO is also linked to the OU or domain containing the machines with the error message you mentioned above). Edit this GPO and check whether "Domain Users" is configured in "Allow log on locally"; if not, you should add "Domain Users" to "Allow log on locally".

    After that, on one non-working machine with the error message you mentioned above, run gpupdate /force or restart the machine, then sign in as a domain user; this domain user should be able to log on.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou
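
The check both answers describe (does any group the affected user belongs to hold "Allow log on locally" on this machine?), as an added PowerShell example that is not part of either answer. It exports the user rights applied to the machine with secedit and compares the SIDs granted SeInteractiveLogonRight (Allow log on locally) and SeDenyInteractiveLogonRight (Deny log on locally) against the user's token groups. Assumptions: an elevated prompt on the domain-joined machine that shows the error, and a placeholder UPN.

```powershell
# Added example. Run elevated on the domain-joined machine that rejects the sign-in.
# $Upn is a placeholder; pass the UPN of an affected user.
param([string]$Upn = 'jdoe@contoso.example')

# Export the user rights currently applied to this machine (GPO settings included).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightSids([string]$Right) {
    # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-...,Guest
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) { $entry.TrimStart('*'); continue }
        try {   # bare account name: translate it to a SID for comparison
            ([System.Security.Principal.NTAccount]$entry).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { Write-Warning "Cannot resolve '$entry'" }
    }
}

function Resolve-Name([string]$Sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # show the raw SID if it cannot be resolved
}

# SIDs the user presents at logon: own SID plus token groups (nested groups included).
$id = [System.Security.Principal.WindowsIdentity]::new($Upn)
$userSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$allow = @(Get-RightSids 'SeInteractiveLogonRight'     | Where-Object { $userSids -contains $_ })
$deny  = @(Get-RightSids 'SeDenyInteractiveLogonRight' | Where-Object { $userSids -contains $_ })

"Allowed through: " + (($allow | ForEach-Object { Resolve-Name $_ }) -join ', ')
"Denied through:  " + (($deny  | ForEach-Object { Resolve-Name $_ }) -join ', ')
if ($deny)      { 'Result: blocked by "Deny log on locally" (deny overrides allow).' }
elseif ($allow) { 'Result: user rights permit local logon; look at other policies.' }
else            { 'Result: no "Allow log on locally" entry covers this user.' }
```

An empty "Allowed through" line for a user who could sign in before the change shows that their only path to the right was the removed "Domain Users" membership, so the fix can be a narrower group than "Domain Users".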


