This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 55.00000000000001%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
Hello,
I have a strange issue:
two service accounts:
AccountT
AccountP
Two servers Windows Server 2019 Standard:
ServerA
ServerB
The servers have been rebooted several times during the troubleshooting...
the two servers are in the same OU and should have the same GPOs...
I set the two accounts as Local Administrators on both servers.
When I am on ServerA:
Both accounts are able to start the services...
When I am on ServerB:
The account AccountT is able to start the service.
The account AccountP is not able to start the service
"Error: The user isn't allowed to sign in to this computer"
If I start the service with account AccountT on ServerB and then change the account to AccountP I am able to restart the service successfully!!
They have the same set of WINS servers in the same order.
I verified also their registration ...
nbtstat -a ServerA
Prod: PS C:\Windows\system32> nbtstat -a ServerA
Ethernet0:
Node IpAddress: [10.17.82.70] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
SERVERA <00> UNIQUE Registered
AD <00> GROUP Registered
SERVERA <20> UNIQUE Registered
MAC Address = 00-50-56-8F-49-17
=========================================
Prod: PS C:\Windows\system32> nbtstat -a ServerB
Ethernet0:
Node IpAddress: [10.17.82.70] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
SERVERB <00> UNIQUE Registered
AD <00> GROUP Registered
SERVERB <20> UNIQUE Registered
MAC Address = 00-50-56-8F-49-17
================================================
I checked also :
Local Computer Policy > Windows Settings > Local Policies > User Rights Assignment
Any idea?
Thanks,
Dom
Hello,
They have the same AD policies.
I checked the event log and apparently the services are starting and then later on stopped by themselves...
I am trying to remove FireEye & Sophos to see if it is these products who create issues not having the proper exclusions for the application.
Thanks,
Dom
What about using runas.exe to launch cmd.exe as that account? Then use "whoami /all" to review group and privilege info?
Hello,
For the first account svcBedMasterT it open the Runas window but the path remain mine C:\Users\rmppqx not the one for the account C:\User\svcBedMasterT is it normal? this is the result:
C:\Users**rmppqx**>whoami /all
USER INFORMATION
User Name SID
ad\svcbedmastert S-1-5-21-73586283-1284227242-1801674531-797347
GROUP INFORMATION
See attachment
But for the second account it does not open the window at all!!!
]
So there are differences ???
Send the screen shot to our AD team for answers...
Thanks,
Dom
212724-book1.txt
Hello,
For the first account svcBedMasterT it open the Runas window but the path remain mine C:\Users\rmppqx not the one for the account C:\User\svcBedMasterT is it normal? the result is per attachment:
C:\Users**rmppqx**>whoami /all
USER INFORMATION
User Name SID
ad\svcbedmastert S-1-5-21-73586283-1284227242-1801674531-797347
GROUP INFORMATION
See attachment
But for the second account it does not open the window at all!!!
!
So there are differences ???
Send the screen shot to our AD team for answers...
Thanks,
Dom
[212724-book1.txt][2]
[2]: /api/attachments/212724-book1.txt?platform=QnA
There has got to be something in Active Directory that is preventing that account from logging on.
Hello,
These has been verified several times -- still checking.
Thanks,
Dom
What about events in the security eventlog? And run gpresult to verify that AD policies are the same.
Check the "log on to" restrictions on the account in AD.
We replaced the old accounts (2010):
by two new accounts and everything suddenly works well....
Not sure the reason but the AD team was arguing about various AD upgrades whioch might have interfed with the files/properties on the accounts..
Thanks,
Dom
Thanks a lot I had sent tom the AD team the information above... waiting for them to respond...