Re: Huh? "Login failure: the user has not been granted the requested logon type at this computer"
From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 11/02/02
- Next message: Michel Gallant (MVP): "Re: Antivirus engine check utility"
- Previous message: Michel Gallant (MVP): "Re: Antivirus engine check utility"
- In reply to: Joel Wachman: "Huh? "Login failure: the user has not been granted the requested logon type at this computer""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com> Date: Sat, 2 Nov 2002 09:09:26 -0500
"Joel Wachman" <jow@attbi.com> wrote in message
news:I2Gw9.214140$%d2.71965@sccrnsc01...
> Please help. I'm a pretty experienced Windows user and programmer, but
I've
> got to admit this one has me stumped.
>
> - I'm running Windows 2000 Professional on two computers, both members of
> the same workgroup.
> - I'm logged in as X on computer 1, and I'm trying to map a shared network
> drive on computer 2.
> - Computer 2 has a user called Y.
> - User X only exists on computer 1. User Y only exists on computer 2
> - Both users, X and Y, have administrator priveleges on their respective
> machines.
> - The share on computer 2 gives all access rights to "Everyone".
>
> On computer 1, I try to map the network drive on computer 2. It asks me
for
> a username/password to authenticate.
> I supply Y's credentials. The message I get is:
>
> "Login failure: the user has not been granted the requested logon type
> at this computer"
>
> Now, the strange thing is that this has only begun to happen recently. In
> the past, I have been able to map this drive with no problem, giving Y's
> credentials on computer 2. Two things have changed:
>
> 1. I've recently changed Y's password
> 2. I recently ran chkdsk to fix a bad block on computer 2, and it deleted
> some DLLs. (I don't know what was deleted because the list flew off the
> screen before I had a chance to copy it.)
>
> Here's another possible piece of evidence:
>
> Even though the two computers are in the same workgroup, I can't get
> computer 1 to see computer 2 in "Network Neighborhood".
>
> Does this situation sound familiar to anyone?
A lot of people have been having this problem recently. If reinstalling the
Windows Service Pack as recommended in the other post here doesn't help, you
could log locally into the troubled workstation, launch MMC, add the Group
Policy MMC, and find the section on Interactive logons and logons via the
network. This would be under Computer Configuration, Windows Settings,
Security
Settings, Local Policies, User Rights Assignment.
Note that the Deny logon settings override the Grant logon settings, so that
if you are in the Grant list but the Everyone group for example is in the
Deny list, you will not be able to login.
Note that there is a
column for Local settings and one for Effective settings. If the Effective
setting is wrong while the Local setting is right, Group Policy has been
changed in Windows 2000 Active Directory and must be changed there [look in
the Active Directory Users and Computers MMC on the server and right-click
on the appropriate OU to see the Group Policy for that OU].
If this is a problem with missing the Interactive logon type and you can't
log in locally to the troubled computer to fix the problem, here are some of
the other things that have been tried:
=============
If the computer is joined to an Active Directory domain, you could use Group
Policy to change the settings on the computer and reboot the computer or
wait 90 minutes or so for the changes to take effect.
OR, you could try the tips below:
www.jsifaq.com/SUBG/TIP3300/rh3361.htm
www.jsifaq.com/SUBI/tip4100/rh4187.htm
============
OR, the NTRIGHTS.EXE tool can also be used to reset this permission remotely
using another computer on the same network. Note that the Deny Interactive
Logon setting takes precedence over the Allow Interactive Logon setting.
So, if the problem is that the Administrator ID is in a group that has been
assigned the Deny Interactive Logon setting, using NTRIGHTS to add the
Administrator to the Allow Interactive Logon list will not fix the problem.
Instead, you would need to also determine the group that has been added to
the Deny Interactive Logon list and use NTRIGHTS to remove that group from
the list.
More information can be found in the articles below:
http://www.jsifaq.com/SUBI/tip4100/rh4187.htm
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q276590
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q152478
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q227904
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q276580
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q276590 - Using
NTRIGHTS.EXE
While some of the Windows Resource Kit utilities are available for free
download at www.microsoft.com/windows2000/techinfo/reskit/tools, the
utilities discussed here do not appear to be available for free. The
Windows Resource Kit books and CDs are available for purchase at a variety
of stores and web sites where books and software are sold [such as
www.bn.com, www.amazon.com, www.bestbuy.com, www.microsoft.com, etc.] A
full list of Windows 2000 Resource Kit tools is available at:
www.microsoft.com/windows2000/techinfo/reskit/rktour/server/S_tools.asp
OR, manually renaming the SAM files at C:\WINNT\SYSTEM32\CONFIG\SAM and
C:\WINNT\REPAIR\SAM might also fix this problem [and would also delete all
other local accounts which you had created on your computer, and reset the
Administrator password to be blank].
This can be done by booting from a DOS or Windows 9x boot floppy [though if
your hard drive is formatted in NTFS format, you can't rename files this way
unless you purchase NTFSDOS Pro from www.winternals.com ]. You can also
rename the SAM files by moving the hard drive from the computer to another
Windows 2000/XP/NT computer, or by installing a second copy of Windows
2000/XP/NT to a different folder on the computer.
[Thanks to Raymond Sinnappan, Sandi Hardmeier and others]
If none of these help, try booting into Safe Mode or Recovery Console mode
and see if you can run the NTRIGHTS utility from a floppy.
=======================
"praks25" <praks25@aol.com> wrote in message
news:0b5201c27bb6$bebe44c0$35ef2ecf@TKMSFTNGXA11...
> I have solved the problem regarding logon rights for the
> administrators' group to the domain controller.
> It was then that I noticed that the "deny interactive
> logon right" and "deny network logon right" were set in
> the domain controller group policy.
> the use to "net use" command to rename the "secedit.sdb"
> file and copy a new "secedit.sdb" or the "admin pak"
> utility or the "ntrights.exe" utility did not work.
> Since the "deny network logon rights" was set for the
> administratotrs group there was no way to access the
> domain controller from the network. thus the "net use"
> and "admin pak" did not work.
> I obtained the "NTrights.exe" program and tried using that
> but it gave me an "open policy" error, which meant that
> the problem was not with local policy setting but with
> the "domain group policy setting"
> thus I accessd the domain controller using a user account
> and rebooted the machine. I then went into "directory
> services restore mode" using the function key "F8" as the
> computer booted up.
> this mode booted the domain controller into safe mode and
> without the domain.
> the directory services restore mode has a usernmae and
> password which you have to use to access the desktop. it
> has to be the root account which is "administrator" and
> usually has a password set by default to "password"
> this gives you administrator access to the desktop from
> where you can redefine any local policy setting that needs
> to be changed but since the computer has not booted as a
> domain controller or booted into the domain you cannot
> access any of the domain objects
> in "start\programs\administrator".
> thus I went to "mycomputer\root partition-
> C:\winnt\SYSVOL\sysvol\domainname.com\policies\6AC1786.....
> \machine\microsoft\Windows NT\secedit\gptTmpl
> the GPtTmpl is a template that opens in "notepad" and has
> all the group policy rights and different SID's associated
> with all these different rights
> scrolling down to the bottom of the page I noticed
> that "SEDenyInteractiveLogonRight" had a few SID's
> associated with it and also "SEDenyNetworkLogonRight" had
> a few sid's associated with it.
> Lokking through Microsoft's knowledge base and finding out
> the SID's from different groups and users I noticed that
> the administrator group has the following SID which was
> also found next to the deny rights, *S-1-5-32-544
> The everyone group has the following SID *S-1-1-0
> Thus I removed all SID's associated with all teh
> different "deny logon rights" and added the "everyone" SID
> to the "logon locally" right and
> the "InteractiveNetworkLogon" right.
> I saved the file and rebooted the machine I waited for 5
> minutes for the new settigns to propogate and the machine
> was all set. the Administrator had full control of the
> machine.
==================
- Next message: Michel Gallant (MVP): "Re: Antivirus engine check utility"
- Previous message: Michel Gallant (MVP): "Re: Antivirus engine check utility"
- In reply to: Joel Wachman: "Huh? "Login failure: the user has not been granted the requested logon type at this computer""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
