Re: Event 533: User not allowed to logon at this computer

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 01/24/05


Date: Mon, 24 Jan 2005 12:45:45 -0600

When this happens see if only that user is unable to logon to the "domain"
or this happens to all domain users trying to logon from that workstation.
Since unjoining and rejoining to the domain fixes the problem it sounds like a
problem with secure channel or computer password expiring. When you "reset"
the computer account, make sure you do not do that in AD Users and Computers
as that will break it but netdom should work. Next time it happens run the
netdiag support tool on the problem workstation to see if it reports any
problems with DC discovery, DNS, Kerberos, trust/secure channel and also
check Event Viewer on the problem workstation. Also verify that the problem
computers are configured correctly for DNS and have network connectivity to
the domain controllers. Since you are experiencing problems I would also run
netdiag and dcdiag on the domain controllers and check Event Viewer on both
of them. A common problem is having ISP DNS servers listed in the preferred
DNS server list of ANY domain computer which must NEVER be done. The links
below may help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- AD DNS FAQ.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag and how to install support tools.

"Jeremy Sun" <binmann@hotmail.com> wrote in message
news:OWF4G8dAFHA.3840@tk2msftngp13.phx.gbl...
> I am the system administrator of 400 Windows 2000 Professional in a Windows
> 2000 AD. From time to time, 1 or 2, maybe 10 computers suddenly show this
> error message "User not allowed to logon at this computer" or something like
> that, when a normal domain user tries to log on.
>
> The same user is able to log into other workstations that are in the same
> OU.
>
> Reboot does not solve the problem. Reset the computer account does not solve
> the problem. Leave the workstation for a few days does not solve the
> problem.
>
> Disjoin the workstation from domain and rejoin it back solves the problem.
>
> Users belonging to the local administrators group are able to log onto the
> computer.
>
> I used the domain admin to logon and checked the local security settings. I
> found nothing wrong. I checked the local groups and found nothing wrong too.
> When I checked the event log, there were 533 events generated every time a
> denied logon was attempted. Other than that there was nothing suspicious. I
> used "netdom" to verify the security channel and it returned an ok to me. I
> had turned off the workstation maintenance policy ages ago. That did not
> help.
>
> Any idea?
>
> Jeremy
>
>
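
Added example, not part of the original thread: the first check suggested in the reply (is one user denied on a workstation, or several domain users?) applied to Security log event 533 records exported as text. The record layout, the sample records and the names `parse_events` and `triage_533` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample export; field layout is assumed, not captured output.
SAMPLE = """\
Event ID: 533
User Name: alice
Domain: CORP
Workstation Name: WS-014

Event ID: 533
User Name: bob
Domain: CORP
Workstation Name: WS-014

Event ID: 533
User Name: carol
Domain: CORP
Workstation Name: WS-201

Event ID: 529
User Name: dave
Domain: CORP
Workstation Name: WS-201
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split the export on blank lines; return one dict per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {m.group(1): m.group(2)
               for m in map(FIELD.match, block.splitlines()) if m}
        if rec:
            events.append(rec)
    return events

def triage_533(text):
    """Map workstation -> (scope, denied domain accounts) for event 533."""
    denied = defaultdict(set)
    for ev in parse_events(text):
        ws = ev.get("Workstation Name", "?").upper()
        # Skip other event IDs and local accounts (domain == machine name).
        if ev.get("Event ID") != "533" or ev.get("Domain", "").upper() == ws:
            continue
        denied[ws].add(ev.get("Domain", "") + "\\" + ev.get("User Name", ""))
    return {ws: ("one user" if len(u) == 1 else "several users", sorted(u))
            for ws, u in denied.items()}
```

A workstation reported with "several users" is the case the reply goes on to troubleshoot with netdiag, dcdiag and the DNS settings.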