Re: Domain Administrator cannot logon to SBS 2003 LOCALLY



Well, in group policy there is a section named User Rights, and some of
these control login privileges. In this case the two that deal with local
login (one granting and one denying) are involved.
You need to either
- locate which GPO is setting this value so that Domain Admins do not
have a local login grant and adjust so they do
or
- locate a dominating GPO applied to the Domain Controllers OU and
set in it, if it is not already there (i.e. prior case), the grant of the
user right to log in locally so that the needed groups and only the needed
groups are allowed.
The User Rights section is in the Computer / Security settings / Local
policy branch.

The bigger question is whether the change is only a symptom of worse
circumstances. That is, something actively made the change, unless you
can figure out a someone that did.

I have concern when you mentioned Veritas Backup. At least twice in
the past half year a machine unshielded from untrusted networks will
have been compromised even if the owner was installing Veritas patches
and updates on the day they were released (i.e. the releases were
reactive to active exploitations for their product's flaws).


"Matthew" <Matthew@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F66CF4C1-39BB-417A-A3E5-AC3536F92F7E@xxxxxxxxxxxxxxxx
> Hi, I have a serious error with one of my servers. It is a SBS Server 2003
> running a domain, dns, dhcp and AD. Up until late last year I have not had
> any issues with this, no new software or hardware has been added either in
> the past 6 months.
> I noticed that the daily backups were failing so I tried to logon to the
> server locally as domain administrator, and the server popped up a message
> 'The user has not been granted the requested logon type at this machine' !
> So I tried to remote desktop in to the server and to my surprise I logged on
> successfully as domain administrator. I have got veritas backup exec 10
> installed and the services run as domain/Administrator, backup exec was
> reporting that backups could not be run using this account as login access
> was not granted for the domain\administrator !!!!
>
> So I started to look at the event viewer, and found this log from when I
> tried to logon locally:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 534
> Date: 24/01/2006
> Time: 09:31:58
> User: NT AUTHORITY\SYSTEM
> Computer: CMI-SERVER
> Description:
> Logon Failure:
> Reason: The user has not been granted the requested
> logon type at this machine
> User Name: Administrator
> Domain: CMI
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: CMI-SERVER
> Caller User Name: CMI-SERVER$
> Caller Domain: cmi
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 4168
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
> Any help on this matter would be a godsend, as I have been searching all over
> the place for the event error 534 and cannot find anyone with a similar
> problem.
>
> I have checked the local security policy and everything looks in order.
>
> Kind Regards
> Matt
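
The GPO check suggested in the reply, as an added example that is not part of the original thread: it reads the [Privilege Rights] section of each GPO's security template (GptTmpl.inf) and reports which GPO ends up controlling the local logon right (Logon Type 2 in the event above is the interactive logon governed by SeInteractiveLogonRight and SeDenyInteractiveLogonRight). It assumes the template text of each GPO is supplied in application order; the function names, the "later GPO" and the domain SID are constructed for illustration.

```python
# Added example; GPO names, SIDs and template text below are constructed.
GRANT, DENY = "SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"

def privilege_rights(inf_text):
    """Parse the [Privilege Rights] section of a GptTmpl.inf-style template."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # An empty value is still a definition: the right is held by nobody.
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def local_logon(templates, token_sids):
    """templates: [(gpo_name, inf_text)] in application order (last one wins).
    A user right is not merged across GPOs; the last GPO defining it replaces the list.
    Returns (verdict, gpo_name) for an account whose token holds token_sids."""
    winner = {}
    for gpo, text in templates:
        for right, sids in privilege_rights(text).items():
            if right in (GRANT, DENY):
                winner[right] = (gpo, sids)
    if DENY in winner and winner[DENY][1] & token_sids:
        return "denied", winner[DENY][0]
    if GRANT not in winner:
        return "not defined in any GPO", None
    gpo, sids = winner[GRANT]
    return ("granted" if sids & token_sids else "not granted"), gpo

# Constructed sample: a default-style DC policy, then a later GPO that narrows the grant.
DC_POLICY = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
"""
LATER_GPO = """[Version]
signature="$CHICAGO$"
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-551
SeDenyInteractiveLogonRight =
"""
# Token of a domain Administrator: BUILTIN Administrators plus a constructed Domain Admins SID.
ADMIN_TOKEN = {"S-1-5-32-544", "S-1-5-21-1111111111-2222222222-3333333333-512"}

if __name__ == "__main__":
    order = [("Default Domain Controllers Policy", DC_POLICY), ("Constructed later GPO", LATER_GPO)]
    print(local_logon(order, ADMIN_TOKEN))
```

A "not granted" verdict names the GPO whose list has to be adjusted; "denied" points at the deny right instead, which takes precedence over any grant.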

