Re: your account is configured to prevent you from using this computer

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/02/03 

Date: Mon, 1 Dec 2003 22:53:10 -0700

That domain behavior results from groups listed in the
log on locally and log on over the network user rights
(XP introduced the two deny versions of these, which
are not used in a default domain joining).

You have verified that Users group is grant the log on
locally user right, that the account is in Users, and that
there is no group in the Deny local logon user right that
has as a member the account.

If in the Auditing policies you have login events being
audited for success and failure, it is totally bizarre that
you are not receiving any events in an otherwise functioning
security event log.

What are the NTFS settings on the account's profile ?
Does the account have Full control of its own profile ?
(above does not align with message reported, but . . .)

Is there a registry.pol file in the folder
system32\GroupPolicy\User ? 

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
<anonymous@discussions.microsoft.com> wrote in message
news:033401c3b844$7d96fd40$a101280a@phx.gbl...
> I did verify that the security log is configured
> correctly. I have tried verifying that with using an
> incorrect password and I did come up with an event on the
> security log.
>
> This problem is behavior consistant with a domain
> evironment where a user is allow to log onto only specific
> PCs. Thus the rub, I'm a standalone PC. :-(
>
>
> >-----Original Message-----
> >Go into Computer Management/Event Viewer/security log and
> clear [right click/clear
> >all events] it to see if it helps. If it does then set
> your security log to overwrite
> >events as needed.  --- Steve
> >
> >
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:023901c3b837$39781930$a101280a@phx.gbl...
> >> I did try to recreate the account with the same
> >> memeberships and even tried to create other new
> accounts,
> >> all with the same result. I do have logging enabled.
> That
> >> was interesting as well, the security log isn't showing
> >> anything. Since my son isn't being allowed to log on,
> >> it's not coming up with an error such as a wrong
> password.
> >>
> >> Any idea what the deal is?
> >>
> >> Toli
> >> >-----Original Message-----
> >> >If you define a new limited account (one with group
> >> >memberships equal to those of your son's problem
> >> >account) does it show any login issues ?
> >> >
> >> >You seem to have covered the bases as far as user
> rights
> >> >are concerned.
> >> >What is showing in the security event log (assuming you
> >> >have event logging enabled) ?
> >> >
> >> >-- 
> >> >Roger Abell
> >> >Microsoft MVP (Windows Server System: Security)
> >> >MCSE (W2k3,W2k,Nt4)  MCDBA
> >> >"Toli" <beast@ihug.co.nz> wrote in message
> >> >news:04de01c3b7ce$f9225a70$a101280a@phx.gbl...
> >> >> I've run accross an interesting problem. I have my
> >> son's
> >> >> account that's getting the following popup at log on.
> >> >>
> >> >> "your account is configured to prevent you from using
> >> >> this computer"
> >> >>
> >> >> I'm on a stand alone pc. I dont have him in the "deny
> >> >> logon locally" on security policy, nor is he a member
> >> of
> >> >> a group that's affected by that policy. I do have him
> >> in
> >> >> the user's group, which can log on locally. It seems
> >> that
> >> >> only members of the local adminstrators group can log
> >> >> onto this PC. He was able to log on recently, and I
> >> >> haven't messed with the local group policy.
> >> >>
> >> >> Any ideas?
> >> >>
> >> >> Thanks
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >

Relevant Pages

  • Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
    ... Everytime I attempt to login under Basic Authentication, ... IUSR_blah account. ... the anonymous user impersonated by the IIS Server is the ... > Event Viewer Security log. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Need to filter domain admin from GPO
    ... But think always about the part that a deny is the highest blocking you set and if you forget that you have set a deny or you are not in and someone else have to search for errors, it will be really heavy to find it. ... It's best practice to use a 2nd administrator account as your ... Block inheritance (I would have to move the domain admin from ... particular GPO using ACL deny. ...
    (microsoft.public.windows.group_policy)
  • Re: Enormous security problem
    ... What is the LDAP failure return code in Netdiag? ... Are there errors on the file server perhaps kerberos errors in the system ... I had to disable account lock out in the defualt domain> policy. ... > the security log, all I have to do is select the security log and hit> refresh ...
    (microsoft.public.windows.server.general)
  • Re: Problem after migration done
    ... you should enable security log on the DC to gather the ... Write down error message exactly when use domain account to logon to the ... Rebecca Chen ...
    (microsoft.public.windows.server.migration)
  • Re: Web Server 2003 File Sharing
    ... > I've tried removing Deny Everyone, but this doesn't seem to help. ... > Administrator account name. ... > the new administrator credentials ... >>Can anyone give me any pointers as to what Local Security Policy ...
    (microsoft.public.windows.server.general)