General discussion

  • Creator
  • #2306676

    Logon failure?


    by casta ·

    Hi all,

    Here it goes:

    1) Created a computer account for a W2K member server in my W2K domain controller.

    2) Went to the member server and changed the network identificatioto point to my W2K, AD and was prompted for a username and password to add the member server no error messages!

    3) When I tried to access the C$ on the member server from the domain controller, I get an error that states “Logon failure: The user has not been granted the request logon type at this computer”

    4) However, when I type \\DC\c$ from the member server I get in no problem!

    5) I went in the member server local security policy and confirmed that the administrator account from the DC has “access to this computer from the network” rights, as a matter of fact the everyone group has that right!

    One more thing that I noticed is when I am at the DC and want to assign rights to a user for example “Access this computer from the network”, from the drop down menu I can select “entire directory” or “mydomain.local”. However, when I am sitting at the member server and select “add” user or group I can see 3 options “Entire Directory”, “mydomain.local” and “Mydomain” this I believe it would be the netbios name for my AD?
    then how come that name does not show up on the DC?

    I am sorry if I don’t make sense but this thing is very weird!

    I added the IP from the DC into the “Preferred DNS” name on the member server.

    I just wanted to configure this machine as a member server, install some services like DHCP, WINS and DNS and later configure it as a DC for redundancy purposes.

    This is my first time working with AD and I don’t have any group policies in place yet because I am learning as I go.

    Do yu think that because I have not implemented GPOs could be that the problem?

    BTW: I am signed on as the domain admin on both machines.

    Thank you for your time!

All Comments

  • Author
    • #3359527

      Logon failure?

      by joseph moore ·

      In reply to Logon failure?

      Ok, try this.
      On the new Member server, right-click My Computer -> Manage -> Local Users & Groups.
      Expand Groups.
      Double-click Administrators
      See if Domain Admins for your AD domain are listed as Administrators (I am not sure on this, but I alsothink the Enterprise Admins group should be listed; I don’t have a AD DC to check right now).
      Basically, only an Administrator can access the C$ share. If the Member server is rejecting a logon to this share, then the user account you are using is NOT a member of the Administrators local group on that Member server.

      hope this helps

    • #3359287

      Logon failure?

      by casta ·

      In reply to Logon failure?

      Hi Joseph,

      Thanks for your reply!
      Right after I posted this question, I went into Active directory users and computers and right clicked the AD and check the default GPO for the domain, I selected to edit the default GPO and under “user rights and assignment” and then I removed whatever was there (It was late at night I don’t remember what was there to begin with!.)

      Anyway I then added the “everyone” group and Voila! it worked.
      This morning I followed your suggestion and the Domain Admins are listed in the local group on the member server.

      One more thing that I am confused about, I want to place on the member server some shares and finance apps that only the accountig Dept will have access to.

      Do I need to add the global accounting group into the local group on the member server?

      Should I leave the right to “access this computer from the network to the “Everyone group” or should I remove the Everyone group and just add the user or groups from the accounting dept only?

      Thanks again Joseph!

    • #3357857

      Logon failure?

      by cul8rm8e ·

      In reply to Logon failure?

      What has actually happened at the point of joining your MEMBER server to the domain i take it that you had it in a workgroup environment (mydomain) Now! once added to the domain your DC has to refresh all policy`s to remove any records relating to the MEMBER server as being part of a workgroup (the default refresh rate for this is 90 minutes) im thinking that by the time you read this post you have sored this problem but anyway if you come accross this again all you have to do is ad the machineto the Domain and run this command secedit /refreshpolicy machine_policy /enforce

      this will refresh all policy`s and remove anything relating to the added machine being part of a workgroupadn as default as long as your accessing any C$ on anymachine added to the domain you will need to be logged on as DOMAIN ADMIN because as default again only DOMAIN ADMIN has rights to access another machine`s C$ unless manually added to that machine.

      I hope you understand this

      any problems postback here!

    • #3357825

      Logon failure?

      by casta ·

      In reply to Logon failure?

      Hi cul8rm8e,

      Yes you are absolutely right, this morming I noticed that the “domain” option is not there anymore…What a relief I was so confused about this. The best thing of all is that thanks to your information now I know why this happens, soI won’t be freaking out in the future…;-)

      Thanks for your time!


    • #3357777

      Logon failure?

      by curlergirl ·

      In reply to Logon failure?

      Answering your comments – you want to leave the Everyone group in the “Access this computer from the network” permissions, unless there is NOTHING on this computer that will ever need to be accessed by anyone other than the accounting group. I wouldn’t do this, just because it might complicate your life later.

      Permissions for shared resources such as files and folders are different from the local security policy permissions. File and folder permissions are NTFS permissions, which are controlled by the specific permissions settings you put in the security settings for the folder or file itself. Therefore, leaving the “access this computer” policy as is with the Everyone group enabled will not compromise your shared folder permissions at all. As long as you remove the Everyone group from the NTFS permissions for the folder(s) you are sharing, and add just the accounting group, domain admins and SYSTEM, you will be fine.

      Hope this helps!

      • #3357581

        Logon failure?

        by casta ·

        In reply to Logon failure?

        Yes it does help a whole lot!
        Thank You!

    • #3357578

      Logon failure?

      by casta ·

      In reply to Logon failure?

      This question was closed by the author

Viewing 5 reply threads