Re: logon failure: user not allowed to log on to this computer

From: Keith (keith.harmsworth_at_bov.com)
Date: 04/05/04 

Date: Mon, 5 Apr 2004 01:01:03 -0700

Hi there...
I had the same thing happening on one of my servers. I have managed to solve the problem temporarily which is not what I would like and am not 100% sure it is the problem really!

Well, my problem seem to have been caused when I amended the local security policy of this standalone webserver. Knowing that the 'Additional restrictions for anonymous connections' should at least be 'Do not allow enumeration of SAM accounts and shares' I changed the policy to the next step thus to 'No access without explicit anonymous permissions' and obviously rebooted the server to make sure it was refreshed.

Once rebooted everything was fine however after a day or two I noticed that I was getting the "Logon Failure: User not allowed to log on to this computer" error on my page. I checked about the logon locally rights and the IUSR_machine user was definitely in this list.

I amended the policy again and reduced it to 'Do not allow enumeration of SAM accounts and shares' and still after reboot I was left with the same problem. Thus it left me with not choice but to set the policy to 'None' again.

Does anyone know what is happening here. I would like to set this policy to 'Do not allow enumeration' especially knowing that I have about 20 more servers having this setup and never have me any problems.

Any help would be appriciated.

Thanks a lot
Keith Harmsworth

----- Paul Lynch wrote: -----
     
     On Thu, 11 Mar 2004 15:11:12 -0800, "fred"
     <anonymous@discussions.microsoft.com> wrote:
     
>event id: 100
>>The server was unable to logon the windows NT account 'IUSR_blah' due to the following error: Logon failure: user not allowed to log onto this computer.
>>Site is anonymous log-in.
>What gives?
>>thanks!
     
     Fred,
     
     Does the IUSR_ account have the log on locally user right ? The
     anonymous user accounts require these rights on an IIS machine :
     
     Access this computer from the network
     Log on locally
     Log on as a batch job
     
     
     Regards,
     
     Paul Lynch
     MCSE

Relevant Pages

  • Re: Account Lockout threshold
    ... All are window 2000 advanced servers with Service pack 3, ... Domain Contoller Security Policy - Account lockout threshold ...
    (microsoft.public.security)
  • Re: Security templates and IUSR account log on locally
    ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
    (microsoft.public.inetserver.iis.security)
  • Re: Preventing users from c onnecting to shares NOT on the domain..
    ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ...
    (microsoft.public.win2000.security)
  • Re: Preventing users from c onnecting to shares NOT on the domain..
    ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ...
    (microsoft.public.win2000.networking)
  • Re: Default Domain Controllers Policy
    ... I was only looking to change the Local Security Policy on servers that have ... appling to the Computers is if the Computer OU was inside the Default ... Why are you trying to change Local Settings? ...
    (microsoft.public.win2000.group_policy)