Re: How to verify why user group membership is failing
From: Glenn L (the.only_at_gmail.com)
Date: 10/22/04
Date: Thu, 21 Oct 2004 19:41:42 -0700
This error "'your account does not permit you to logon interactively'" is very
similar to the error you get when you do not have the user right "allow logon
locally".
Or, if logging on through terminal services, the "allow logon through terminal
services" user right.
Is this application server a Citrix server?
Since you made a copy of the account, that copy would have all the same
domain group memberships as the original, and yet it could logon.
This makes me think of 2 possibilities...albeit long shots:
User1 was specifically added to the "deny logon locally" user right.
User1 is a member of the local server guests group.
If this is a Citrix server, then perhaps that error is Citrix specific.
--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:e18TrW6tEHA.2956@TK2MSFTNGP12.phx.gbl...
> On top of Herb's suggestion, there's also whoami /groups if you're running
> XP, or if there's an XP box you can copy it from...
>
> --
>
> Paul Williams
>
> http://www.msresource.net
> http://forums.msresource.net
> ______________________________________
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:OgDc2z5tEHA.3788@TK2MSFTNGP09.phx.gbl...
> "Marlon Brown" <marlon_brown@hotmail.com> wrote in message
> news:uJeLFu5tEHA.820@TK2MSFTNGP12.phx.gbl...
> > User1 is a member of a AccessServerGroup and attempts to logon to an
> > application server and is getting message 'your account does not permit you
> > to logon interactively'. User1 used to be able to logon to that server
> > accordingly few months ago.
> >
> > Then I make a copy of "User1" account. I attempt to login to the same
> > server and that's successful.
> >
> > I attempted to remove/readd User1 to AccessServerGroup, but that didn't fix
> > the problem.
>
> The User would have to LOGON (anew) for such changes to take
> effect.
>
> > How can I troubleshoot this and see if User1 is getting the group membership
> > accordingly from AccessServerGroup ?
>
> Logon him on and use something like "ShowGrps" or "IfMember" from the Reskit
> (much of the Reskit can be downloaded from MS website) to get the actual,
> current list.
>
> > Any tool that let me see on the
> > respective servers who is actually getting the group membership from
> > AccessServerGroup. Logged on as a domain admin on the respective Application
> > server,
> > I do a
> >
> > net group "AccessServerGroup"
> >
> > and User1 is listed as a member of the AccessServerGroup.
>
> --
> Herb Martin
>
> > Please let me know.
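
Added example, not part of the thread or written by any of its posters: a Python check of the two possibilities raised in the reply above, comparing the SIDs in a logon token against the "allow logon locally" and "deny logon locally" user rights as exported by `secedit`. The policy text, the account and group SIDs, and the presence of the local Guests group under the deny right are all constructed for illustration; entries are assumed to be exported as SIDs.

```python
import configparser

# Constructed sample of the [Privilege Rights] section that
# `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes. All SIDs are made up
# except S-1-5-32-544 (Administrators) and S-1-5-32-546 (Guests), which are well known.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-5001
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111-2222-3333-1105
"""
ACCESS_GROUP = "S-1-5-21-1111-2222-3333-5001"  # hypothetical SID of AccessServerGroup
USER1 = "S-1-5-21-1111-2222-3333-1105"         # hypothetical SID of User1
USER1_COPY = "S-1-5-21-1111-2222-3333-1190"    # hypothetical SID of the copied account
GUESTS = "S-1-5-32-546"                        # local Guests group
ALLOW, DENY = "SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"


def parse_rights(inf_text):
    """Return {right_name: set_of_SIDs} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    rights = {}
    for name, value in cp["Privilege Rights"].items():
        rights[name] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights


def interactive_logon(rights, token_sids):
    """Evaluate local logon for a token; a deny match wins over any allow match."""
    token = set(token_sids)
    denied = rights.get(DENY, set()) & token
    if denied:
        return False, "denied via " + ", ".join(sorted(denied))
    allowed = rights.get(ALLOW, set()) & token
    if allowed:
        return True, "allowed via " + ", ".join(sorted(allowed))
    return False, "no SID in token holds " + ALLOW


if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    # Same group membership, different outcome: only User1's own SID is under the deny right.
    print("User1:      ", interactive_logon(rights, [USER1, ACCESS_GROUP]))
    print("User1 copy: ", interactive_logon(rights, [USER1_COPY, ACCESS_GROUP]))
    # Second possibility: the account is also in the local Guests group.
    print("Guest member:", interactive_logon(rights, [USER1_COPY, ACCESS_GROUP, GUESTS]))
```

The token SIDs for a real account would come from the `whoami /groups` output mentioned earlier in the thread, taken after a fresh logon.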