Re: Blocking accounts on local machine


From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/12/04


Date: Fri, 12 Mar 2004 06:48:09 -0700

Logging in and getting recycled back to the login prompt is
normal behavior when the login setup cannot run (script
errors, failure to access needed executables, etc.)

This sounds like the GPO(s) that apply to the machine have
Restricted Groups defined, particularly for the Users group
of the local machine. If this is so, keep in mind that use of
a Restricted Group definition is giving the exact membership
in the group (and optionally of what the group itself is a member).
It is not additive to anything, but a complete stand-on-its-own
statement of the membership.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Luke" <anonymous@discussions.microsoft.com> wrote in message
news:bda001c40817$807ef350$a101280a@phx.gbl...
> Hi Roger,
>
> Sorry, let me correct my question.  After we create a
> local account on a joined workstation, ran the secedit
> commands locally and restart the machine.  We tried to
> signon with the newly created local account, it accepts
> the uid and pswd and it prompts the typical login status
> screen, then it shows 'saving user setting' and brings the
> screen right back to the alt-ctrl-del login prompt.
>
> So we signon to the machine w/local admin account and
> check the newly created local account's setting, we
> noticed the account does not belong to any groups.  The
> GPO has wiped out the group membership for that account.
> We tried to add back the groups but the problem reoccurs
> after reboot.  Not sure where (GPO) should I adjust to
> avoid this issue.  Thank you.
>
> regards,
> Luke
>
> >-----Original Message-----
> >Can you narrow this down.
> >When you log in to the joined machine with an admin
> >account and examine the security logs for messages from
> >attempts to log in with the previously defined local account
> >(assuming that you are auditing logon events) what is being
> >recorded ?  Anything?
> >What is the message that you received when attempting the
> >failed login ??
> >
> >There are a few things that might be applied from AD-based
> >GPO to control what accounts can use a machine.  However,
> >you also have said that the account seems to no longer exist.
> >If that is so, this is something that is not a capability of the GPO
> >policies.
> >
> >So, is the account gone, or just not able to log in?  If the last then
> >why (event log messages)?
> >
> >Examine the GPO's that apply to the machine for User Rights and
> >for Restricted Groups policies.
> >
> >-- 
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCSE (W2k3,W2k,Nt4)  MCDBA
> >"Luke" <anonymous@discussions.microsoft.com> wrote in message
> >news:84da01c403fb$dbe55150$a501280a@phx.gbl...
> >> Hi all,
> >>
> >> When we rebuilt a workstation we created one local user
> >> account in addition to the built-in administrator.
> >> However, after joining the machine to the domain with GPO
> >> applied, we noticed the account created locally can't be
> >> used, it won't accept the password and we only could use
> >> the built-in admin instead.
> >>
> >> We also tried to remove the machine from domain but I
> >> guess the account we'd created has been reset by the
> >> GPO.  Anyone know which policy should I look into to
> >> prevent the local machine accounts being reset? Thank
> >> you.
> >>
> >> Luke
> >
> >
> >.
> >
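The Restricted Groups behaviour Roger describes (the Members list is the complete membership, not an addition to it), as an added example that is not from this thread: a small Python script that parses the [Group Membership] section of a security template, such as one exported with `secedit /export /cfg out.inf /areas GROUP_MGMT`, and predicts which current members of the local Users group the policy would strip at the next refresh. The template text, the group membership and all domain/machine SIDs below are constructed samples (a real export is UTF-16 and must be decoded first).

```python
"""Predict the effect of a Restricted Groups policy on a local group.

Constructed sample data only; the parser follows the template format used by secedit:
'*<SID>__Members' and '*<SID>__Memberof' keys, a leading '*' marking a SID rather
than a name, and an empty list written as nothing after the '='."""

# Constructed template: Builtin\Users (S-1-5-32-545) is pinned to exactly two members.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-545__Memberof =
*S-1-5-32-545__Members = *S-1-5-11,*S-1-5-21-100000-200000-300000-513
"""

# Constructed current membership of the local Users group, keyed by SID.
CURRENT_USERS = {
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-21-100000-200000-300000-513": "CORP\\Domain Users",
    "S-1-5-21-400000-500000-600000-1001": "WORKSTATION\\luke",  # the local account
}


def parse_group_membership(template: str) -> dict:
    """Return {group_sid: {"Members": [...], "Memberof": [...]}} (keys only if present)."""
    policy, in_section = {}, False
    for raw in template.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[Group Membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().lstrip("*").partition("__")
        entries = [e.strip().lstrip("*") for e in value.split(",") if e.strip()]
        policy.setdefault(group, {})[kind] = entries
    return policy


def predict_membership(policy: dict, group_sid: str, current: dict) -> dict:
    """A Members list replaces the group's membership outright, so every current member
    that is not listed is removed; a group with no Members entry is left untouched."""
    if "Members" not in policy.get(group_sid, {}):
        return {"kept": sorted(current), "removed": [], "added": []}
    wanted, have = set(policy[group_sid]["Members"]), set(current)
    return {"kept": sorted(wanted & have), "removed": sorted(have - wanted),
            "added": sorted(wanted - have)}


if __name__ == "__main__":
    outcome = predict_membership(parse_group_membership(SAMPLE_TEMPLATE), "S-1-5-32-545", CURRENT_USERS)
    for sid in outcome["removed"]:
        print(f"will be removed from Users: {CURRENT_USERS[sid]} ({sid})")
```

Run against the sample it reports WORKSTATION\luke as removed, which is exactly the symptom in the thread: the account is created, the policy refreshes, and the membership is gone again after reboot.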

