Monthly Archives: September 2015

Unable to Login Locally

Posted on by
Reply

I received the following error message when trying to login to the console of a server this morning:

login_error

For future search engine purposes, here’s the text:

You cannot log on because the logon method you are using is not allowed on this computer.  Please see your network administrator for more information.

Aside from the usual frustration caused by this message (I am the network administrator), this server is a domain controller and I wondered if I would be able to logon at all.

Fortunately, remote desktop still worked correctly for logon.  Looking at the event logs, I saw the following for the failed login:

error_logLogon Type 2 is Interactive, or a console logon.  The error is indicating that this account somehow didn’t have permission to logon interactively to this computer.

There are a few places to look for this in Group Policy:  All of the policies that apply computer settings to this computer.  In this environment, the only two policies that applied to the machine were the defaults:  Default Domain Policy and Default Domain Controllers Policy.

In both cases, the items to look at are:

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment->Allow Logon Locally

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment->Deny Logon Locally

Here’s what those options looked like in Default Domain Policy:

default_domainThe options were actually configured in Default Domain Controllers policy:

allow_logon_locallydeny_logon_locallyBased on the groups listed in the Allowed section, Administrator should be able to logon locally.  I wasn’t sure whether Administrator was in any of those groups, but I checked its group memberships with the following:

group_membershipsNothing in there.  However, the net use command used in this way won’t show you nested groups.  To find those use dsquery piped to dsget (info on this is all over the web.  I certainly won’t claim to be the first person to come up with this idea):

dsquery user -name “Administrator” | dsget user -memberof -expand

Here are the results:

expanded_group_membersOne of the groups stood out here:  Remote Operators.  It looks suspiciously like SBS Remote Operators from the policy denying local logons.

In fact, here’s the property sheet for the Remote Operators group:

remote_operatorsThat explained it. Administrator was simply denied permission to logon based on a group membership leftover from SBS.  Since this network no longer has SBS, I opted to simply remove that group from the Deny Logon locally option and refresh group policy. After that I was able to logon to the console.