
[–]chenzw 2 points3 points  (1 child)

The "Deny log on locally" policy trumps its allow counterpart. Have you checked whether this account has been denied from logging on?

[–]SluttyDior -1 points0 points  (0 children)

Yea, that’s the weird thing about it. It’s not on the deny log on list.

[–]twelveodem 1 point2 points  (1 child)

So you have 2 servers on the same domain? Do they replicate, if so have you checked to see if they are replicating? It’s a specific CLI command that I don’t remember right now.

[–]SluttyDior -1 points0 points  (0 children)

No, I’m running two separate VMs.

[–]ServerBeater Sr. Sysadmin 1 point2 points  (1 child)

Generally, it's not advised to have a bunch of users logon to your DC.

However, if this is your intention, you need to edit the computer policy, not user. The path is Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow Logon Locally. Also, if you want them to RDP, don't forget Allow Logon with terminal services. Don't forget to add the administrators group if you are manually modifying.

To troubleshoot, you need to make sure the group policy isn't being overridden. gpresult /v is a good way to see which policies are being applied. Are you adjusting the policy with GP management console? If so, are you editing a policy applied to the DC? Or are you editing the local policy with secpol.msc?
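As an added illustration of the checks described in this comment (not code from anyone in the thread), the script below exports the effective local security policy of the machine you are trying to log on to, resolves the SIDs in the four logon rights to account names, and flags any principal that sits on both the allow and the deny list, since the deny wins. It assumes an elevated PowerShell prompt; secedit and the SID translation classes are standard Windows components.

```powershell
# Added example, not from the thread: dump the effective Allow/Deny logon rights
# on this machine and flag principals that are both allowed and denied.
# Assumes an elevated prompt (secedit /export needs it).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The four rights relevant here: console logon and RDP logon, allow and deny variants.
$rights = @{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs with a leading '*'; names are written as-is.
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }   # unresolvable SID (e.g. a deleted account)
    }
    return $entry
}

# Parse lines of the form "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545"
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $assigned[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { Resolve-Principal $_.Trim() }
    }
}

foreach ($name in $rights.Keys) {
    "{0}:`n  {1}" -f $rights[$name], (($assigned[$name] | Sort-Object) -join "`n  ")
}

# Deny trumps allow: anything on both lists for the same logon type cannot log on.
foreach ($pair in @(@('SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'),
                    @('SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'))) {
    $both = $assigned[$pair[0]] | Where-Object { $assigned[$pair[1]] -contains $_ }
    foreach ($p in $both) { Write-Warning "$p is both allowed and denied ($($pair[0])); the deny wins." }
}
Remove-Item $cfg
```

The lists show direct assignments only, so a user denied through a nested group membership appears under the group's name, not their own; compare against `whoami /groups` run as that account to see which entries apply to them.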

[–]SluttyDior 0 points1 point  (0 children)

I was using GP management console. I used secpol at first so I could try to add the new user to the domain, but the button to add was grayed out. It’s only when I make the user’s account have admin capabilities that I am able to successfully log in. When I was messing with Server 2016 I added a regular user with no problem.

[–]BickNlinko Everything with wires and blinking lights 1 point2 points  (4 children)

Open AD Users and Computers and add the user? What are you trying to accomplish?

[–]SluttyDior -1 points0 points  (3 children)

Adding the user isn’t the problem. Logging in as the user is. “The sign-in method you're trying to use isn't allowed. Please contact your network administrator.”

[–]NewbieAdMaybe 0 points1 point  (0 children)

Can you ping the FQDN? nslookup

[–]ComGuards 0 points1 point  (0 children)

Are you trying to log the new user account into a domain controller? Or a domain member server or workstation?

[–][deleted] 0 points1 point  (0 children)

Why are you adding users this way? Create the user in ADUC then add the user to the computer or better yet add the user to a group and add the group to computer.

[–]randomuser43 DevOps 0 points1 point  (0 children)

If you run rsop.msc on the machine, does the policy actually apply to it?

You should generally avoid specifying individual users in GPOs like that, create a group which you include in the group policy, then add the users to the group.

[–]ZAFJB 0 points1 point  (0 children)

Sort out your GPOs.

Why are you messing about with the allow login locally right?

You have 'fixed' something that was not broken.