R
Robert F. O'Connor
We have been running several Sharepoint Team Services websites on a W2K
server in our domain (not a DC) for quite a while. We have been doing some
AD maintenance since a DC went down a week or so ago by bringing up a new DC
and demoting an old one. Something during that process has affected security
rights for both the ASPNET local user on our (also non-DC) web server and
for local users created on the Sharepoint web sites. We have worked around
the ASPNET issue for now.
The problem is that several active accounts on the Sharepoint sites have
become inactive and when new accounts are created, they are active for
little while and then become inactive also, all with a W3SVC Warning in
System events, Event ID 100: "The server was unable to logon the Windows NT
account 'foo/bar' due to the following error: Logon failure: the user has
not been granted the requested logon type at this computer."
In the machine's Local Security Policy plug-in, "Log on locally" for the
desired accounts is checked as a "Local Policy Setting", but are unchecked
as "Effective Policy Setting"s. The only "Deny Logon Locally" entry is for
the local machine's ASPNET account (which is also not effective). There are
no "Deny Logon Locally" entries in any of the domain servers. I can't add
anything to "Log on locally" on this machine that becomes effective.
I've run the "secedit /refreshpolicy MACHINE_POLICY" on this server, but
nothing changes this. Any ideas? Is there a way to "walk" the permissions
tree and see what is blocking this?
Thanks for any help.
-Robert F. O'Connor
(e-mail address removed)
server in our domain (not a DC) for quite a while. We have been doing some
AD maintenance since a DC went down a week or so ago by bringing up a new DC
and demoting an old one. Something during that process has affected security
rights for both the ASPNET local user on our (also non-DC) web server and
for local users created on the Sharepoint web sites. We have worked around
the ASPNET issue for now.
The problem is that several active accounts on the Sharepoint sites have
become inactive and when new accounts are created, they are active for
little while and then become inactive also, all with a W3SVC Warning in
System events, Event ID 100: "The server was unable to logon the Windows NT
account 'foo/bar' due to the following error: Logon failure: the user has
not been granted the requested logon type at this computer."
In the machine's Local Security Policy plug-in, "Log on locally" for the
desired accounts is checked as a "Local Policy Setting", but are unchecked
as "Effective Policy Setting"s. The only "Deny Logon Locally" entry is for
the local machine's ASPNET account (which is also not effective). There are
no "Deny Logon Locally" entries in any of the domain servers. I can't add
anything to "Log on locally" on this machine that becomes effective.
I've run the "secedit /refreshpolicy MACHINE_POLICY" on this server, but
nothing changes this. Any ideas? Is there a way to "walk" the permissions
tree and see what is blocking this?
Thanks for any help.
-Robert F. O'Connor
(e-mail address removed)