How to verify why user group membership is failing

Marlon Brown

User1 is a member of AccessServerGroup and attempts to log on to an
application server and is getting the message 'your account does not permit you
to logon interactively'. User1 used to be able to log on to that server
accordingly a few months ago.

Then I make a copy of the "User1" account. I attempt to log in to the same
server and that's successful.

I attempted to remove/re-add User1 to AccessServerGroup, but that didn't fix
the problem.

How can I troubleshoot this and see if User1 is getting the group membership
accordingly from AccessServerGroup? Is there any tool that lets me see on the
respective servers who is actually getting the group membership from
AccessServerGroup? Logged on as a domain admin on the respective application
server,
I do a

net group "AccessServerGroup"

and User1 is listed as a member of the AccessServerGroup.

Please let me know.
 
Herb Martin

Marlon Brown said:
> User1 is a member of AccessServerGroup and attempts to log on to an
> application server and is getting the message 'your account does not permit you
> to logon interactively'. User1 used to be able to log on to that server
> accordingly a few months ago.
>
> Then I make a copy of the "User1" account. I attempt to log in to the same
> server and that's successful.
>
> I attempted to remove/re-add User1 to AccessServerGroup, but that didn't fix
> the problem.

The user would have to LOGON (anew) for such changes to take
effect.

> How can I troubleshoot this and see if User1 is getting the group membership
> accordingly from AccessServerGroup?

Log him on and use something like "ShowGrps" or "IfMember" from the Reskit
(much of the Reskit can be downloaded from the MS website) to get the actual,
current list.

> Is there any tool that lets me see on the
> respective servers who is actually getting the group membership from
> AccessServerGroup? Logged on as a domain admin on the respective application
> server,
> I do a
>
> net group "AccessServerGroup"
>
> and User1 is listed as a member of the AccessServerGroup.
 
ptwilliams

On top of Herb's suggestion, there's also whoami /groups if you're running
XP, or if there's an XP box you can copy it from...

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
 
Glenn L

This error, 'your account does not permit you
to logon interactively', is very similar to the error you get when you do
not have the user right "allow logon locally",
or, if logging on through terminal services, the "allow logon through terminal
services" user right.
Is this application server a Citrix server?

Since you made a copy of the account, that copy would have all the same
domain group memberships as the original, and yet it could log on.

This makes me think of 2 possibilities... albeit long shots:
User1 was specifically added to the "deny logon locally" user right
User1 is a member of the local server guests group.

If this is a citrix server, then perhaps that error is Citrix specific.
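
An added example, not part of the thread or any poster's code: it checks the SIDs in a user's logon token against the logon user rights discussed above, using text saved from `whoami /groups /fo csv` and `secedit /export /areas USER_RIGHTS`. The domain SID, RIDs and policy values are constructed, and the user's own SID (from `whoami /user`) is passed in by hand.

```python
import csv, io

# User rights that gate console ("local") and Terminal Services ("ts") logons.
ALLOW = {"local": "SeInteractiveLogonRight", "ts": "SeRemoteInteractiveLogonRight"}
DENY = {"local": "SeDenyInteractiveLogonRight", "ts": "SeDenyRemoteInteractiveLogonRight"}

def token_sids(whoami_csv, user_sid):
    """SIDs in the logon token: the user's own SID plus every group SID
    from `whoami /groups /fo csv` (column names assumed as in the sample)."""
    rows = csv.DictReader(io.StringIO(whoami_csv))
    return {user_sid.upper()} | {row["SID"].upper() for row in rows}

def user_rights(inf_text):
    """Parse [Privilege Rights] from a `secedit /export /areas USER_RIGHTS` file.
    Entries starting with '*' are SIDs; plain account names never match a SID."""
    rights, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*").upper()
                                    for v in value.split(",") if v.strip()}
    return rights

def explain_logon(sids, rights, kind="local"):
    """Return (allowed, reason). A deny right overrides the matching allow right."""
    denied = sids & rights.get(DENY[kind], set())
    if denied:
        return False, f"{DENY[kind]} lists {sorted(denied)}"
    granted = sids & rights.get(ALLOW[kind], set())
    if granted:
        return True, f"{ALLOW[kind]} lists {sorted(granted)}"
    return False, f"no SID in the token is listed under {ALLOW[kind]}"

# Constructed sample data: domain SID, RIDs and policy are made up for illustration.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
ATTR = "Mandatory group, Enabled by default, Enabled group"
WHOAMI = f'''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","{ATTR}"
"BUILTIN\\Users","Alias","S-1-5-32-545","{ATTR}"
"MYDOMAIN\\AccessServerGroup","Group","{DOM}-1201","{ATTR}"
'''
POLICY = f"""[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *{DOM}-1105
SeRemoteInteractiveLogonRight = *S-1-1-0
"""

if __name__ == "__main__":
    rights = user_rights(POLICY)
    for label, rid in (("User1", 1105), ("copy of User1", 1106)):
        print(label, explain_logon(token_sids(WHOAMI, f"{DOM}-{rid}"), rights))
```

In the constructed policy the deny entry names User1's own SID, so a copied account, which gets a new SID but the same groups, passes the same check.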
 
Marlon Brown

It is a Citrix server.
The Local\Users group has rights to logon locally.
MyDomain\Domain Users is a member of the local Users group. User1 is a
member of Domain Users.
Terminal Services let "everyone" logon as I guest. I've created a trivial
domain user account and I was able to log on via TS to the server just fine.

I thought about the 'deny logon locally' right, but that setting was blank;
nobody is denied access there.

Since I am logging on directly via TS, I can't understand how Citrix can be
playing a role on this... but apparently that is what is happening...
 
