restricting logon to specific workstation

Ryan

I have a strange problem. I have a user account that I
restrict to logging on to one particular workstation. All
has worked fine until we replaced the workstation with a
new system. The system has the same name, and therefore
the account should still be able to log on to that machine.
It doesn't, however. It gives an error message stating that
it cannot log on to the selected computer. After changing
the AD option to let it log on to everything, it still will
not log on to any workstation.

Any thoughts? Some type of SID issue?

Thanks
Ryan
 
David Brandt [MSFT]

When you say "it still will not logon to any workstation" do you mean that
the user is now not able to log on from any workstation?
Haven't seen that before, but when the new box was brought in with the same
name, it will have a different SID and that could be the problem. Re-add
the new box back in there again, and after all DCs have the setting again,
see if that works, and run secedit to refresh policies or reboot it.
Don't know how many DCs you have, but just wanted to be sure that all have
the same thing so she isn't getting validated by one that still has old
info.


--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
David Pharr [MSFT]

How was the old account removed - did you unjoin the machine from the
domain to remove its computer account from AD, then replace the machine with
a new system that you joined to the domain with the same name, or did you
simply unplug the previous machine and replace it with a machine with the
same name? If you did the latter, the secure channel connection it has
with the PDC Emulator will be broken and you need to reset it.

Try resetting the machine's computer account per the following article:
216393 Resetting Computer Accounts in Windows 2000 and Windows XP
http://support.microsoft.com/?id=216393

If that doesn't work, what's the EXACT error message the user receives when
attempting to log on? Search for the text of the exact error in the
knowledge base, and if that doesn't provide you with an article, provide that
error in a later message.

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Ryan" <[email protected]>
| Subject: restricting logon to specific workstation
| Date: Wed, 21 Jan 2004 06:15:25 -0800
| Newsgroups: microsoft.public.win2000.active_directory
|
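
The checks suggested in this thread, as an added example that is not part of the original posts: it compares the user's workstation restriction and the computer account's SID on every domain controller, then tests the secure channel on the replaced machine. It assumes a later environment with the ActiveDirectory PowerShell module (RSAT) rather than the Windows 2000 tools discussed here; `jdoe` and `WKS01` are placeholder names.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT) is installed.
# 'jdoe' and 'WKS01' are placeholder names, not values from the thread.
param(
    [string]$UserName     = 'jdoe',
    [string]$ComputerName = 'WKS01'
)

Import-Module ActiveDirectory

# Query every DC directly so a stale replica shows up as a differing row.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DC                = $dc.HostName
        LogonWorkstations = $null
        ComputerSid       = $null
        ComputerCreated   = $null
        Error             = $null
    }
    try {
        $user = Get-ADUser -Identity $UserName -Server $dc.HostName -Properties LogonWorkstations
        $row.LogonWorkstations = $user.LogonWorkstations   # empty = no restriction

        $comp = Get-ADComputer -Identity $ComputerName -Server $dc.HostName -Properties whenCreated
        $row.ComputerSid     = $comp.SID.Value             # changes if the account was recreated
        $row.ComputerCreated = $comp.whenCreated
    }
    catch {
        $row.Error = $_.Exception.Message                  # DC unreachable or object missing
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize

# More than one distinct value means the DCs do not agree yet.
foreach ($field in 'LogonWorkstations', 'ComputerSid') {
    $distinct = @($report | Where-Object { -not $_.Error } |
                  ForEach-Object { [string]$_.$field } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "$field differs between domain controllers: $($distinct -join ' | ')"
    }
}

# Run this part on the replaced workstation itself (elevated): the cmdlet
# returns $false when the machine's secure channel to the domain is broken.
if ($env:COMPUTERNAME -eq $ComputerName) {
    "Secure channel healthy: $(Test-ComputerSecureChannel)"
}
```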
 
