your account is configured to prevent you from using this computer

[Toli]

I've run accross an interesting problem. I have my son's
account that's getting the following popup at log on.

"your account is configured to prevent you from using
this computer"

I'm on a stand alone pc. I dont have him in the "deny
logon locally" on security policy, nor is he a member of
a group that's affected by that policy. I do have him in
the user's group, which can log on locally. It seems that
only members of the local adminstrators group can log
onto this PC. He was able to log on recently, and I
haven't messed with the local group policy.

Any ideas?

Thanks

 

[Roger Abell]

If you define a new limited account (one with group
memberships equal to those of your son's problem
account) does it show any login issues ?

You seem to have covered the bases as far as user rights
are concerned.
What is showing in the security event log (assuming you
have event logging enabled) ?

 

[Guest]

I did try to recreate the account with the same
memeberships and even tried to create other new accounts,
all with the same result. I do have logging enabled. That
was interesting as well, the security log isn't showing
anything. Since my son isn't being allowed to log on,
it's not coming up with an error such as a wrong password.

Any idea what the deal is?

Toli

 

[Steven L Umbach]

Go into Computer Management/Event Viewer/security log and clear [right click/clear
all events] it to see if it helps. If it does then set your security log to overwrite
events as needed. --- Steve

 

[Guest]

I did verify that the security log is configured
correctly. I have tried verifying that with using an
incorrect password and I did come up with an event on the
security log.

This problem is behavior consistant with a domain
evironment where a user is allow to log onto only specific
PCs. Thus the rub, I'm a standalone PC. :-(

-----Original Message-----
Go into Computer Management/Event Viewer/security log and clear [right click/clear
all events] it to see if it helps. If it does then set your security log to overwrite
events as needed. --- Steve

I did try to recreate the account with the same
memeberships and even tried to create other new accounts,
all with the same result. I do have logging enabled. That
was interesting as well, the security log isn't showing
anything. Since my son isn't being allowed to log on,
it's not coming up with an error such as a wrong password.

Any idea what the deal is?

Toli

.

 

[Steven L Umbach]

OK. Come to think of it the crash on audit fail should show a BSOD also. As Roger
mentioned if you have auditing enabled for account logon events and logon events,
then there should be a failed logon attempt with event ID 681 error codes or logon
event ids from 529 through 539 that should help pinpoint the problem. I would also
use " net user username" for that account to see if anything looks wrong there. ---
Steve

http://is-it-true.org/nt/atips/atips155.shtml
http://www.jsiinc.com/SUBG/TIP3200/rh3207.htm

I did verify that the security log is configured
correctly. I have tried verifying that with using an
incorrect password and I did come up with an event on the
security log.

This problem is behavior consistant with a domain
evironment where a user is allow to log onto only specific
PCs. Thus the rub, I'm a standalone PC. :-(

-----Original Message-----
Go into Computer Management/Event Viewer/security log and clear [right click/clear
all events] it to see if it helps. If it does then set your security log to overwrite
events as needed. --- Steve

I did try to recreate the account with the same
memeberships and even tried to create other new accounts,
all with the same result. I do have logging enabled. That
was interesting as well, the security log isn't showing
anything. Since my son isn't being allowed to log on,
it's not coming up with an error such as a wrong password.

Any idea what the deal is?

Toli
-----Original Message-----
If you define a new limited account (one with group
memberships equal to those of your son's problem
account) does it show any login issues ?

You seem to have covered the bases as far as user rights
are concerned.
What is showing in the security event log (assuming you
have event logging enabled) ?

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
I've run accross an interesting problem. I have my
son's
account that's getting the following popup at log on.

"your account is configured to prevent you from using
this computer"

I'm on a stand alone pc. I dont have him in the "deny
logon locally" on security policy, nor is he a member
of
a group that's affected by that policy. I do have him
in
the user's group, which can log on locally. It seems
that
only members of the local adminstrators group can log
onto this PC. He was able to log on recently, and I
haven't messed with the local group policy.

Any ideas?

Thanks


.

.

 

[Curtis Clay III [MSFT]]

Hello,
Confirm that your son's account is not a member of any other groups on the
workstation. LIke Guest.
Also Add your so to the administrators group to test to see if he is able
to logon then.

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

I've done both and have been able to log on with my son's
account after I made him a member of the administrators
group. I did check as well to verify he isn't a member of
the guest's group.

thanks

 

[Roger Abell]

That domain behavior results from groups listed in the
log on locally and log on over the network user rights
(XP introduced the two deny versions of these, which
are not used in a default domain joining).

You have verified that Users group is grant the log on
locally user right, that the account is in Users, and that
there is no group in the Deny local logon user right that
has as a member the account.

If in the Auditing policies you have login events being
audited for success and failure, it is totally bizarre that
you are not receiving any events in an otherwise functioning
security event log.

What are the NTFS settings on the account's profile ?
Does the account have Full control of its own profile ?
(above does not align with message reported, but . . .)

Is there a registry.pol file in the folder
system32\GroupPolicy\User ?


--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

I did verify that the security log is configured
correctly. I have tried verifying that with using an
incorrect password and I did come up with an event on the
security log.

This problem is behavior consistant with a domain
evironment where a user is allow to log onto only specific
PCs. Thus the rub, I'm a standalone PC. :-(

-----Original Message-----
Go into Computer Management/Event Viewer/security log and clear [right click/clear
all events] it to see if it helps. If it does then set your security log to overwrite
events as needed. --- Steve

I did try to recreate the account with the same
memeberships and even tried to create other new accounts,
all with the same result. I do have logging enabled. That
was interesting as well, the security log isn't showing
anything. Since my son isn't being allowed to log on,
it's not coming up with an error such as a wrong password.

Any idea what the deal is?

Toli
-----Original Message-----
If you define a new limited account (one with group
memberships equal to those of your son's problem
account) does it show any login issues ?

You seem to have covered the bases as far as user rights
are concerned.
What is showing in the security event log (assuming you
have event logging enabled) ?

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
I've run accross an interesting problem. I have my
son's
account that's getting the following popup at log on.

"your account is configured to prevent you from using
this computer"

I'm on a stand alone pc. I dont have him in the "deny
logon locally" on security policy, nor is he a member
of
a group that's affected by that policy. I do have him
in
the user's group, which can log on locally. It seems
that
only members of the local adminstrators group can log
onto this PC. He was able to log on recently, and I
haven't messed with the local group policy.

Any ideas?

Thanks


.

.

 

[Guest]

You'd asked if I had a registry.pol file. Yes, I do. I
did manage to clear the security file and limit my
auditing to only logon based events, both success and
failure. There was an entry for what I'm describing. It
was event ID 533. Which is idicative of a network
setting...

-----Original Message-----
That domain behavior results from groups listed in the
log on locally and log on over the network user rights
(XP introduced the two deny versions of these, which
are not used in a default domain joining).

You have verified that Users group is grant the log on
locally user right, that the account is in Users, and that
there is no group in the Deny local logon user right that
has as a member the account.

If in the Auditing policies you have login events being
audited for success and failure, it is totally bizarre that
you are not receiving any events in an otherwise functioning
security event log.

What are the NTFS settings on the account's profile ?
Does the account have Full control of its own profile ?
(above does not align with message reported, but . . .)

Is there a registry.pol file in the folder
system32\GroupPolicy\User ?


--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

I did verify that the security log is configured
correctly. I have tried verifying that with using an
incorrect password and I did come up with an event on the
security log.

This problem is behavior consistant with a domain
evironment where a user is allow to log onto only specific
PCs. Thus the rub, I'm a standalone PC. :-(

-----Original Message-----
Go into Computer Management/Event Viewer/security log

and
clear [right click/clear

all events] it to see if it helps. If it does then set your security log to overwrite
events as needed. --- Steve



I did try to recreate the account with the same
memeberships and even tried to create other new accounts,
all with the same result. I do have logging enabled. That
was interesting as well, the security log isn't showing
anything. Since my son isn't being allowed to log on,
it's not coming up with an error such as a wrong password.

Any idea what the deal is?

Toli
-----Original Message-----
If you define a new limited account (one with group
memberships equal to those of your son's problem
account) does it show any login issues ?

You seem to have covered the bases as far as user rights
are concerned.
What is showing in the security event log (assuming you
have event logging enabled) ?

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
I've run accross an interesting problem. I have my
son's
account that's getting the following popup at log on.

"your account is configured to prevent you from using
this computer"

I'm on a stand alone pc. I dont have him in the "deny
logon locally" on security policy, nor is he a member
of
a group that's affected by that policy. I do have him
in
the user's group, which can log on locally. It seems
that
only members of the local adminstrators group can log
onto this PC. He was able to log on recently, and I
haven't messed with the local group policy.

Any ideas?

Thanks


.



.

.

 

[Steven L Umbach]

OK. I am wondering if this computer has ever been a member of a domain and
if it was then it may still think it is a member of a domain if it is not
shown as being a member of a workgroup. At this point I would try two
things. First I would use the secedit command to reset security settings to
default defined levels as described in KB link - reboot when done. If that
does not help I would do an upgrade installation by using the install cdrom
while the OS is running and select "upgrade" installation [be sure to
disable antivirus first]. Make sure you are using a firewall as you will
have to reinstall service pack and critical updates if you do that, but your
data and applications should work normal. Another alternative is if you have
a system restore point before all this started happening that you could try
to use.. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
http://support.microsoft.com/default.aspx?kbid=315341

I did verify that the security log is configured
correctly. I have tried verifying that with using an
incorrect password and I did come up with an event on the
security log.

This problem is behavior consistant with a domain
evironment where a user is allow to log onto only specific
PCs. Thus the rub, I'm a standalone PC. :-(

-----Original Message-----
Go into Computer Management/Event Viewer/security log and clear [right click/clear
all events] it to see if it helps. If it does then set your security log to overwrite
events as needed. --- Steve

I did try to recreate the account with the same
memeberships and even tried to create other new accounts,
all with the same result. I do have logging enabled. That
was interesting as well, the security log isn't showing
anything. Since my son isn't being allowed to log on,
it's not coming up with an error such as a wrong password.

Any idea what the deal is?

Toli
-----Original Message-----
If you define a new limited account (one with group
memberships equal to those of your son's problem
account) does it show any login issues ?

You seem to have covered the bases as far as user rights
are concerned.
What is showing in the security event log (assuming you
have event logging enabled) ?

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
I've run accross an interesting problem. I have my
son's
account that's getting the following popup at log on.

"your account is configured to prevent you from using
this computer"

I'm on a stand alone pc. I dont have him in the "deny
logon locally" on security policy, nor is he a member
of
a group that's affected by that policy. I do have him
in
the user's group, which can log on locally. It seems
that
only members of the local adminstrators group can log
onto this PC. He was able to log on recently, and I
haven't messed with the local group policy.

Any ideas?

Thanks


.

.

 

[Toli]

I finally got a response from Microsoft. They think it
might be one of their recent updates that caused this.
They suggested that I role back my system using system
restore to a date when all was working fine.

My PC has never been part of a domain.

thanks for your help Steve...

-----Original Message-----
OK. I am wondering if this computer has ever been a member of a domain and
if it was then it may still think it is a member of a domain if it is not
shown as being a member of a workgroup. At this point I would try two
things. First I would use the secedit command to reset security settings to
default defined levels as described in KB link - reboot when done. If that
does not help I would do an upgrade installation by using the install cdrom
while the OS is running and select "upgrade" installation [be sure to
disable antivirus first]. Make sure you are using a firewall as you will
have to reinstall service pack and critical updates if you do that, but your
data and applications should work normal. Another alternative is if you have
a system restore point before all this started happening that you could try
to use.. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN- US;313222
http://support.microsoft.com/default.aspx?kbid=315341

I did verify that the security log is configured
correctly. I have tried verifying that with using an
incorrect password and I did come up with an event on the
security log.

This problem is behavior consistant with a domain
evironment where a user is allow to log onto only specific
PCs. Thus the rub, I'm a standalone PC. :-(

-----Original Message-----
Go into Computer Management/Event Viewer/security log

and
clear [right click/clear

all events] it to see if it helps. If it does then set your security log to overwrite
events as needed. --- Steve



I did try to recreate the account with the same
memeberships and even tried to create other new accounts,
all with the same result. I do have logging enabled. That
was interesting as well, the security log isn't showing
anything. Since my son isn't being allowed to log on,
it's not coming up with an error such as a wrong password.

Any idea what the deal is?

Toli
-----Original Message-----
If you define a new limited account (one with group
memberships equal to those of your son's problem
account) does it show any login issues ?

You seem to have covered the bases as far as user rights
are concerned.
What is showing in the security event log (assuming you
have event logging enabled) ?

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
I've run accross an interesting problem. I have my
son's
account that's getting the following popup at log on.

"your account is configured to prevent you from using
this computer"

I'm on a stand alone pc. I dont have him in the "deny
logon locally" on security policy, nor is he a member
of
a group that's affected by that policy. I do have him
in
the user's group, which can log on locally. It seems
that
only members of the local adminstrators group can log
onto this PC. He was able to log on recently, and I
haven't messed with the local group policy.

Any ideas?

Thanks


.



.

.

 

[Guest]

http://support.microsoft.com/default.aspx?kbid=285665