New users can't logon to the domain

[Bruno_A]

Just now, dalekphalm said:

It definitely sounds like the computers are not joined to the correct Domain. They are probably joined to the School's primary domain, not the Lab domain. As everyone above me mentioned, go to System Properties and verify which domain the computer is connected to.

 

Generally speaking, a single computer can only be joined to a single domain. The only way around that is to setup a Trust Relationship between the two domains. You can create a one-way trust (Domain User A can log into both Domain A and Domain B, but Domain User B can only log into Domain B), or a two-way trust (Domain Users of either domain can log into both).

I'll do that tomorrow, but as I said, the users were created on that domain (ictlab.int) as well as my user, and I'm sure my computer was connected to that domain because I could log in, but again, I have admin previleges. This is a pain in the ass.

[dalekphalm]

Just now, bruny06 said:

I'll do that tomorrow, but as I said, the users were created on that domain (ictlab.int) as well as my user, and I'm sure my computer was connected to that domain because I could log in, but again, I have admin previleges. This is a pain in the ass.

Users are totally separate from the computer itself.

 

You can create as many users as you want, but if the computer you're attempting the Logon on isn't a member of the domain, you will be unable to login.

[Bruno_A]

Just now, dalekphalm said:

Users are totally separate from the computer itself.

 

You can create as many users as you want, but if the computer you're attempting the Logon on isn't a member of the domain, you will be unable to login.

Yeah, I understand that, but those machines were indeed connected to the ICT Lab domain (ictlab.int). It actually says  "connect to: ICTLab" under the user and password boxes.  

[dalekphalm]

1 minute ago, bruny06 said:

Yeah, I understand that, but those machines were indeed connected to the ICT Lab domain (ictlab.int). It actually says  "connect to: ICTLab" under the user and password boxes.  

Okay - totally forget about what it says under the Password box. If you type: "ICTLab\Testuser" into the username field, it'll say Connect to: ICTLab even if the computer is brand new and has never ever connected to that domain.

 

You need to verify that info by opening system properties on the computer that cannot login.

 

It may well be joined, but you need to verify that the correct way.

[Bruno_A]

13 minutes ago, dalekphalm said:

Okay - totally forget about what it says under the Password box. If you type: "ICTLab\Testuser" into the username field, it'll say Connect to: ICTLab even if the computer is brand new and has never ever connected to that domain.

 

You need to verify that info by opening system properties on the computer that cannot login.

 

It may well be joined, but you need to verify that the correct way.

I will do that on Monday (I said I would tomorrow, but I don't have college on Fridays) and then let you know. Thanks a lot for your help!

[dalekphalm]

6 minutes ago, bruny06 said:

I will do that on Monday (I said I would tomorrow, but I don't have college on Fridays) and then let you know. Thanks a lot for your help!

No problem - let us know how it goes.

[Bruno_A]

On 11/2/2017 at 10:52 PM, dalekphalm said:

No problem - let us know how it goes.

Just tried ICTLAB\0000TestU, ICTLAB\TESTUSER, ictlab.int\0000TestU and nothing...

[dalekphalm]

1 minute ago, bruny06 said:

Just tried ICTLAB\0000TestU, ICTLAB\TESTUSER, ictlab.int\0000TestU and nothing...

Okay so at this point you need to log in as a local user, and check system properties to see which Domain these computers are connected to.

[Bruno_A]

1 hour ago, dalekphalm said:

Okay so at this point you need to log in as a local user, and check system properties to see which Domain these computers are connected to.

Just checked in the Windows 10 Settings app. It says it is connected to ICTLAB.

[dalekphalm]

34 minutes ago, bruny06 said:

Just checked in the Windows 10 Settings app. It says it is connected to ICTLAB.

Good - so we've eliminated another domain as the issue.

 

Frankly, at this point, it seems like a permission issue with your various domain user accounts and/or domain user groups.

[Bruno_A]

Just now, dalekphalm said:

Good - so we've eliminated another domain as the issue.

 

Frankly, at this point, it seems like a permission issue with your various domain user accounts and/or domain user groups.

Any idea how I set permissions to groups?

[dalekphalm]

6 minutes ago, bruny06 said:

Any idea how I set permissions to groups?

Try logging into the DC, opening "Active Directory Users and Computers", navigating to your test user, right click and go to "Properties".

 

Then, go to the "Account" tab. Click on "Log On To...", and see what it says.

 

There are two options, "All Computers", or "The following computers".

 

If "All Computers" is set, then they should have permission to log onto any computer joined to that Domain. If the other option is set, there will be a whitelist of allowed computers. You could try changing to the first option, or adding more Computer Names to the list.

 

@leadeater might have additional insight into places you could check for permissions issues.

[Bruno_A]

1 minute ago, dalekphalm said:

Try logging into the DC, opening "Active Directory Users and Computers", navigating to your test user, right click and go to "Properties".

 

Then, go to the "Account" tab. Click on "Log On To...", and see what it says.

 

There are two options, "All Computers", or "The following computers".

 

If "All Computers" is set, then they should have permission to log onto any computer joined to that Domain. If the other option is set, there will be a whitelist of allowed computers. You could try changing to the first option, or adding more Computer Names to the list.

 

@leadeater might have additional insight into places you could check for permissions issues.

God damnit. "All Computers" is selected.

[dalekphalm]

49 minutes ago, bruny06 said:

God damnit. "All Computers" is selected.

"All Computers" is a good thing - well... I guess it's bad, because it means it's not an easy fix

 

I'd check the system clock on the computers and compare them to the DC. The time should be the same (A time mis-match can cause authentication issues).

 

Though honestly I'm just shooting in the dark at this point.

 

Have you asked your IT instructor? Seems like the domain might be fucked.

[Bruno_A]

45 minutes ago, dalekphalm said:

"All Computers" is a good thing - well... I guess it's bad, because it means it's not an easy fix

 

I'd check the system clock on the computers and compare them to the DC. The time should be the same (A time mis-match can cause authentication issues).

 

Though honestly I'm just shooting in the dark at this point.

 

Have you asked your IT instructor? Seems like the domain might be fucked.

My tutor is constantly checking up on me, which is great, as he is obviously very knowledgeable in that matter. Today he suggested restarting the whole server, which might work, or not...But anyway, I guess this whole thing is a challenge, which is why I'm actually enjoying it and is important for me.

[Levisallanon]

Is there a firewall in the system which could prevent the DC to communicate with the Client.
If you log in with a local account are you able to ping the DC from a Client?
I'd sugest removing the client from the domain and try to rejoin to make sure everything works okay here.

[bcguru9384]

all windows computers are default a part of workgroup(named workgroup)

can you push a xml update to your users to change workgroup to lab name thru netsh type add/import xml

[leadeater]

5 hours ago, bruny06 said:

My tutor is constantly checking up on me, which is great, as he is obviously very knowledgeable in that matter. Today he suggested restarting the whole server, which might work, or not...But anyway, I guess this whole thing is a challenge, which is why I'm actually enjoying it and is important for me.

Log on to the computer and run in cmd (as admin) "gpresult /h c:\gpo.htm then copy the html here so we can look at what is applying to computer and what may be preventing login. If you don't want to publish that sort of information in public you can PM me instead with it.

 

It sounds like there is a policy set controlling which users are allowed to log on locally, this is set in GPO and not on the user account properties.

 

Quote

1. Open Group Policy Editor.
2. Expand Computer Configuration\Windows Settings\Security Settings\Local Policies
3. Click on User Rights Assignment

4.Edit "Allow log on locally"

 

Quote

1. Open Group Policy Editor.
2. Expand Computer Configuration\Windows Settings\Security Settings\Local Policies
3. Click on User Rights Assignment

4. Edit "Deny log on locally"

 

That error screenshot you posted is what you get when one of the above policies is set.