Os usuários do domínio do Windows 2008 não podem fazer logon mesmo que a Diretiva de Grupo Padrão permita logon local

1

Instalei o Windows 2008 Server Standard R2 e instalei o AD / DNS Server. Depois disso, não consigo fazer logon de um usuário local que eu criei.

"Você não pode fazer logon porque o método de logon que você está usando não é permitido neste computador"

Eu tentei excluir e recriar o usuário, mas não adiantou. Há muitos casos em que esse erro foi relatado na web, e tenho tentado todas as soluções sugeridas que posso encontrar e fazer nas últimas três horas.

Ainda posso fazer logon usando a conta de administrador que é o administrador do domínio. Uso do Gerenciamento de Diretiva de Grupo (Diretiva de domínio padrão - > Configuração do computador - > Políticas - > Configurações do Windows - > Configurações de segurança - > Políticas locais - > Atribuição de direitos do usuário). Eu habilitei "Permitir logon localmente" e adicionei "Usuários do domínio". Não funciona - até tentei "Everyone".

Veja algumas informações sobre o usuário.

User name                    joshua
Full Name                    joshua
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/12/2015 7:24:55 AM
Password expires             Never
Password changeable          3/13/2015 7:24:55 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   3/12/2015 9:06:45 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

Aqui está a saída gpresult:

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/12/2015 at 8:46:39 AM


RSOP data for mydomain\administrator on WIN2K8SERVER : Logging Mode
------------------------------------------------------------------------

OS Configuration:            Primary Domain Controller
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WIN2K8SERVER,OU=Domain Controllers,DC=mydomain,DC=local
    Last time Group Policy was applied: 3/12/2015 at 8:43:12 AM
    Group Policy was applied from:      win2k8server.mydomain.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        mydomain
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        WIN2K8SERVER$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        Denied RODC Password Replication Group
        System Mandatory Level

    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MaxRenewAge
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            MaxServiceAge
                Computer Setting:  600

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            MaxClockSkew
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MaxTicketAge
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  24

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            GPO: Default Domain Controllers Policy
                Policy:            MachineAccountPrivilege
                Computer Setting:  Authenticated Users

            GPO: Default Domain Controllers Policy
                Policy:            ChangeNotifyPrivilege
                Computer Setting:  Everyone
                                   LOCAL SERVICE
                                   NETWORK SERVICE
                                   Administrators
                                   Authenticated Users
                                   Pre-Windows 2000 Compatible Access

            GPO: Default Domain Controllers Policy
                Policy:            IncreaseBasePriorityPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            TakeOwnershipPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            RestorePrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators

            GPO: Default Domain Controllers Policy
                Policy:            DebugPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            SystemTimePrivilege
                Computer Setting:  LOCAL SERVICE
                                   Administrators
                                   Server Operators

            GPO: Default Domain Controllers Policy
                Policy:            SecurityPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            ShutdownPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators
                                   Print Operators

            GPO: Default Domain Controllers Policy
                Policy:            AuditPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE

            GPO: Default Domain Controllers Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
                                   Backup Operators
                                   Account Operators
                                   Server Operators
                                   Print Operators

            GPO: Default Domain Controllers Policy
                Policy:            CreatePagefilePrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            BatchLogonRight
                Computer Setting:  Administrators
                                   Backup Operators
                                   Performance Log Users

            GPO: Default Domain Controllers Policy
                Policy:            NetworkLogonRight
                Computer Setting:  Everyone
                                   Administrators
                                   Authenticated Users
                                   ENTERPRISE DOMAIN CONTROLLERS
                                   Pre-Windows 2000 Compatible Access

            GPO: Default Domain Controllers Policy
                Policy:            SystemProfilePrivilege
                Computer Setting:  Administrators
                                   NT SERVICE\WdiServiceHost

            GPO: Default Domain Controllers Policy
                Policy:            RemoteShutdownPrivilege
                Computer Setting:  Administrators
                                   Server Operators

            GPO: Default Domain Controllers Policy
                Policy:            BackupPrivilege
                Computer Setting:  Administrators
                                   Backup Operators
                                   Server Operators

            GPO: Default Domain Controllers Policy
                Policy:            EnableDelegationPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            UndockPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            SystemEnvironmentPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            LoadDriverPrivilege
                Computer Setting:  Administrators
                                   Print Operators

            GPO: Default Domain Controllers Policy
                Policy:            IncreaseQuotaPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE
                                   Administrators

            GPO: Default Domain Controllers Policy
                Policy:            ProfileSingleProcessPrivilege
                Computer Setting:  Administrators

            GPO: Default Domain Controllers Policy
                Policy:            AssignPrimaryTokenPrivilege
                Computer Setting:  LOCAL SERVICE
                                   NETWORK SERVICE

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            LSAAnonymousNameLookup
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            TicketValidateClient
                Computer Setting:  Enabled

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59013
                ValueName:         MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59043
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59044
                ValueName:         MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59058
                ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                Computer Setting:  1

            GPO: Default Domain Controllers Policy
                Policy:            @wsecedit.dll,-59018
                ValueName:         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
                Computer Setting:  1

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=mydomain,DC=local
    Last time Group Policy was applied: 3/12/2015 at 8:44:25 AM
    Group Policy was applied from:      win2k8server.mydomain.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        mydomain
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Domain Admins
        Enterprise Admins
        Schema Admins
        Denied RODC Password Replication Group
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Enable computer and user accounts to be trusted for delegation
        Increase a process working set
        Add workstations to domain

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
    
por Joshua Lim 12.03.2015 / 17:37

1 resposta

3

Não existe um usuário local em um controlador de domínio. Você deve usar sua conta de administrador de domínio para fazer logon e criar usuários do domínio.

Tenho certeza de que todas as contas locais devem ser migradas para o AD, mas, de qualquer forma, parece que algo deu errado.

Tente criar um novo usuário?

P.S. Se você ainda não editou a Política de Domínio, definitivamente não precisará fazer isso. Na verdade, você não precisa fazer nada para "consertar" isso e eu diria que, se isso é realmente um problema técnico real (ao invés de um erro) então eu apenas achatava a caixa e comece de novo porque a última coisa que você precisa é de um DC instável.

    
por 12.03.2015 / 17:53