After Swing Migration, Users are unable to log into Domain without Local Admin Rights

ivan schlachter

Junior Member
Nov 6, 2008
OK, I'm completely stumped.
We have a SBS 2003 environment. We recently performed a swing migration to upgrade our server (the hardware).
After the upgrade on Monday morning, users came into the office and users were unable to log into the domain from their machines.
However, all of the Domain Admins were able to login fine.
A few users were able to log into the domain only because they had local admin rights to their machines.
I gave everyone local admin rights to their machines and now everyone is logged in.
Obviously this is not the ideal environment.
I foresee utter chaos in our near future if we don't lock down our environment.

My questions are:
1. Why do we need local admin rights to login to the domain?
2. How can we change this so users with "user" rights can log in?
3. What could have changed during the swing migration?

Does anyone have any ideas?
 

ivan schlachter

Junior Member
Nov 6, 2008
If the user does not have local admin rights when attempting to log in, they will get this error,

"You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more information"

Before the migration any domain user was able to log onto any machine on the domain. Now they need local admin rights.

hmmm...

Thanks for responding and any help you can provide.
 

ivan schlachter

Junior Member
Nov 6, 2008
Thanks... The "Allow log on locally" GP looks like our issue. Presently Users and Domain Users are not included in the GP.

Couple questions:

First question:
Do I add Domain Users to the security settings to each particular machine's Local Group Policy Editor or do I add it to the server's Group Policy Object Editor?

Second question:
I am a Domain Admin and a local admin yet these security settings are greyed out. I'm unable to add or remove in this particular Group Policy. Is there a way around this? Registry?

hmmm, any idea?
I really appreciate this help.
 

DrGreen2007

Senior member
Jan 30, 2007
Just to confirm, when you did the swing, the original GPOs were showing up on the tempDC in the GPO console?

They were showing up still when the oldSBS was purged?
They were showing up still when the newSBS was added?

(of course the old+new SBS has the same name and ip right?)
 

RebateMonger

Elite Member
Dec 24, 2005
Domain Group Policies override everything else. Change the Group Policy on the Domain Controller and do a GPUpdate on the desktops.
 

ivan schlachter

Junior Member
Nov 6, 2008
Thanks DrGreen2007 and RebateMonger,

The old and new SBS IP and name are the same.

I didn't even notice if this specific GP was showing up but most of them were.

I'm still having an issue with the security settings being greyed out in "Allow log on locally". I'm unable to add or remove in this particular Group Policy. Is there a way around this? Registry?
 

RebateMonger

Elite Member
Dec 24, 2005
Create a NEW Group Policy on the SBS server and apply it to the client PCs. Be sure to either set the link to "Enforced" ( = no Override) or put it in the right order of linked GPOs so that it'll be the last Policy that gets applied that sets User logon properties.
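
A check for the user right discussed in this thread, as an added example that is not part of any post above: it exports the user-rights assignment on a client with `secedit` and lists who holds `SeInteractiveLogonRight`, the internal name of "Allow log on locally". The function name `Get-InteractiveLogonRight` and the temp file name are assumptions made for this example.

```powershell
# Added example: list the accounts that hold "Allow log on locally"
# (SeInteractiveLogonRight) on this machine. Run from an elevated prompt
# on an affected client, before and after changing the GPO and running gpupdate.

function Get-InteractiveLogonRight {
    param([string[]]$InfLines)   # lines of a secedit USER_RIGHTS export

    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right is not defined in the export

    $value = ($line -split '=', 2)[1]
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'
            $sid = $entry.Substring(1)
            try {
                $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '<unresolved>'   # e.g. SID left over from a removed account
            }
        } else {
            $sid = $null                 # entry is already an account name
            $name = $entry
        }
        New-Object psobject -Property @{ Sid = $sid; Name = $name }
    }
}

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # hypothetical scratch file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$holders = @(Get-InteractiveLogonRight -InfLines (Get-Content $cfg))
Remove-Item $cfg

$holders | Format-Table Name, Sid -AutoSize

# BUILTIN\Users is S-1-5-32-545; Domain Users is the domain SID with RID 513.
$ordinary = $holders | Where-Object {
    $_.Sid -eq 'S-1-5-32-545' -or $_.Sid -match '^S-1-5-21-.*-513$'
}
if (-not $ordinary) {
    Write-Warning 'Neither Users nor Domain Users holds "Allow log on locally" here.'
}
```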