i've just re-built my win2k domain after a dc crash, & the "domain users" group is unable to
logon to any of my wkstns. they're getting eventid: 533 - your user acct is not configured
to allow you to use this computer, please find another.
so, i checked my domain security policy, under user rights assignment to see if the correct
setting was made. the following appears under the "logon locally" setting:
Administrators
NAME\Domain Admins
NAME\Domain Users
SYSTEM
SERVICE
(**NAME, being the domain name)
so, i checked their individual user accts under the "account" tab to make sure that the
default setting under the "logon to" button was still set to "all computers," which it was.
then i checked the individual wkstns to make sure that the domain policy was being applied.
both Domain Admins & Domain Users were found under each wkstn's "logon locally" setting
under their Local Security Policy. i then enabled NetBT on each of the wkstns, to see if
that would help, but it didn't.
in addition to support.microsoft, & microsoft.com/technet searches, i've run a forum search &
found this post:
http://www.ntcompatible.com/vb/showthread.php?s=&threadid=18209&highlight=event+533
unfortunately, it did not shed any light on my situation, however, it seemed that his
problem was solved by manipulating this "logon locally" setting. however, the setting that
he said he switched seems to be correctly applied in my case.
i haven't applied any security templates, & the "logon locally" setting is one of only a few
domain user rights assignment policies that i've defined. IPSec is not running, nor are any
IIS or terminal services.
ONE VERY STRANGE THING: ALL users can logon to my sole DC. only the wkstns are giving me
this problem. i also checked for differences between my domain security policy, & my domain
controller security policy, & could find no glaring differences.
i'm tempted to "undefine" the "logon locally" user right assignment altogether, but would
like some security in the domain. PLEASE HELP.....