Domain Administrator cannot logon to SBS 2003 LOCALLY

Discussion in 'Security Software' started by Matthew, Jan 24, 2006.

  1. Matthew

    Matthew Guest

    Hi, I have a serious error with one of my servers. It is a SBS Server 2003
    running a domain, dns, dhcp and AD. Up until late last year I have not had
    any issues with this, no new software or hardware has been added either in
    the past 6 months.
    I noticed that the daily backups were failing so I tried to logon to the
    server locally as domain administrator, and the server popped up a message
    'The user has not been granted the requested logon type at this machine'! So
    I tried to remote desktop in to the server and to my surprise I logged on
    successfully as domain administrator. I have got Veritas Backup Exec 10
    installed and the services run as domain/Administrator, Backup Exec was
    reporting that backups could not be run using this account as login access
    was not granted for the domain\administrator !!!!

    So I started to look at the event viewer, and found this log from when I
    tried to logon locally:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 534
    Date: 24/01/2006
    Time: 09:31:58
    User: NT AUTHORITY\SYSTEM
    Computer: CMI-SERVER
    Description:
    Logon Failure:
    Reason: The user has not been granted the requested
    logon type at this machine
    User Name: Administrator
    Domain: CMI
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: CMI-SERVER
    Caller User Name: CMI-SERVER$
    Caller Domain: cmi
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 4168
    Transited Services: -
    Source Network Address: -
    Source Port: -

    Any help on this matter would be a godsend, as I have been searching all over
    the place for the event error 534 and cannot find anyone with a similar
    problem.

    I have checked the local security policy and everything looks in order.

    Kind Regards
    Matt
     
    Matthew, Jan 24, 2006
    #1

  2. Well, in group policy there is a section named User Rights, and some of
    these control login privileges. In this case the two that deal with local
    login (one granting and one denying) are involved.
    You need to either
    - locate which GPO is setting this value so that Domain Admins do not
      have a local login grant and adjust so they do
    or
    - locate a dominating GPO applied to the Domain Controllers OU and
      set in it, if it is not already there (i.e. prior case), the grant of
      the user right to log in locally so that the needed groups and only the
      needed groups are allowed.
    The User Rights section is in the Computer / Security settings / Local
    policy branch.

    The bigger question is whether the change is only a symptom of worse
    circumstances. That is, something actively made the change, unless you
    can figure out someone who did.

    I have concern when you mentioned Veritas Backup. At least twice in
    the past half year a machine unshielded from untrusted networks will
    have been compromised even if the owner was installing Veritas patches
    and updates on the day they were released (i.e. the releases were
    reactive to active exploitations for their product's flaws).
     
    Roger Abell [MVP], Jan 24, 2006
    #2
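An added example, not part of either post above: a small Python check that maps the Logon Type in an event 534 to the pair of user rights (grant and deny) that gate it, then looks those rights up in the `[Privilege Rights]` section of a `secedit /export /cfg` file. The INF content and the token SID list are constructed sample data, and the function names are hypothetical.

```python
import re

# Logon Type in the event -> (grant right, deny right) that gates that logon.
LOGON_RIGHTS = {
    2: ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),    # console
    3: ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    4: ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
    5: ("SeServiceLogonRight", "SeDenyServiceLogonRight"),
    10: ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),  # RDP
}

def logon_type(event_text):
    m = re.search(r"Logon Type:\s*(\d+)", event_text)
    if m is None:
        raise ValueError("no 'Logon Type' field in event text")
    return int(m.group(1))

def privilege_rights(inf_text):
    """Parse the [Privilege Rights] section of a `secedit /export` file."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def diagnose(event_text, inf_text, token_sids):
    """Return (status, right) for the account whose SIDs are in token_sids."""
    grant, deny = LOGON_RIGHTS[logon_type(event_text)]
    rights, who = privilege_rights(inf_text), {s.lower() for s in token_sids}
    if who & rights.get(deny, set()):
        return ("denied", deny)          # a deny entry overrides any grant
    if not who & rights.get(grant, set()):
        return ("not_granted", grant)
    return ("ok", grant)

# Constructed sample data: Administrators (S-1-5-32-544) is missing from the
# local-logon grant but present in the Remote Desktop grant.
SAMPLE_INF = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-551,*S-1-5-32-549
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight =
"""
EVENT_534 = "Event ID: 534\nUser Name: Administrator\nLogon Type: 2\n"
ADMIN_TOKEN = ["S-1-5-32-544"]  # assumed group membership of the account

if __name__ == "__main__":
    print(diagnose(EVENT_534, SAMPLE_INF, ADMIN_TOKEN))
```

With this sample data a Logon Type 2 attempt is reported as not granted while a Logon Type 10 attempt passes, the same split between console and Remote Desktop logon that the first post describes.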
