[Active Directory] Account Access Issue Solved

Question

Hello,

When one of my users tries to log in to the PC off the Network, the connection is refused. Certain GPOs are applied, and I think that the problem comes from there.

Message received when trying to connect to a laptop (for example) that is not connected to the company's network:
"The system could not log in because the domain NOMDOM is not available."

PS: the domain administrator account works.

Thank you in advance,

Kinou

Configuration: Windows XP Firefox 2.0.0.11

funkter · Accepted Answer

Kinou, I see what you're talking about.

By default, when a user logs into the domain for the first time on a workstation, their credentials are cached locally.
If they shut down the PC, unplug the network cable, restart, and reconnect to the domain, it also works because the local credentials are consulted.

You need to edit with GPMC the policy called

Interactive logon: Number of previous logons to cache.
In your case, it should probably be set to 0.

It's located in local security policies -> security options

The corresponding registry key on the workstation is
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon\
ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0 - 50 (10 by default)

florian91 · Answer

The PC is offline, so it's normal that it can't access your domain.

kinou592 · Answer

Florian, I doubt that the PC will connect to the domain, but at my previous company, you could still connect your laptop at home (for example) with the same account as the work one, meaning the domain account.

florian91 · Answer

thanks to the VPN, right?

kinou592 · Answer

No Florian.

Imagine your company gives you a new laptop. When you are in the office connected to the network, it works. Now you go home, you want to work to catch up, but you don't need the network since it's a local file. You log in with the same work account. The issue is that in my case, my users can't do that, so I had to create a local account for them. I can't even begin to tell you the mess. Just with Outlook!!!! Lol.

Do you understand my problem?

Quentin

florian91 · Answer

Is the local file you're talking about the roaming profile? It only works when you are on a network, and your users can go on any PC while always having their profiles.
But to access it from home, I think a VPN is necessary.

kinou592 · Answer

No, it’s not a mobile profile that I want to create.   A mobile profile is primarily used when you work in multiple positions. That’s not the case for me.

florian91 · Answer

Well, it's a VPN!!! I see that as a possible solution.

kinou592 · Answer

Florian  I think you haven't understood my problem.  I'm not looking to connect to networks outside the company, but just to be able to use the PC.  So for that, I need to be able to authenticate on my account, but right now it doesn't work.

florian91 · Answer

I don't think we understood each other.  Do you want your users to be able to connect to the company's domain from home?

kinou592 · Answer

No, I just want them to be able to use their account to authenticate at home.

florian91 · Answer

the account they have on Active Directory?

kinou592 · Answer

login: toto
password: tintin
domain: WORLD

if I am connected, ok it works

if I am not connected -> error message: "The system could not log on because the domain WORLD is not available."

Personally, I think it's due to a GPO.

Joe.lebarjo · Answer

If I understood your issue correctly... You want to use your phone without any connection to the AD domain...

On your computer, at the login screen, there is a box where your User ID and password are located...

Just click on Options... > And choose computername (This computer) instead of domainname (server)

Beware, your credentials will not work if they have not been configured beforehand on your LOCAL machine (and not AD)
By default on WinXP Pro, the account is Administrator (empty password)... and this is true for all PCs purchased with a pre-installed version, I believe.

In the worst-case scenario, you can search your favorite engine for "default credentials (yourversion)"

There you go, hoping to have clarified things for you

See you++

kinou592 · Answer

Yes, okay, it's going to work, but I don't want to create a local account on the PCs, and that's what's currently in place.

I want my PC to save the domain account password so that I can log in later even if it doesn't have access to the controller.

Joe.lebarjo · Answer

huuuuummm.... You want to log in to a computer that requires authentication from a server that doesn't exist (since your workstation is not connected to the local network)

That seems quite unlikely... Maybe a checkbox to validate on the AD account, but I don't have anything on hand to test it...

Ps: If you create a LOCAL account with the same credentials as the Network account, the computer will kindly remember your credentials. But apparently you don't want to create local accounts...

If you find something... let us know

Cheers++

kinou592 · Answer

The issue is resolved, but I still haven't found the real solution.

I removed the PC from the organizational unit where a GPO is applied and placed it in computers.
I ran a gpupdate /force to apply the new account policies.
I restarted the computer.

So the issue definitely comes from my GPO.

I will look for the GPO settings to modify later.

For now, I will leave it like this.

If someone is motivated... lol

Thank you

Kinou

kinou592 · Answer

Hello,  This may come from two GPOs,  Either this one (but I don't think so):  Action at logoff from the server Enabled Specifies how the system should respond when a network server becomes unavailable. Action: Work offline Never work offline = The server files are not available on the local computer Work offline = The server files are available on the local computer  Or this one  Interactive logon: number of previous logons performed using the cache (when no domain controller is available) 10 Logons Automatically enroll certificates Enabled Renew expired certificates, update pending certificates, and remove revoked certificates Disabled Update certificates that use certificate templates Disabled Allow users to encrypt data using EFS (Encrypting File System) Enabled Allow users to select new root certification authorities to approve Enabled Client computers can trust the following certificate stores Third-party root certification authorities and enterprise root certification authorities To perform certificate-based authentication for users and computers, the certification authorities must meet the following criteria Active Directory enrollment only Allow non-administrators to receive update notifications Disabled Allow immediate installation of automatic updates Enabled Automatic updates configuration Enabled Automatic update configuration: 4 - Download and schedule installation The following settings are not necessary and apply only if option 4 is selected. Scheduled installation day: 0 - Every day Scheduled installation time: 12:00 Automatic updates detection frequency Enabled Check for updates at the following interval (hours): 1 Do not display the 'Install updates and shut down' option in the Windows Shut Down dialog Disabled Do not modify the default 'Install updates and shut down' option in the Windows Shut Down dialog Disabled No scheduled restart for scheduled installations of automatic updates Enabled Specify the intranet location of the Microsoft Update service Enabled Configure the intranet update service for update detection: http://****** Configure the intranet statistics server: http://****** (for example: http://IntranetUpd01) DNS suffix search list Enabled DNS suffixes: ********** Action at logoff from the server Enabled Specifies how the system should respond when a network server becomes unavailable. Action: Work offline Never work offline = The server files are not available on the local computer Work offline = The server files are available on the local computer  thank you  Kinou

Frankoye · Answer

Activate offline files and bingo!

Frankoye · Answer

It's not complicated to fix your login problem outside of the network. You need to activate offline files in the workstation folder options, and bingo!

FoX'x · Answer

Hi Kinou  Are your domain user accounts stored on the local machines?  FoX'x

LoL · Answer

It’s not possible, are they doing it on purpose not to understand or what? -__-
Having the same problem right now, I was despairing of seeing someone who understands when I see the answers that are completely off the mark.
Thanks to funkter.

Lephoceen64 · Answer

Maybe we need to switch the profiles to "local profile" There's an option to check.... (I don't remember where, I stumbled upon it by chance today, while looking for something completely different...)

Mathieu Lamour · Answer

The local security strategy needs to be modified (Via GPO or directly)
Via GPO:
Computer configuration
Windows settings
Security settings
Local policies
User rights assignment
Security options
Policy "Allow local security logon"
Add the desired group without forgetting the commonly authorized accounts:

Account operators
Administrators
Backup operators
Print operators
Server operators

It should be better

Cautex · Answer

It can also come from the fact that the AD account has accents; I solved the problem by removing them.

[Active Directory] Account Access Issue

25 réponses

How to get the character µ on the android keyboard.

Texture issues in enshrouded

Access issue to my "contact me" profile

Windows spotlight is not working.

My tv turns off and then on again repeatedly?

Executable from a python file

Pay in 4 installments cdiscount

The alt gr key is not working on my keyboard.

Code 80072efe how to get windows update working again

Video in ".3gp" format