The statement was in the scenario of my clients wanting a proof of concept completed, not in the scenario of the proverbial hitting the fan.
I will now go of and check through the list you just sent. Regards Mark -----Original Message----- From: "joe" <[EMAIL PROTECTED]> Date: Wed, 18 May 2005 15:12:54 To:<[email protected]> Subject: RE: [ActiveDir] Unable to log you on because if an account restriction The questions I thought of 1. Are the GCs responding to queries on the GC ports? 2. Do you have replication errors on any domain controllers? Have you verified replication is actually working by dropping a rock in the pond and making sure the ripples hit all DCs (i.e. something new you create goes everywhere)? 3. Create a new user, verify it replicates properly. Once done, does it work? 4. Can you authentiate users for non-interactive logon sessions, i.e. through net use /user or runas or credential based ldap queries? What about if you use IP addresses for the connections instead of names? 5. Is there anything of interest in the network sniffs when doing the auth? Specifically look at the admin interactive logon versus the user interactive logon, where does it break down. Ditto for methods from #4 as well. Just as an aside, I find this statement "I have restored many forests in DR situations and never experienced this issue beforer." to be quite scary. :o) joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, May 18, 2005 2:37 PM To: [email protected] Subject: Re: [ActiveDir] Unable to log you on because if an account restriction I get it when logging on directly to the DC; member server and workstation Additionally I get the same message if I try to logon to the DC using the administrator account from another domain. Mark -----Original Message----- From: "Al Mulnick" <[EMAIL PROTECTED]> Date: Wed, 18 May 2005 13:06:15 To:<[email protected]> Subject: RE: [ActiveDir] Unable to log you on because if an account restriction Are you trying to logon to the domain controller directly? Do you get the same result when logging on with a workstation that's a member of the newly restored domain properly? Al -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, May 18, 2005 12:31 PM To: [email protected] Subject: Re: [ActiveDir] Unable to log you on because if an account restriction I have already done that, And no joy. Regards Mark -----Original Message----- From: "Rick Kingslan" <[EMAIL PROTECTED]> Date: Wed, 18 May 2005 09:36:02 To:<[email protected]> Subject: RE: [ActiveDir] Unable to log you on because if an account restriction Mark, This may be a bit bizarre, but are you certain that when you restored the DCs that the passwords of the accounts went with them? I'm not certain why this might have occurred, but remember that there is an account restriction that would apply that REQUIRES a password for all principals. And, at the moment I'm not sure that it applies to the Administrator account but I would think that it does. You are using the administrator acount and a password, yes? So, what I'd suggest is to go in as the Admin, and reset the password of a another user and have that user try and log in. Let us know how that works. -rtk -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, May 18, 2005 6:15 AM To: [email protected] Subject: [ActiveDir] Unable to log you on because if an account restriction Dear all, I have just performed a disaster recovery of our Windows Server 2003 forest and I am now receiving the message "Unable to log you on because if an account restriction" when I try to logon with any account apart from the administrator account. I have a two domain forest X.com and child.x.com When the DC's were first restored and were not communicating with Each other I could logon using any account, now that the DC's are talking and replicating I cannot, now only the administrator account works. I have ensured the GPO's are set correctly, I can see nothing obvious in the event logs so now it's time to ask my peers if they have experienced any such issues. I have restored many forests in DR situations and never experienced this issue beforer. Thanks in advance. Mark List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
