It's official....NOW I hate Active Directory:

Byte-Mixer
Member Since: Dec 04, 2007

So, here we are at work, moseying along just fine. Then I find out the network admin I work with suddenly can't log into his local account. He gets the infamous "Local Policy does not permit you to logon interactively". So, I got back to my own comp to try and dig up some info, and make sure I'm still able to log into my old local account. Of course, I get the -inverse- problem. I can log in to my local computer just fine, but when I go back to log back into the Active Directory account on my machine...I get the same message.

And so, 4 hours of troubleshooting pass, and I'm no closer to any answers, and the other guy we work with was already gone for the night. Though, we did call him at home for some suggestions, which...didn't work. Yeah, I'm gonna have to talk to him in the morning, because my Active Directory account holds the current inventory and expenses for the Lab I work with.

FUN!

Meh, this was just a generic rant, and I like to bash MS when I get a chance ;)

It is likely that it's just something that is really simple, and as f'd up as the AD structure is (someone not related to our IT dept. set up the structure) we may just not be seeing the problem....or the forest for the trees....pun intended.

-Jim



Czar of Midi
Administrator
Since: Apr 04, 2002


Feb 03, 2009 09:25 pm

Sweet, I'm not the only one then that gets driven nuts by idiots.

Sorry to hear the frustration. Been there, done that.

Got no suggestions though, as the situation has not arisen exactly like that one.

Eat Spam before it eats YOU!!!
Member
Since: May 11, 2002


Feb 03, 2009 10:05 pm

Just think of it as being 'totally secure' :)

What solutions have you tried?


And as a last resort... Is this something that could be mounted in a Linux box and have root just ignore any sense of permission to get critical files? ...at least while you're locked out...

Byte-Mixer
Member
Since: Dec 04, 2007


Feb 04, 2009 01:48 am

Yeah, I think I have an Ubuntu live CD around somewhere, if I can find it. Else, I'll download and burn another one. Problem is, though, if something happened system-wide, and nobody can access their accounts...well, let's just say KABOOM!

Edit/
Oh, right, as to what we've tried, basically going through the active directory manager, and trying to find anything that looks off in the users security settings and policies. But there weren't any deny by defaults, and it didn't look like anything was being overridden. The network guy tried adding his account into another group to force it to log in, and it almost worked. Except just as it logged in, and indicated loading settings, it blinked back, and instantly logged back out. After which point, I left, since it was already 2:30hr past my normal quitting time, and I'd pretty much exhausted my end of things.
/Edit

But yeah, I can use a Linux disc and mount the hard drive to grab everything under my account. I'm kinda saving that for last resort. I'm hoping the resident MS guru will have some idea as to what's happening. I don't work with Active Directory myself, and the network admin, the "Linux brat", was kinda pushed into working with AD.

I swear that acronym is just 2 letters short of being something lethal.

I'm sure we'll figure something out. I just hope it's us two, and not the whole building that has the problem.

-J

P.S. what do you get when you mix Active Directory with Information Systems? yeah....

Eat Spam before it eats YOU!!!
Member
Since: May 11, 2002


Feb 04, 2009 08:20 am

I'm not familiar with AD myself, but it looks like the problem is related to this:
support.microsoft.com/kb/841188

Not really a user permission but a nested group permission.

Administrator
Since: Apr 03, 2002


Feb 04, 2009 08:24 am

I am just now starting to work with AD, luckily my company is very small and permissions are pretty open, so I can learn in a relatively stable, growing environment to learn as it grows.

That said, stories like this scare me.

Byte-Mixer
Member
Since: Dec 04, 2007


Feb 04, 2009 12:46 pm

Well, a little good news: Got mine working. Apparently there was a change in the group policy over on the other side, elsewhere on campus, by the guys who actually administer the Exchange servers.

Problem with mine was, even though the account existed, when we migrated over from the old account, my username was never added into the group, so I didn't have the proper status to log in. I was having problems yesterday, because my old account was switched to limited/user status, so I couldn't control or fix anything.

Luckily, the MS guru still had his account from when he set up for the migration, so he could get in, and add me to the proper group. Worked like a charm. However, he did not grant me admin status, so I'll have to get the network guy to give that back to me, since I kinda need it for some of the work I do with him.

Network guy was a slightly different situation since it involved his local account, not AD. So, I'll have to get with him later today to see if he managed to get it resolved or not. The resolution should be similar though.

In retrospect, I truly and verily miss working on the Linux prototype e-mail server we were getting going before the switch over. We were very close to having it production-ready. We put a lot of time into that little guy, and we could have put it up against any email server on campus and not so much as blink. Even had some nice client-side visuals using SquirrelMail and WebCalendar, which I had implemented. -sigh- but I guess it's all water under the bridge now. The people above us wanted the whole groupware experience. I miss the good old days. :P

-J
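The two posts above (the pointer to nested group permissions, and the discovery that the migrated account was never added to the right group) describe the same diagnostic problem: a user's direct memberships look fine, but the groups that actually carry the "log on locally" right are reached only through nesting. The following is an added example, not code from this thread or from Microsoft. It models a small directory with nested groups (all group and user names, including the `jsmith.new` migrated account, are constructed), resolves a user's transitive membership the way a logon token would see it, and evaluates a simplified "Allow log on locally" / "Deny log on locally" policy in which a deny entry always wins. The functions `effective_groups`, `logon_token`, `logon_decision` and `can_log_on_locally` are names chosen for this example.

```python
"""Resolve nested group membership and evaluate a workstation's
"Allow log on locally" right for a user.

Added example, not code from the thread or from Microsoft. The directory
contents, group names and user names below are constructed, and the policy
model is a simplification of Windows user-rights assignment: a user may log
on interactively only if some group in their token is granted the right and
no group in their token is denied it.
"""
from collections import deque

# Constructed sample directory: group name -> direct members.
# Members may be users or other groups, which is exactly why a glance at a
# user's direct memberships is not enough to explain a logon failure.
GROUPS = {
    "Domain Users":       ["jsmith", "jsmith.new", "nadmin"],
    "Lab Staff":          ["Lab Inventory", "nadmin", "Lab Staff Alias"],
    "Lab Staff Alias":    ["Lab Staff"],          # deliberate nesting cycle
    "Lab Inventory":      ["jsmith"],             # jsmith.new was never added here
    "Workstation Logon":  ["Lab Staff"],
    "Workstation Admins": ["nadmin"],
}

# Constructed local security policy on the workstation.
ALLOW_LOG_ON_LOCALLY = {"Administrators", "Workstation Logon"}
DENY_LOG_ON_LOCALLY = {"Contractors"}
LOCAL_ADMINISTRATORS = {"Workstation Admins"}   # members of local Administrators


def effective_groups(principal, groups=GROUPS):
    """Every group the principal belongs to, directly or through nesting.

    Breadth-first walk over reverse edges (member -> containing groups)
    with a visited set, so the nesting cycle in the sample terminates."""
    containing = {}
    for group, members in groups.items():
        for member in members:
            containing.setdefault(member, set()).add(group)
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group in containing.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def logon_token(principal, groups=GROUPS, local_admins=LOCAL_ADMINISTRATORS):
    """Approximate the groups in the user's logon token: the transitive
    domain groups, plus local Administrators if any of them is nested there."""
    token = effective_groups(principal, groups) | {principal}
    if token & local_admins:
        token.add("Administrators")
    return token


def logon_decision(principal, groups=GROUPS,
                   allow=ALLOW_LOG_ON_LOCALLY, deny=DENY_LOG_ON_LOCALLY):
    """Return (allowed, reason). A matching deny entry always wins; otherwise
    the user needs at least one token group that holds the right."""
    token = logon_token(principal, groups)
    denied = sorted(token & deny)
    if denied:
        return False, "denied via " + ", ".join(denied)
    granted = sorted(token & allow)
    if granted:
        return True, "granted via " + ", ".join(granted)
    return False, "no token group holds the right; token = " + ", ".join(sorted(token))


def can_log_on_locally(principal, groups=GROUPS):
    """Boolean form of logon_decision, for quick checks."""
    return logon_decision(principal, groups)[0]


if __name__ == "__main__":
    for user in ("jsmith", "jsmith.new", "nadmin"):
        print(user, logon_decision(user))
    # The fix described in the thread: add the migrated account to the
    # group it was missing from, then re-evaluate.
    fixed = {g: list(m) for g, m in GROUPS.items()}
    fixed["Lab Inventory"].append("jsmith.new")
    print("jsmith.new after fix", logon_decision("jsmith.new", fixed))
```

Run as a script it prints why each constructed user is or is not allowed to log on, and shows the migrated account going from denied to granted once it is added to the one group it was missing from. The reason string is the part worth keeping in a real diagnostic: the error message the thread quotes says nothing about which group was expected, so listing the token alongside the allow and deny sets is what turns a dead end into a one-click fix.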

Prince CZAR-ming
Member
Since: Apr 08, 2004


Feb 04, 2009 02:40 pm

heh, maybe that should be 'group WHERE?'

I remember Lotus Notes at EDS. Man, did I not like that system.

Barely used it at all, even though it was the company default. I used it for email, and that was pretty much it.

Administrator
Since: Apr 03, 2002


Feb 04, 2009 02:42 pm

Lotus...argh, they still used that in a place I worked a couple years back...jeezuz, what a nightmare of an application...

Byte-Mixer
Member
Since: Dec 04, 2007


Feb 04, 2009 04:23 pm

All's well that ends well, OR: -Always- check the Advanced tab.

So he has his problem fixed now, and our logic from last night was spot on. It's just he was literally one click away from correcting his problem. He was reluctant to check the advanced tab under the security policy section, for fear of having to correlate weird strings of characters. However, all he had to do was check the advanced tab to actually add himself. Well, chalk it up for future reference I guess.

I'm almost tempted to get some sort of MSAD certification after this in case I have to work with it in the future..... ..... naaaaah, I'll be fine with a CCNA, which I'm currently studying for.

-J

Czar of Midi
Administrator
Since: Apr 04, 2002


Feb 04, 2009 05:34 pm

Quote:
That said, stories like this scare me.


As well it should. I have nightmares about some issues we have had with it.
