IT Share NVP - ViettechgroupVN - Phuong Nguyen Blog | Knowledge is Sharing | Sharing Makes Us Stronger

A User Account Restriction Is Preventing You From Logging On


Today we saw an issue after upgrading the forest level and domain level from 2008 to 2016 at a customer.

Soon after the upgrade admins started seeing problems when connecting with RDP to the domain management servers:

“A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.”

This is what it looked like:

After some googling we found out that this was related to the use of Protected Groups. Some features of the Protected Users group only kick in when the domain functional level is Windows Server 2012 R2 or higher.

The easiest way to fix this is to use remote PowerShell, since it is not affected by the restriction.

Start by checking if your admin account is a member of the Protected Users group:

$Cred = Get-Credential
$Grp = Get-ADGroup -Identity "Protected Users" -Credential $Cred -Server dc01.e365m.local -Properties member
$Grp.member | fl

Assuming your account is in the list generated by the previous commands, you can remove the membership using the Remove-ADGroupMember command:

Remove-ADGroupMember -Identity "Protected Users" -Members myAdmAccount -Credential $Cred -Server dc01.e365m.local

With your membership of the Protected Users group removed, you can again log in using RDP and use the GUI tools to make any additional changes to Protected Users.
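
The check-and-remove steps above combined into one script, as an added example that is not part of the original post. It goes slightly beyond the post by reporting the domain functional level and detecting membership through nested groups; the server and account names are the ones used in the post, and the commented re-add step is an assumed follow-up.

```powershell
# Added example (not from the original post). Server and account names are the
# ones used in the post; run from a host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Server  = 'dc01.e365m.local'
$Account = 'myAdmAccount'
$Group   = 'Protected Users'
$Ad      = @{ Server = $Server; Credential = Get-Credential }

# Domain-side Protected Users restrictions apply only at Windows Server 2012 R2
# domain functional level or higher, which is why the upgrade triggered the issue.
$Domain = Get-ADDomain @Ad
Write-Output "Domain functional level: $($Domain.DomainMode)"

# Compare by distinguished name; -Recursive also finds membership via nested groups.
$User      = Get-ADUser -Identity $Account @Ad
$Direct    = @(Get-ADGroupMember -Identity $Group @Ad)
$Effective = @(Get-ADGroupMember -Identity $Group -Recursive @Ad)

if ($Direct.DistinguishedName -contains $User.DistinguishedName) {
    # Direct member: remove it (prompts for confirmation), then verify the result.
    Remove-ADGroupMember -Identity $Group -Members $User -Confirm @Ad
    $Still = @(Get-ADGroupMember -Identity $Group @Ad).DistinguishedName -contains $User.DistinguishedName
    Write-Output "Still a direct member after removal: $Still"
    # To put the account back later (assumed follow-up, not in the post):
    # Add-ADGroupMember -Identity $Group -Members $User @Ad
}
elseif ($Effective.DistinguishedName -contains $User.DistinguishedName) {
    # Remove-ADGroupMember only acts on direct members, so report the nesting instead.
    Write-Warning "$Account is in '$Group' through a nested group; change that group's membership instead."
}
else {
    Write-Output "$Account is not in '$Group'; the logon restriction has another cause."
}
```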

Good luck to you

Source reference:

Phuong nguyen
