Blah blah AD blah blah.

For some reason, I have a Windows XP SP3 workstation that refuses to let a particular domain admin account log on. The account can be used on multiple other workstations in this lab setting, and I've verified simple stuff like the account name/password being correct. The local machine doesn't have any error log info relating to this, nor does either of my DC's (both Server 2k3, not that I'd think that would matter).

The machine has been removed from the domain, object deleted, then re-joined to the domain and placed back in it's correct OU. Policies have been reapplied to it.

The account in question does not have any logon limitations, i.e. it's allowed to login on all machines on my domain. Other domain admin accounts can login on the machine without any problems. It seems to be limited to this one account.

So far Mr. Google is giving conflicting or unhelpful answers, so I thought I'd invoke the TWW Hive Mind. What say you?

10/12/2009 4:17:43 PM

turn on failure auditing for logon events (if it's not already on) and take a look at the failures in the security log of the DC it is authenticating to.

do you have any GPOs that might be interfering?

10/12/2009 4:34:34 PM

Caps lock is on.

10/12/2009 4:51:08 PM

Caps lock.

k seriously.. i'd log on with a local admin account, take it out of the domain and then add it back.

[Edited on October 12, 2009 at 4:54 PM. Reason : a]

10/12/2009 4:53:45 PM

^^ thanks

^ already did that, unfortunately. was one of the first things I thought of.

10/12/2009 4:56:00 PM

ok, so the issue ended up being WMI connections being disallowed by DCOM. so, um, nevermind.

10/12/2009 6:04:36 PM

so you weren't trying to log on interactively? that bit of information would have helped, haha

10/12/2009 6:30:19 PM

yeah, i thought about that later. lol. actually i had two problems... the first of which was that when i DID try to login interactively, i was using the wrong password.

but the dcom thing was what actually started me trying to figure out what was going on.

background: i'm testing out a new piece of inventory/status/helpdesk software called Spiceworks. it lets you do network scans of machines via WMI on Windows, SSH on Mac, SNMP for other stuff. WMI and DCOM are configured correctly on other machines (I inherited this domain), so I didn't have any reason to think that it was teh busted on this one computer.

10/12/2009 7:56:14 PM

yeah, spiceworks is pretty damn cool, i have to admit.

10/12/2009 9:41:34 PM

We, too, use spiceworks.

10/12/2009 10:07:56 PM

i wonder if there's an NCSU-centric group on there.

10/12/2009 10:33:09 PM