When "Checking Password" on a Windows AD account you receive the following error: Show Gathering the check details for managed_accountaccount on AD-DC... Checking the password for managed_accountaccount on AD-DC(Windows System) using winad... Error: Win32::OLE(0.1601) error 0x8007052e: "Logon failure: unknown user name or bad password" in METHOD/PROPERTYGET "OpenDsObject" - Logon failure: unknown user name or bad password. The stored password for managed_accountaccount DOES NOT MATCH the managed_account system! Processed the password check for managed_account on AD-DC in 0.640625 seconds or Gathering the check details for managed_account on dc.yourdomain.com... Checking the password for managed_account on dc.yourdomain.com(Windows System) using winad... Checking account object, connecting as yourdomain.com\administrator... Done (0X8007052E) Logon failure: unknown user name or bad password. The stored password for managed_account DOES NOT MATCH the managed_account system! [MM/DD/YYYY HH:MM:SS] Processed the password check for managed_account on dc.yourdomain.com in 6.7246094 seconds You are able to reset the password on the account using the functional account. "Current Status" shows "Test Result: Mismatch" for the Password Check Results. When checking the Security Event logs on the DC (Domain Controller.), you may see a Event 4625 "An account to log on" with the following failure information. "Failure Information: Logon Types are logged in the Logon Type field of logon events for every successful and failed logon. These events appear in the Windows event log and help in analyzing the various logon types. The following logon types are supported in the Windows environment which is a total of nine different types of logons. Kindly refer to some other guides I have written: How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, how to uninstall your current version of MBAM and run setup
again, how to clear, enable or disable TPM in Windows via the BIOS or UEFI, how to enable Bitlocker Pre-Boot Authentication via the
Group Policy, and BitLocker Drive Encryption architecture and implementation types on Windows Possible causeThis can happen if the desktop policy titled Access this computer from the network has been modified from the default values and that the users and groups listed in this policy no longer contain the user or group entries for the particular user logging on. This normally won’t happen as the default values for this policy include “Users” and “Everyone” access groups. Possible SolutionTo resolve this issue, edit the Access this computer from the network local policy on the desktop to restore the “Users” access group or add one or more user and group values to provide the required access.
right-click on Access this computer from the network>Properties>Add Users or Groups, add everyone if not added before. Alternatively this can be configured using Group Policy.These configuration settings are found under Computer Configuration > Windows Settings> Security Settings > Local Policies > User Rights Assignment.
Administrative Tools>Local Security Settings>Local Policies>User Rights Assignment, right-click on Access this computer from the network>Properties>Add Users or Groups, add everyone if not added before. What could be the error?This issue can occur if the user does not have the appropriate console logon rights. It is a domain controller, and there are admin policy restrictions on the server. The user account was a regular account and as such could not run the application. I switched to a different server to reproduce this and was able to perform the operation which failed previously. I hope you found this blog post helpful. If you have any questions, please let me know in the comment session. How to fix logon failure the user has not been granted the requested logon type at this computer?To resolve this issue, edit the Access this computer from the network local policy on the desktop to restore the "Users" access group or add one or more user and group values to provide the required access. Alternatively this can be configured using Group Policy.
What has not been granted the requested logon type?To solve “The user has not been granted the requested logon type at this computer” error, you should make sure that the login user and all groups that belong to are allowed to log on locally to this computer.
What is logon failure?A user sees the error “Logon failure: the user has not been granted the requested logon type at this computer” when attempting to log in through Duo Authentication for Windows Logon (RDP). Alternatively, a user may see the error "To sign in remotely, you need the right to sign in through Remote Desktop Services.
What is Advapi logon process?The logon process is marked as "advapi", which means that the logon was a Web-based logon through the IIS web server and the advapi process. If you are not hosting IIS websites, this might mean that the computer is infected.
|