The user has not been granted the requested logon type at this machine

2

19

I have created an ASP.Net application which impersonates the user in order to create an AD group, and then launches a PowerShell process as the user (separately from the impersonation).

For some reason the group creation works fine and shows as success in the Event Viewer, but when it tries to run the PowerShell script, I get the following error:

The user has not been granted the requested logon type at this machine.

The following is the code I am using which is failing:

    // Copy the submitted password into a SecureString.
    SecureString securePassword = new SecureString();
    foreach (char c in model.AdminPassword)
    {
        securePassword.AppendChar(c);
    }
    PSCredential psCredential = new PSCredential("CONTOSO\\" + User.Identity.Name, securePassword);

    // Describe the powershell.exe child process; model.Name is placed into the command line as typed.
    ProcessStartInfo info = new ProcessStartInfo("c:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "c:\\PowershellScripts\\EnableDL.ps1 -dlName '" + model.Name + "'");
    info.UseShellExecute = false;          // required when redirecting streams or supplying credentials
    info.RedirectStandardOutput = true;
    info.RedirectStandardError = true;
    info.RedirectStandardInput = true;
    info.CreateNoWindow = true;
    // Supplying credentials makes Process.Start perform a new logon for this account.
    info.Domain = "CONTOSO.COM";
    info.UserName = User.Identity.Name;
    info.Password = securePassword;

Is there any way to bypass this error? I would rather not fiddle with the security policy on the server ideally, and this application needs to be used by around 30+ users.

Wallacewallach answered 25/8, 2014 at 0:33 Comment(5)
This means the AD account you are trying to use has the LogonWorkstations attribute set. That account can only log onto a specific number of computers. - Stat
What is the PSCredential you create used for? It doesn't look like it's referenced again. - Horrid
Oops, that is redundant code now due to the changes in how I execute the code. - Wallacewallach
The logon type when I do an impersonation is 9, but the logon type for the Process object is 2. Is there any way to programmatically change this? - Wallacewallach
The detail steps mentioned at blog.devoworx.net/2016/01/04/… - Subjacent
24

I have managed to fix this myself. You need to go to Start->Administrative Tools->Local Security Policy.

Navigate to Local Policies->User Rights Assignment->Allow Log On Locally, and add the usernames of the accounts/groups which require access.

Wallacewallach answered 25/8, 2014 at 1:50 Comment(6)
Hint for others having this problem: If Local Security Policy is not listed in the Administrative Tools one can also run gpedit.msc from the Start menu. If that doesn't work either, Group Policy Management is probably not installed on the system. - Davita
I have added my app pool user to both 'access this computer from the network' and 'allow log on locally'. I still get the same error in the event log and the app pool crashes. I even tried adding 'everyone' to those policies. No joy... - Centime
Hey Roger, did you manage to fix your problem? If not, what does the event viewer say about the logon event? - Wallacewallach
You may find that the Add User or Group and Remove buttons are greyed out, as I did. Marshall's answer on this thread: https://mcmap.net/q/246761/-scheduling-a-task-in-windows-server-2008-r2 helped me understand that the policy that I was trying to modify must be set up at the domain controller level, and cannot be modified locally. - Melinite
The detail steps mentioned at blog.devoworx.net/2016/01/04/… - Subjacent
Also important to ensure the username is not explicitly blocked in the "Deny log on locally" policy in the same area. - Auric
3

For me this didn't work. I also needed to remove Local User from the "Deny log on through Remote Desktop Services" policy. After that I ran gpupdate /force

Remex answered 2/6, 2022 at 9:26 Comment(0)
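
To see which accounts and groups hold the logon rights named in the answers above without clicking through each policy, the following added example (not code from the thread) exports the user-rights area with secedit and resolves each SID to a name. It assumes an elevated PowerShell 5 or later prompt; the function names are hypothetical.

```powershell
# Added example: list the holders of the logon rights discussed in this thread.
$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeNetworkLogonRight               = 'Access this computer from the network'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Resolve-Entry([string]$Entry) {
    # secedit writes principals as *SID, or as a plain account name
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = [System.Security.Principal.SecurityIdentifier]::new($Entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # SID no longer maps to an account: keep the raw value
}

function Get-LogonRightHolders {
    $inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    $assigned = @{}
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE); is the prompt elevated?" }
        foreach ($line in Get-Content -LiteralPath $inf) {
            # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $assigned[$Matches[1]] = @($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ })
            }
        }
    } finally {
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    }
    foreach ($name in $rights.Keys) {
        $holders = @()
        if ($assigned.ContainsKey($name)) {
            $holders = @($assigned[$name] | ForEach-Object { Resolve-Entry $_ })
        }
        [pscustomobject]@{ Policy = $rights[$name]; Right = $name; Holders = $holders }
    }
}

Get-LogonRightHolders | Format-Table -AutoSize -Wrap
```

A deny entry takes precedence over an allow entry, so check both rows for the account and for every group it belongs to.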
