0

We have nominative user and admin accounts. Admin accounts are in the "domain admins" group.

When some of us log onto some servers via RDP with the server's IP, we get the error "A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support." It works when using the server's hostname.

No issue with the built-in Domain "Administrator" account and for several of our colleagues.

DNS forward and reverse are OK.

It's probably not a GPO since it works with the same login, from the same computer just by rdp-ing to the hostname.

Any help is appreciated!

Thanks in advance!

2 Answers

3

Possibly, the accounts which have the problem are members of the domain group "Protected Users". That group does not allow using NTLM for authentication, and when using the IP, NTLM is the only possible way, while when using the name, Kerberos is attempted. Verify the group members.

  • Yep, also could be some kind of NTLM blocking at the network level. Interestingly enough, Microsoft added the capability to map an IP address to a host (SPN) to enable using IP addresses in some scenarios for Kerberos. I wouldn't recommend it but it would work in this scenario if name resolution isn't an option. – Greg Askew Jun 17 '22 at 18:45
  • Thanks Bernd, this is the correct answer and helped me a lot! – Kevin Dehlinger Jun 21 '22 at 12:26
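
One way to run the membership check suggested in the answer above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the account names in `$affected` are hypothetical placeholders for the accounts that fail when connecting by IP.

```powershell
# Added example: report which of the failing accounts are in Protected Users.
Import-Module ActiveDirectory

# Hypothetical sample input: the admin accounts that fail when using the IP.
$affected = @('adm-alice', 'adm-bob', 'adm-carol')

# Find Protected Users by its well-known RID (525) instead of by name,
# so the lookup does not depend on the group's display name.
$domainSid = (Get-ADDomain).DomainSID.Value
$protected = Get-ADGroup -Identity "$domainSid-525"

# -Recursive flattens nested groups and returns only the leaf members.
$members = Get-ADGroupMember -Identity $protected -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
$memberSids = @($members | ForEach-Object { $_.SID.Value })

$report = foreach ($name in $affected) {
    $user = Get-ADUser -Identity $name -Properties MemberOf
    [pscustomobject]@{
        Account          = $user.SamAccountName
        # True if the account is a member directly or through a nested group.
        InProtectedUsers = $memberSids -contains $user.SID.Value
        # True only if the account is listed directly in the group.
        DirectMember     = $user.MemberOf -contains $protected.DistinguishedName
    }
}

$report | Format-Table -AutoSize
```

Accounts reported with `InProtectedUsers` set to True cannot authenticate with NTLM, which matches the failure when connecting by IP and the success when connecting by hostname.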
-1

The error message can appear if the user account that you are using has no password set. Therefore, in order to fix the issue, you will have to set up a password and then see if it fixes the issue. In case it does, you will have to enter a password every time you want to sign in.

Diana