
I have created an ASP.NET application which impersonates the user in order to create an AD group, and then launches a PowerShell process as the user (separately from the impersonation).

For some reason the group creation works fine and shows as success in the Event Viewer, but when it tries to run the PowerShell script, I get the following error:

The user has not been granted the requested logon type at this machine.

The following is the code I am using which is failing:

    using System.Diagnostics;
    using System.Security;
    using System.Management.Automation;   // PSCredential
    SecureString securePassword = new SecureString();
    foreach (char c in model.AdminPassword)
    {
        securePassword.AppendChar(c);
    }
    // Left over from an earlier in-process version of the script call; not used below.
    PSCredential psCredential = new PSCredential("CONTOSO\\" + User.Identity.Name, securePassword);

    // With UserName/Password set, .NET starts the process via CreateProcessWithLogonW, i.e. an
    // interactive (type 2) logon, so the account needs "Allow log on locally" on this machine.
    // model.Name lands inside a quoted argument: validate it, since a quote in it alters the command line.
    ProcessStartInfo info = new ProcessStartInfo(
        "c:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "c:\\PowershellScripts\\EnableDL.ps1 -dlName '" + model.Name + "'");
    info.UseShellExecute = false;   // required for redirection and for UserName/Password
    info.RedirectStandardOutput = true;
    info.RedirectStandardError = true;
    info.RedirectStandardInput = true;
    info.CreateNoWindow = true;
    info.Domain = "CONTOSO.COM";
    info.UserName = User.Identity.Name;
    info.Password = securePassword;
    using (Process ps = Process.Start(info))   // throws Win32Exception (error 1385) when the logon is refused
    {
        ps.StandardInput.Close();              // the script reads nothing; an open stdin can leave it blocked
        string output = ps.StandardOutput.ReadToEnd();
        string errors = ps.StandardError.ReadToEnd();
        ps.WaitForExit();
    }

Is there any way to bypass this error? I would rather not fiddle with the security policy on the server ideally, and this application needs to be used by around 30+ users.

Saintwolf
  • This means the AD account you are trying to use has the LogonWorkstations attribute set. That account can only log onto a specific number of computers. – Matt Aug 25 '14 at 00:35
  • What is the `PSCredential` you create used for? It doesn't look like it's referenced again. – Ann L. Aug 25 '14 at 00:37
  • Oops, that is redundant code now due to the changes in how I execute the code. – Saintwolf Aug 25 '14 at 01:32
  • The logon type when I do an impersonation is 9, but the logon type for the Process object is 2. Is there any way to programmatically change this? – Saintwolf Aug 25 '14 at 01:33
  • The detailed steps are described at https://blog.devoworx.net/2016/01/04/the-user-has-not-been-granted-the-requested-logon-type-at-this-computer/ – Mohamed Jul 19 '17 at 12:15
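The comment above pins the difference down to logon types: the impersonation is logged as type 9, the Process.Start launch as type 2. The PowerShell below is an added example, not code from the question or its comments. It asks LSA directly, through the same LogonUser() call that CreateProcessWithLogonW (and therefore Process.Start with UserName/Password) makes, which logon types this host grants an account, so that a wrong password (error 1326) can be told apart from a right missing on this machine (error 1385) per logon type. Run it on the web server with the credentials the app passes to Process.Start; the `Win32.Logon` type and the `Test-LogonType` function are names chosen for this example.

```powershell
# Added example (not from the original post): probe which logon types this host grants an account.
# Uses the same advapi32!LogonUser call that Process.Start with credentials relies on.
# 'Win32.Logon' and 'Test-LogonType' are names chosen here, not part of the page's code.
Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, IntPtr password,
                                        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
'@

function Test-LogonType {
    param([Parameter(Mandatory)][pscredential]$Credential)   # 'CONTOSO\jsmith' or 'jsmith@contoso.com'

    # Type numbers are the "Logon Type" values shown in Security events 4624/4625.
    # Provider 0 = LOGON32_PROVIDER_DEFAULT, 3 = LOGON32_PROVIDER_WINNT50 (required for type 9).
    $types = @(
        @{ Type = 2; Provider = 0; Needs = 'Allow log on locally (what Process.Start with credentials uses)' }
        @{ Type = 3; Provider = 0; Needs = 'Access this computer from the network' }
        @{ Type = 4; Provider = 0; Needs = 'Log on as a batch job' }
        @{ Type = 5; Provider = 0; Needs = 'Log on as a service' }
        @{ Type = 9; Provider = 3; Needs = 'nothing: NewCredentials never validates the password locally' }
    )
    $nt     = $Credential.GetNetworkCredential()
    $domain = if ($nt.Domain) { $nt.Domain } else { $null }   # NULL domain lets LogonUser parse a UPN
    # Marshal the SecureString to unmanaged memory rather than materialising a managed plaintext string.
    $pwdPtr = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($Credential.Password)
    try {
        foreach ($t in $types) {
            $token = [IntPtr]::Zero
            $ok  = [Win32.Logon]::LogonUser($nt.UserName, $domain, $pwdPtr, $t.Type, $t.Provider, [ref]$token)
            $err = if ($ok) { 0 } else { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
            if ($ok) { [void][Win32.Logon]::CloseHandle($token) }
            [pscustomobject]@{
                LogonType  = $t.Type
                Granted    = $ok
                Win32Error = $err     # 1385 = ERROR_LOGON_TYPE_NOT_GRANTED, 1326 = wrong user name or password
                Message    = if ($ok) { 'OK' } else { ([ComponentModel.Win32Exception]$err).Message }
                Needs      = $t.Needs
            }
        }
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($pwdPtr)   # wipe the unmanaged copy
    }
}

Test-LogonType -Credential (Get-Credential -Message 'Account the web app starts powershell.exe as') |
    Format-Table LogonType, Granted, Win32Error, Message, Needs -AutoSize
```

A row with Granted = False and Win32Error = 1385 for type 2 while type 3 succeeds reproduces the situation in the question: the password is correct and it is this host's User Rights Assignment that refuses the interactive logon. ProcessStartInfo exposes no logon-type setting, so the only choices are to grant the right (preferably to one group rather than 30 accounts) or to start the process some other way, for example from a LogonUser token with a non-interactive logon type, which is outside what this post covers.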

2 Answers


I have managed to fix this myself. You need to go to Start->Administrative Tools->Local Security Policy.

Navigate to Local Policies->User Rights Assignment->Allow Log On Locally, and add the usernames of the accounts/groups which require access.

Saintwolf
  • Hint for others having this problem: If *Local Security Policy* is not listed in the *Administrative Tools* one can also run `gpedit.msc` from the Start menu. If that doesn't work either, *Group Policy Management* is probably not installed on the system. – Alexander Tobias Bockstaller Mar 25 '15 at 15:24
  • I have added my app pool user to both 'Access this computer from the network' and 'Allow log on locally'. I still get the same error in the event log and the app pool crashes. I even tried adding 'Everyone' to those policies. No joy... – Roger Sep 21 '15 at 20:54
  • Hey Roger, did you manage to fix your problem? If not, what does the event viewer say about the logon event? – Saintwolf Nov 24 '15 at 07:35
  • You may find that the Add User or Group and Remove buttons are greyed out, as I did. Marshall's answer on this thread: http://stackoverflow.com/q/9015245 helped me understand that the policy that I was trying to modify must be set up at the domain controller level, and cannot be modified locally. – Jason D. Feb 21 '17 at 17:07

For me this didn't work. I also needed to remove Local User from the "Deny log on through Remote Desktop Services" policy. After that I ran `gpupdate /force`.

Csaba
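Taken together, the two answers above are one procedure: look at the User Rights Assignment entries on the server, add the account or group to "Allow log on locally", remove it from any "Deny ..." entry, and refresh policy. The PowerShell below is an added example and not code from either answer. It does the same work without the GUI: `Get-LogonRightAssignment` exports the effective local assignments with `secedit.exe` and resolves the SIDs to names (covering the deny entries Csaba had to clear), and `Grant-LocalLogonRight` adds one group to a right, which for 30+ users is the sensible shape since "Allow log on locally" is a console logon right on the web server and should go to a single group rather than to individual accounts. Both function names and the group `CONTOSO\DL-Web-Users` are placeholders; run it in an elevated PowerShell on the server.

```powershell
# Added example (not from either answer): audit and script the User Rights Assignment change.
# Requires an elevated PowerShell on the machine that runs the ASP.NET app.
$LogonRights = @{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeNetworkLogonRight               = 'Access this computer from the network'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeBatchLogonRight                 = 'Log on as a batch job'
}

function Get-LogonRightAssignment {
    # Export the local policy to an INF and parse its [Privilege Rights] section.
    # Add /mergedpolicy to the secedit call to see values applied by domain GPOs as well.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        foreach ($line in Get-Content $inf) {
            if ($line -notmatch '^(Se\w+Right)\s*=\s*(.*)$' -or -not $LogonRights.ContainsKey($Matches[1])) { continue }
            $right, $raw = $Matches[1], $Matches[2].Trim()
            $names = foreach ($entry in ($raw -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs as *S-1-...; translate to DOMAIN\Name where the SID resolves
                    try   { ([Security.Principal.SecurityIdentifier]$entry.Substring(1)).Translate([Security.Principal.NTAccount]).Value }
                    catch { $entry.Substring(1) }
                }
                else { $entry }
            }
            [pscustomobject]@{ Right = $right; Policy = $LogonRights[$right]; Raw = $raw; Principals = @($names) }
        }
    }
    finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

function Grant-LocalLogonRight {
    param(
        [Parameter(Mandatory)][string]$Account,              # e.g. 'CONTOSO\DL-Web-Users' (placeholder)
        [string]$Right = 'SeInteractiveLogonRight'           # the "Allow log on locally" right
    )
    $sid = ([Security.Principal.NTAccount]$Account).Translate([Security.Principal.SecurityIdentifier]).Value
    $current = (Get-LogonRightAssignment | Where-Object Right -eq $Right).Raw
    if ($current -and (($current -split ',' | ForEach-Object Trim) -contains "*$sid")) {
        return "$Account already holds $Right"
    }
    # secedit /configure REPLACES the whole list for a right, so re-emit the existing entries plus the new SID.
    $value = if ($current) { "$current,*$sid" } else { "*$sid" }
    $inf = Join-Path $env:TEMP ('grant-{0}.inf' -f [guid]::NewGuid())
    $db  = [IO.Path]::ChangeExtension($inf, '.sdb')
    @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
{0} = {1}
'@ -f $Right, $value | Set-Content -Path $inf -Encoding Unicode
    try {
        & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
        "$Right now: " + ((Get-LogonRightAssignment | Where-Object Right -eq $Right).Principals -join ', ')
    }
    finally { Remove-Item $inf, $db -ErrorAction SilentlyContinue }
}

Get-LogonRightAssignment | Format-Table Policy, Principals -AutoSize
# Grant-LocalLogonRight -Account 'CONTOSO\DL-Web-Users'   # once the 30+ users are members of that group
```

Run the audit first: the account must appear under "Allow log on locally" and must not appear under "Deny log on locally" (or, for the second answer's case, the Remote Desktop deny entry), because a deny entry wins over an allow. If the Add User or Group button is greyed out in the GUI, as Jason D.'s comment describes, the right is being set by a domain GPO; `secedit /configure` will still write the local value, but the next policy refresh, including the `gpupdate /force` from the second answer, reapplies the domain value, so the change has to be made in that GPO instead.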