Fixing “The user has not been granted the requested logon type at this computer” for SharePoint 2013 AutoSPInstaller

We are deploying SharePoint 2013 using the AutoSPInstaller PowerShell scripts in our Development environment and were getting the following issue:

Start-Process : This command cannot be run due to the error: Logon failure: the user has not been granted the requested logon at this computer.

We are using service accounts to manage security for our SharePoint 2013 applications and services, and the configuration for AutoSPInstaller includes which service accounts are applied to the various SharePoint components.

You can test a particular service account using the following PowerShell script:

Start-Process -FilePath cmd.exe -ArgumentList "/C" -LoadUserProfile -NoNewWindow -Credential Get-Credential

which will prompt you for the account credentials you want to test and then try and create a command prompt with the users profile.

The issue we found was as follows:
1. The Local Security Policy setting for Allow Log On Locally included Administrators, Users and Backup Operators. The service accounts are members of the Users group which should have allowed the required permissions.
2. The Local Security Policy setting for Deny log on locally was set to a specific security group, of which the service account was a member.

The Deny log on locally setting overrides the Allow log on locally setting. Once we removed the service account from the Deny log on locally setting, the AutoSPInstaller process worked perfectly!

Advertisements

Tags:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: