Anonymous_User Absent Member.
Absent Member.
7643 views

"You have attempted to login during a restricted login time"

Hi,

I have used ZCM 10.0.1 DLU policy for Windows XP SP2, but some time after
these users have been created locally (not volatile users), I get the
following message from Windows during login:

"Windows Security Message
You have attempted to login during a restricted login time.
Contact your System Administrator or try again later."

Login to eDirectory with the Novell Client is OK; it is the local created
Windows user that are denied login to Windows itself.
If I delete the local Windows user, and then login again - everything is
fine for a few boots....

Environment:
Client: Windows XP SP2 with all Windows Updates, ZEN Agent 10.0.1, Novell
Client 4.91 SP4 + latest nwgina1 patch.
Server: ZCM 10.0.1 on SLES 10 SP1 back end.

--
Any suggestions?

Regards,
Tor Harald




Labels (2)
0 Likes
48 Replies
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Tor,

not in an AD domain by any chance?

--

Shaun Pond


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

No - eDirectory 8.7.3.9 on OES Linux v1 🙂

Tor Harald


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Has novell been able to repliate this issue yet?

It seems to be spreading like wild fire.

And after fighting with it for weeks the only thing I know more is that it
happens on login. Becuase I created a bundle to set the restriction to
/time:all on logout, device boot and user login.

But from the point the client hit's enter on the novell client it gets set.

Typically happens after the user account has been created.

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Matthew,

no, can't duplicate it yet - all the tests done by folks in this forum
show that it actually happens on logout (if you logout,t hen login as
say administrator, and do a "net user [myuser]" you can see the time's
changed - can you try that?

--

Shaun Pond


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

I am quite sure this happens at login from my testing.

With the machine sitting at the login prompt. I can remote desktop to the
pc and login as admin. Do a net user to see the time is all. Then the
user tries to login from the prompt and they get a time restriction.

I've also tested with a zenowrks bundle. Where, I run the
net user /time:all at boot and at user login and at user logout.

So, in my testing the bundle works in that if a user is locked out. I can
force the bundle to run. If I rdp into the box and check the restriction
it has been cleared. But as soon as they login they are time restricted
again.

I've also determined this to be user specific. So, if I go to a machine
where the user has this problem, I can login 30 to 40 times as another
user. But, after I delete the local problem user and thier profile
they will be able to login 2 maybe 3 times before the
restriction is set.

Furthermore, if that user goes to a new pc, the problem follows them. But
here's what I just figured out, if I rename the user in edirectory then
the user is fixed. I can then login to the same machine 20 times without
a problem. If I rename them back they are broken in 2 to 3 logins. I
orginally though maybe the user had some bad attirbutes or somthing but
then you would expect this issue even with a rename.

So, now I'm wondering if there is a way to clear the zenworks identity
store or cache for specific users. There has got to be somthing in the db
that is corrupt for these users. I looked through the sybase db but
couldn't really find a user table.



On Fri, 16 Nov 2007 08:23:26 +0000, Shaun Pond wrote:

> Matthew,
>
> no, can't duplicate it yet - all the tests done by folks in this forum
> show that it actually happens on logout (if you logout,t hen login as
> say administrator, and do a "net user [myuser]" you can see the time's
> changed - can you try that?


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Matthew,

very interesting, so it appears we have this happening at login for
you, and logout for some others, there's not much stored for users,
'cos that's what it uses the user source for... So something specific
for those users - if you've got one where it still happens, is it
possible to take a packet trace of the LDAP traffic to the user source?

--

Shaun Pond


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Sure, I had already done several in teh testing below becuase everything I
could see made it look the same as good users. I'll have to save out a
copy.

The reason I ask about deleteing the user cache is becuase in my testing I
actually deleted the troubled user....created a new user with the same
name in a new container but left the user very plain....no rights, groups
or anything.

That new user had the same problem. But I noticed in the logs that zen
associated that user with the same GUID as the bad user. I guess it can't
tell the user is a new object and not the same object. So thats why I
wanted to try and clear that so the user would get a new guid and
potentially not have the issue.

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Hi!

Did some more trouble shooting, and here is what i found:

1. Users created manually in the local SAM (in XP user manager) are never
experiencing this problem
2. As sooon as manually created users are touched by DLU, they will have
this problem (eg: logging in to eDir/Novell Client with the same username
that was created manually on XP).
3. All DLU created users are having this problem.

Logged event:
Event ID: 530 Type: Failure Audit
Description: Logon Failure: Reason: Account logon time restriction
violation

If the user restricted logon time is cleared with:
net user <username> /time:all
....the user can log in ONE time with DLU. The next login (DLU og workstation
only), logon time restrictions have been put back on again, and the user is
unable to log in again...

Conclusion: As I see it, this is caused by malfunctioning DLU code in ZCM
10.0.1.
One note: I have only tested this on Windows XP Pro SP2 Norwegian. English
localized XP may not experience the same problem....

Anyone else seen this or having a fix?
Is Novell aware of this problem? (It's been said in here that they are aware
of some DLU issues....)

Regards,
Tor Harald Lothe


"Tor Harald Lothe" <torharald@fake.com> skrev i melding
news:VhITi.18248$NG7.17392@kovat.provo.novell.com...
> Hi,
>
> I have used ZCM 10.0.1 DLU policy for Windows XP SP2, but some time after
> these users have been created locally (not volatile users), I get the
> following message from Windows during login:
>
> "Windows Security Message
> You have attempted to login during a restricted login time.
> Contact your System Administrator or try again later."
>
> Login to eDirectory with the Novell Client is OK; it is the local created
> Windows user that are denied login to Windows itself.
> If I delete the local Windows user, and then login again - everything is
> fine for a few boots....
>
> Environment:
> Client: Windows XP SP2 with all Windows Updates, ZEN Agent 10.0.1, Novell
> Client 4.91 SP4 + latest nwgina1 patch.
> Server: ZCM 10.0.1 on SLES 10 SP1 back end.
>
> --
> Any suggestions?
>
> Regards,
> Tor Harald
>
>
>
>



0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Tor,

There is no bug logged for this at the moment - I will try to test this
- can you check what the hours are set to /before/ you run the net user
command? You can do
net user [username]
to find this out

--

Shaun Pond


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Allowed login times:
Sunday 1:00 AM - 2:00 AM
Sunday 3:00 AM - 7:00 AM
Sunday 8:00 AM - 10:00 AM
Sunday 2:00 PM - 3:00 PM
Monday 3:00 AM - 4:00 AM

I just wish my own working hours were like this 🙂


"Shaun Pond" <shaun@false.email> skrev i melding
news:VA.0000bf7b.00c44906@false.email...
> Tor,
>
> There is no bug logged for this at the moment - I will try to test this
> - can you check what the hours are set to /before/ you run the net user
> command? You can do
> net user [username]
> to find this out
>
> --
>
> Shaun Pond
>
>



0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Tor,

does your policy have "manage existing user" checked?

--

Shaun Pond


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Yes - I do.

Tor Harald Lothe

"Shaun Pond" <shaun@false.email> skrev i melding
news:VA.0000bf83.014b7303@false.email...
> Tor,
>
> does your policy have "manage existing user" checked?
>
> --
>
> Shaun Pond
>
>



0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Also, if I use volatile user, this is off course not a problem....
I also have a feeling that the login time restrictions is set by DLU code
BEFORE the user is logged in...

I'll dig some logs out for you if you want....

Regards,
Tor Harald Lothe


"Shaun Pond" <shaun@false.email> skrev i melding
news:VA.0000bf7b.00c44906@false.email...
> Tor,
>
> There is no bug logged for this at the moment - I will try to test this
> - can you check what the hours are set to /before/ you run the net user
> command? You can do
> net user [username]
> to find this out
>
> --
>
> Shaun Pond
>
>



0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: "You have attempted to login during a restricted login time"

Tor,

> I'll dig some logs out for you if you want....
>

yes please - I'm just reinstalling my server (I was testing upgrading
from 10.0.0.0 and it got stuck so I'm reinstalling as 10.0.1.0 and that
takes a little while 🙂

--

Shaun Pond


0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.