Active Directory User Workstation restriction
We have an odd problem that deals with how a user account is set up in Active Directory and its ability to access our SharePoint site.

When we have users in Active Directory who have no restrictions as to what workstations they can use, they have no problem accessing SharePoint. When we restrict a user in Active Directory to only be able to log on to certain workstations, they are no longer able to access SharePoint; instead they get an Error 500 Internal Server Error. This happens even if I add the SharePoint server to the list of workstations that they are allowed to log on to.

For example, if I have UserA and do a 'net user UserA /domain', the field "Workstations Allowed:" says "All" and the user has no problems logging into SharePoint. I now have RestrictedUserB, and do a 'net user RestrictedUserB /domain'; the field "Workstations Allowed:" says "workstation1,workstation2,sharepoint" but the user is never able to actually log on to SharePoint. Instead they get "HTTP 500 Internal Server Error". If I change RestrictedUserB to allow it to log on to all workstations, then it is able to use SharePoint.

The problem is that we do not want to allow RestrictedUserB to be able to log on to all the workstations. We want them to only be allowed to use a specified set of workstations and SharePoint.

What should the Workstations Allowed entry in Active Directory be set to in order to allow the users to log into SharePoint as well as the specified set of workstations only?
April 24th, 2009 8:42pm

Is this a single-server SharePoint installation? (And which SharePoint is it?) Does the browser being used matter?
WSS FAQ sites: WSS 2.0: http://wssv2faq.mindsharp.com WSS 3.0 and MOSS 2007: http://wssv3faq.mindsharp.com
Total list of WSS 3.0 and MOSS 2007 Books (including foreign language titles) http://wssv3faq.mindsharp.com/Lists/v3%20WSS%20FAQ/V%20Books.aspx
April 24th, 2009 8:50pm

My bad, I had the server information in my original post before I re-wrote it.
1. The server is a single server, simply called Sharepoint, running MOSS 2007.
2. In IE I get the HTTP 500 Internal Server Error; in Firefox I would get "The Local Security Authority cannot be contacted" error, with the restricted account.
I apologize for leaving out the first part.
April 24th, 2009 9:00pm

Does the single server also host the database? Sounds like it is trying to authenticate to something other than just the server. How does the email server handle things?
SharePoint Developer | Administrator | Evangelist -- Twitter -- Blog - http://nextconnect.blogspot.com
April 24th, 2009 10:40pm

Try removing the saved passwords in IE; this will make the user enter their credentials again. This should solve their login problem.
HTH!
MCTS - MOSS 2007 Configuring, .NET 2.0 | SharePoint Architect | Evangelist | http://ramakrishnaraja.blogspot.com/
April 25th, 2009 12:22am

Hi, I agree with Mike Oryszak: if the database is not hosted on the same machine as SharePoint, please add the database server in the Log On To list. If your requirement is to restrict certain users from accessing certain machines, you could assign a Group Policy using Deny log on locally (http://technet.microsoft.com/en-us/library/cc728210.aspx).
Hope the information can be helpful.
-lambert
Lambert Qin | Microsoft Online Support Engineer
How to ask a question in the forum (http://support.microsoft.com/kb/555375)
Posting is provided "AS IS" with no warranties, and confers no rights.
April 27th, 2009 2:39pm

The SharePoint system uses a separate server for its SQL database. So what I did was set up the restricted accounts to have the following entries in the workstation list: Sharepoint, SQL, DomainController1, DomainController2, Workstation1, Workstation2. This list includes the two workstations that the account is restricted to, as well as the SharePoint server and its associated SQL server, and the two domain controllers that are in the domain. They still get the HTTP 500 Internal Server Error when trying to use SharePoint.

While I understand the idea behind using a policy to deny logon locally for these restricted accounts, it seems like a backwards answer to me. We have multiple policies for a multitude of systems. It would take a good deal of time to go through and modify these policies to set up the 'deny logon locally' for the few accounts we want the restrictions set on. At the same time, deny logon locally will not prevent them from logging on to other web resources; for example, if we put up a second SharePoint site then deny logon locally would not prevent them from using both SharePoint sites, when all we want to do is have the accounts restricted to the two workstations and the one SharePoint site.

I'd much rather have it figured out as to why setting the Workstations field in Active Directory to anything other than "All" prevents access to SharePoint.
April 27th, 2009 3:46pm

Hi, based on my research, Integrated Windows Authentication passes information about the machine account that the browser is connecting from along with the user account. Both pieces of information are checked against logon restrictions. If either account is restricted, the user is denied access to the resource. A workaround is to manually add the NetBIOS names of all the computers from which the user may log on in the Log On To option. You must also add the NetBIOS names of the computers that are not part of the domain if necessary. For example, if UserA browses the SharePoint site on MachineA, and the SharePoint site is hosted on ServerA, then you should add MachineA and ServerA in the Log On To option.

I suggest you use Group Policy to restrict certain users from accessing certain machines. It is a flexible solution, especially if you have a large number of users. Deny logon locally will not prevent them from logging on to other web resources; however, the users will not get access to the SharePoint site until you grant them the proper permissions.
Hope the information can be helpful.
-lambert
Lambert Qin | Microsoft Online Support Engineer
How to ask a question in the forum (http://support.microsoft.com/kb/555375)
Posting is provided "AS IS" with no warranties, and confers no rights.
April 28th, 2009 1:02pm
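The Log On To configuration that Lambert's reply describes, as an added PowerShell example that is not from the thread: it builds the allowed list from the machines the user browses from, the web front end the browser authenticates to with IWA and the back-end server the web tier contacts on the user's behalf, writes that list to the user's userWorkstations attribute (the field `net user` reports as "Workstations allowed"), and reads it back to confirm nothing was dropped. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later RSAT; on the Server 2003 domain in this thread the equivalent `net user /workstations:` form is shown in the trailing comment) and uses the names RestrictedUserB, workstation1, workstation2, sharepoint and sql from the thread purely as illustration.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module
# and an account permitted to modify the target user. Host names are illustrative.
Import-Module ActiveDirectory

$User         = 'RestrictedUserB'
$Clients      = @('workstation1', 'workstation2')  # machines the user logs on to and browses from
$WebFrontEnds = @('sharepoint')                    # IIS host the browser authenticates to (IWA)
$BackEnds     = @('sql')                           # servers the web tier contacts for the user

function ConvertTo-NetBiosName {
    # userWorkstations holds NetBIOS names, not FQDNs: drop any DNS suffix,
    # trim, upper-case (so duplicates compare equal) and discard empty entries.
    param([string[]]$Name)
    foreach ($n in $Name) {
        $short = ([string]$n -split '\.')[0].Trim().ToUpperInvariant()
        if ($short) { $short }
    }
}

function Set-RestrictedLogonWorkstations {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [string[]]$Clients,
        [string[]]$WebFrontEnds,
        [string[]]$BackEnds
    )
    $allowed = @(ConvertTo-NetBiosName ($Clients + $WebFrontEnds + $BackEnds) | Sort-Object -Unique)
    # An empty userWorkstations means "All", i.e. no restriction at all, so never write one by accident.
    if ($allowed.Count -eq 0) { throw 'Refusing to write an empty list: that would remove the restriction.' }
    # The attribute is a single comma-separated string; Set-ADUser exposes it as -LogonWorkstations.
    Set-ADUser -Identity $Identity -LogonWorkstations ($allowed -join ',')
    return $allowed
}

function Test-RestrictedLogonWorkstations {
    # Read the attribute back and report any expected host that is missing from it.
    param([Parameter(Mandatory=$true)][string]$Identity, [string[]]$Expected)
    $raw     = (Get-ADUser -Identity $Identity -Properties LogonWorkstations).LogonWorkstations
    $have    = @(ConvertTo-NetBiosName ([string]$raw -split ','))
    $missing = @(ConvertTo-NetBiosName $Expected | Where-Object { $have -notcontains $_ })
    [pscustomobject]@{ Identity = $Identity; Allowed = $have; Missing = $missing; Ok = ($missing.Count -eq 0) }
}

$allowed = Set-RestrictedLogonWorkstations -Identity $User -Clients $Clients -WebFrontEnds $WebFrontEnds -BackEnds $BackEnds
Test-RestrictedLogonWorkstations -Identity $User -Expected $allowed | Format-List

# The same change with the tool used in the thread (net user accepts at most eight names here):
#   net user RestrictedUserB /workstations:workstation1,workstation2,sharepoint,sql /domain
#   net user RestrictedUserB /domain      <- "Workstations allowed" should list exactly those names
```

The attribute takes NetBIOS names only, so the helper strips DNS suffixes before writing; as Lambert notes, any non-domain client the user browses from has to be listed by its NetBIOS name too, or the machine-account half of the check fails even though the user account is allowed.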

That makes sense, since we do not use Integrated Windows Authentication for our Outlook Web Access (OWA) systems; they have to use the form-based method.
Thank you for the information.
May 6th, 2009 3:14pm

I'm having the same issue with Outlook Web Access, and I found this thread while doing a search for the following: "outlook web access is denied when user account is restricted to specific computers". We have a Windows Server 2003 Active Directory environment and Exchange Server 2003. I am trying to set up an e-mail account for a new sales representative who will only be accessing his e-mail through OWA. We do not want him to have the ability to log onto any of our workstations locally. I tried setting up his account using the "Log On To" restrictions and adding the server that hosts Exchange to the list of computers he is authorized to log on to. However, that does not work: when trying to access OWA we get the logon prompt followed by a "page cannot be displayed" error after entering the username and password. This happens as long as there are any restrictions listed. In order to get OWA to work for him I have to leave his account unrestricted. Can anyone help me resolve this situation?

I realize this is a SharePoint thread but I could not find anything closely matching my issue in any other area. Any help would be greatly appreciated.
Thanks in advance,
Jean
June 2nd, 2009 8:03pm

(Quoting Lambert Qin's reply of April 28th above.)

Hi, how can we do this restriction with Group Policy? The restriction is that users can only log on to certain computers (their own computers). Could you please explain more?
January 24th, 2011 1:25am
