Re: Logging in interactively

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/29/04 

Date: Fri, 29 Oct 2004 03:18:15 GMT

By default users can logon to all domain computers except domain
controllers. When you check the Local Security Policy be sure to look at the
effective setting for a user right. The deny logon locally user right will
override the allow logon locally user right so be sure to check that which
by default does not have any entries. For domain controllers, the Domain
Controller Security Policy would have to be modified as those user rights
are defined there and will override Local Security Policy for domain
controllers. If you want to allow logon access to one domain controller, it
would have to be moved to an OU within the domain controller container and a
GPO configured for that OU to have logon locally configured to your needs.
All other Domain Controller Security Policy would still apply to the OU in
the domain controller container. --- Steve

"marco" <marco@discussions.microsoft.com> wrote in message
news:E4AC5B84-0AFA-438B-8062-EE3986751330@microsoft.com...
>I just setup a windows 2000 server network. After installing AD, I created
> the necessary accounts. These accounts only belong to the 'Domain Users'
> group. When I test these accounts and the scripts on different PC's
> (Which
> have been added to the domain), I receive the message "The local policy
> prevents this account from logging in interactively). I checked the local
> policy settings as well as the domain policy settings and everything seems
> fine. And I missing something? Please help!
>
> Mark

Relevant Pages

  • Re: Windows 2000 users accounts get locked out
    ... > These failed logons ... >>account logon events enabled in Domain Security Policy ... > and Domain Controller ...
    (microsoft.public.win2000.security)
  • Re: Windows 2000 users accounts get locked out
    ... be "Domain Security Policy" in a default installation - it will NOT work if you do it ... Have you found any failed logon event ID's on any domain computer? ... Have you had a chance to run netdiag and dcdiag on the domain controller and netdiag ...
    (microsoft.public.win2000.security)
  • Re: IIS FTP Logon
    ... > I have installed my W2k Server as domain controler with Active> Directory. ... and I found out that I have to add them to Logon> Locally. ... > Administrative Tools> Local Security Policy and i have added the> ftpusers group to logon locally, as user_a, and b are member of that> group. ...
    (microsoft.public.inetserver.iis.security)
  • Re: How to find out what computer a user logged in on.
    ... > For a domain your best bet is to enable auditing of logon events in Domain ... > Controller Security Policy and for domain computers enable auditing of logon ... > events in Domain Security Policy. ... If you have at least one Windows 2003 domain controller you ...
    (microsoft.public.win2000.security)
  • Re: logon interactively
    ... Check the user right for logon locally on the computer where you can not ... logon via Local Security Policy to and make sure that the ... For domain controllers, check Domain ... Controller Security Policy. ...
    (microsoft.public.windows.server.security)