Re: Logging in interactively

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/29/04


Date: Fri, 29 Oct 2004 04:20:08 GMT

Are those the local or effective settings? They need to show as the
effective settings. Also make sure that there are no entries in effective
settings for deny logon locally. If it still does not work, try adding
everyone to the logon locally user right.

If the computers are in the default domain container, modify the Domain
Security Policy so that users/administrators/everyone are in the logon
locally user right and add just the guest account to deny logon locally.
Then run "secedit /refreshpolicy machine_policy /enforce" on the domain
controller and reboot a domain workstation to see if that helps.

In Active Directory Users and Computers, look in the domain container by
right-clicking the domain name and select Group Policy. If there is more
than one GPO present, the one at the top of the list takes precedence and
you should check all of them to see if they are configured to restrict user
rights. In a default installation only the default domain policy is present.
If the computers are not in the default container you will also need to
check any Group Policy Objects in the Organizational Unit they are in.

Since apparently you can logon, you can use the gpresult support tool to see
what computer policies are applied to the computer and the last time the
policy was applied. The support tools are on the install cd in the
support/tools folder where you need to run the setup program there to
install the set of support tools. I would also run netdiag on one of your
domain computers to see if any problems are reported such as dc discovery,
dns, kerberos, trust/secure channel.

Review the link below on Active Directory DNS to make sure your dns is set
up correctly for the domain. If it is not, problems can ensue such as
changes to domain Group Policy not propagating properly to domain computers
and users. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382

"marco" <marco@discussions.microsoft.com> wrote in message
news:55C151E0-0CBC-48BC-8DCB-B36142BCB636@microsoft.com...
> This is happening on windows 2000 workstation client machines... I did
> check the local security policy on each client workstation and the 'users'
> group (of which domain users are a part) is one of several groups allowed
> to log in locally. Is there another policy I'm overlooking?
>
> "Steven L Umbach" wrote:
>
>> By default users can logon to all domain computers except domain
>> controllers. When you check the Local Security Policy be sure to look at
>> the effective setting for a user right. The deny logon locally user right
>> will override the allow logon locally user right so be sure to check that
>> which by default does not have any entries. For domain controllers, the
>> Domain Controller Security Policy would have to be modified as those user
>> rights are defined there and will override Local Security Policy for
>> domain controllers. If you want to allow logon access to one domain
>> controller, it would have to be moved to an OU within the domain
>> controller container and a GPO configured for that OU to have logon
>> locally configured to your needs. All other Domain Controller Security
>> Policy would still apply to the OU in the domain controller container.
>> --- Steve
>>
>>
>> "marco" <marco@discussions.microsoft.com> wrote in message
>> news:E4AC5B84-0AFA-438B-8062-EE3986751330@microsoft.com...
>> > I just set up a windows 2000 server network. After installing AD, I
>> > created the necessary accounts. These accounts only belong to the
>> > 'Domain Users' group. When I test these accounts and the scripts on
>> > different PCs (which have been added to the domain), I receive the
>> > message "The local policy prevents this account from logging in
>> > interactively". I checked the local policy settings as well as the
>> > domain policy settings and everything seems fine. Am I missing
>> > something? Please help!
>> >
>> > Mark
>>
>>
>>
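
The deny-overrides-allow rule discussed in this thread, as an added example that is not part of the original posts: it reads the [Privilege Rights] section of a security template (.inf) and reports whether a set of group SIDs may log on locally. The template text, the domain SID and the function names are constructed for illustration; SeInteractiveLogonRight and SeDenyInteractiveLogonRight are the template names of the "log on locally" and "deny logon locally" user rights.

```python
# Constructed sample of effective user-rights settings in .inf form.
# S-1-5-32-544/545/546/551 = Administrators / Users / Guests / Backup Operators.
# The S-1-5-21-... value is a made-up domain SID; RID 513 = Domain Users.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-513
"""

ALLOW = "SeInteractiveLogonRight"
DENY = "SeDenyInteractiveLogonRight"

# SIDs a domain user on a member workstation would carry (constructed):
# Everyone, Authenticated Users, local Users, Domain Users.
DOMAIN_USER_TOKEN = [
    "S-1-1-0", "S-1-5-11", "S-1-5-32-545",
    "S-1-5-21-1111111111-2222222222-3333333333-513",
]

def parse_rights(inf_text):
    """Return {right name: set of principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*").upper()
                                    for p in value.split(",") if p.strip()}
    return rights

def can_logon_locally(rights, token_sids):
    """Apply the rule from the thread: any deny match overrides any allow."""
    token = {s.upper() for s in token_sids}
    denied_by = sorted(token & rights.get(DENY, set()))
    if denied_by:
        return False, "denied via " + ", ".join(denied_by)
    allowed_by = sorted(token & rights.get(ALLOW, set()))
    if allowed_by:
        return True, "allowed via " + ", ".join(allowed_by)
    return False, "no SID in token holds " + ALLOW

if __name__ == "__main__":
    print(can_logon_locally(parse_rights(SAMPLE_INF), DOMAIN_USER_TOKEN))
```

With the sample above the local Users group is in the allow list, yet the result is a refusal, because Domain Users also appears in the deny list.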


