dashman


Problem logging into Windows 2000 domain from Win2K professional workstation

I have a Windows 2000 server set up as the domain controller running AD. I have 7 workstations running Windows 98se and three workstations running Windows 2000 Professional. I have no problem logging into the domain from any of the Windows 98 workstations, but cannot log into the domain from the Windows 2000 prof workstations unless the user has administrative rights on the server. If the user logs into the local workstation he can then see the server and I can map drives and access the internet through the firewall and router. However, if that same user tries to log into the domain, I get the error "the local policy of this system does not permit you to logon interactively". I have searched everywhere for an answer and cannot find a solution. I have checked in the domain controller security policy and the domain security policy and there are no entries that "deny logon locally" and I have added this user in "allow logon locally" and this does not solve the problem. I really do not think that I am trying to logon locally, just log into the domain. What is really baffling me is that the problem is limited to the Windows 2000 prof machines and not the Windows 98 ones. I could use some help.
dew_associates

Hi Dashman,

This shouldn't be difficult.

1. Connect to the problem computer with a Net use x: \\ProblemComputerName\C$ <Password> /u:Administrator

2. Navigate to the %SystemRoot%\Security\Database folder.

3. Rename Secedit.sdb to Secedit.old_sdb.

4. Copy an operational Secedit.sdb from a Windows 2000 platform of the same edition (Server to Server or Professional to Professional).

5. Shut down and restart the problem computer.

NOTE: NTRights can be used to add the Log On Locally right remotely.

Or, log on to another client with Domain Admin rights and use Ntrights to remove the deny right:

ntrights -m \\computer -u <group or user to remove> -r SeDenyInteractiveLogonRight

Dennis
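
An added example, not part of the original thread: the "log on locally" and "deny logon locally" assignments on a workstation can be compared offline by parsing the [Privilege Rights] section of a security template exported from it (for example with secedit /export). The sample template, the token SIDs and the function names are constructed for illustration; group membership is not resolved, so the caller supplies the SIDs the account would carry.

```python
# Added example: evaluate interactive-logon rights from an exported
# security template. SAMPLE_INF is constructed, not taken from the thread.

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Exports list SIDs with a leading '*'; unresolved entries are plain names.
            members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights

def interactive_logon_verdict(rights, token_sids):
    """token_sids: SIDs (user plus groups) the account would carry at logon."""
    token = {s.upper() for s in token_sids}
    denied = rights.get("SeDenyInteractiveLogonRight", set()) & token
    allowed = rights.get("SeInteractiveLogonRight", set()) & token
    if denied:
        return "denied", sorted(denied)      # a deny right overrides any allow
    if allowed:
        return "allowed", sorted(allowed)
    return "not granted", []                 # no allow entry matches the token

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    # Constructed tokens: a local administrator, then an ordinary user.
    print(interactive_logon_verdict(rights, ["S-1-5-32-544", "S-1-5-32-545"]))
    print(interactive_logon_verdict(rights, ["S-1-5-32-545", "S-1-1-0"]))
```

In the constructed sample only the built-in Administrators SID (S-1-5-32-544) holds SeInteractiveLogonRight, so a token carrying only Users (S-1-5-32-545) and Everyone (S-1-1-0) comes back as "not granted".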
dashman

ASKER

Do I do these steps on the workstation(s) that cannot log onto the domain controller or on the domain controller?
I saw this as one possible solution but in an attempt to understand the problem I cannot figure out why the win98 machines are not having the same problem.
Has a computer security account been established? Only the Win NT (and above) systems require this. Win 98 doesn't. Since I don't have AD running here I cannot do any more than point you to your AD system, computer management.
ASKER CERTIFIED SOLUTION
MPimentel

You can do this either by logging into computers able to see the network and/or logon as long as they can be pinged and reached. Otherwise, do it locally.
Hi Dashman,
Did you check on the Domain Controller security policy under user rights and assignment; ACCESS THIS COMPUTER FROM THE NETWORK, if you have given right to authenticated users or to the Everyone group?