Active Directory Problems

FlowMotion
I'm gonna try and keep this brief. I have two key problems that are keeping my network down.

I manage a small 10-machine LAN used exclusively for educational purposes. I was forced to recreate our system due to unforeseen problems and lack of a good back-up (thank you, previous network admin). I believed I had everything just as it was before, but now I'm faced with a couple of complications. I'm quite new to this whole network admin thing, so forgive any improper terminology that I may use.

I have Active Directory all set up, I have my policies in the proper places, and I have the policies configured just as they were before our network went down. I understand that without knowing my exact configuration it will be hard to advise me on a solution, but hopefully you can help. When I add a user to one of the groups I have created and attempt to log on to the account on a client, it feeds me some line about "local policies don't allow me to logon interactively". Any ideas? 'Cause I sure don't have any.

Problem number two occurs when I assign my users a profile (I'm using roaming mandatory profiles). When I enter the proper path to the profile, it uses the profile specified but negates the policies I have in place... Any ideas? I'm hurtin' here..

Thanks in advance to whomever can offer a solution.
Commented:
SYMPTOMS
When you add a group, such as, Domain Users, Everyone, or Authenticated Users, to the "Deny Logon Locally" user right, users that are members of those groups can no longer log on to certain computers. When a user tries to log on to the computer, the user may receive the following error message:

The Local policy of this system does not permit you to log on interactively.
The administrator of your system may find this behavior to be unexpected.
CAUSE
This behavior may occur because the user (such as, the administrator, who is a member of a group that has been explicitly granted the "Logon Locally" user right) may also be a member of the preceding groups. Any of the preceding groups may deny users access to the computer in which case a policy that sets the denial of user rights takes precedence over a policy that enables user rights.
RESOLUTION
To work around this behavior, you can access the computer that is denying a user access by means of an administrative account situated on another client. Then you can use the Ntrights.exe program from the Microsoft Windows 2000 Resource Kit to remove the user from the "Deny Logon Locally" user right.

To perform this procedure, use the following (case-sensitive) syntax:
ntrights -m \\computer -u group or user to remove -r SeDenyInteractiveLogonRight
If you try to use the user account you created to log on to the domain controller, you can't do that. By default, a DC won't allow users to log in other than administrators.

It might also be due to your policy which denies logon locally. Check out GPEDIT.MSC for that policy.
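An added check for the first problem (this is example code, not from the thread): it parses the [Privilege Rights] section of a local policy exported with `secedit /export /cfg` and shows why a user who sits in a granted group is still refused when one of their other groups is in "Deny log on locally". The INF text and the CS\Students group are constructed for the example; the S-1-5-32-5xx, S-1-1-0 and S-1-5-11 values are the standard well-known SIDs for Administrators, Users, Everyone and Authenticated Users.

```python
from typing import Dict, Set, Tuple

# Constructed sample in the shape of `secedit /export /cfg out.inf` output:
# Administrators, Users and CS\Students are granted interactive logon, but
# Authenticated Users (S-1-5-11) is denied it.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,CS\\Students
SeDenyInteractiveLogonRight = *S-1-5-11
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """Return {privilege: set(principals)} from the [Privilege Rights] section.
    secedit writes SIDs with a leading '*' and account names as plain text;
    both are normalised (no '*', upper case) so they compare reliably."""
    rights: Dict[str, Set[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*").upper()
                                for p in value.split(",") if p.strip()}
    return rights


def check_interactive_logon(rights: Dict[str, Set[str]], token: Set[str]) -> Tuple[bool, str]:
    """Decide whether a logon token (user SID plus every group it carries) may
    log on locally. A deny assignment always beats a grant, which is why a user
    in an explicitly granted group can still get the 'does not permit you to
    log on interactively' message."""
    tok = {t.lstrip("*").upper() for t in token}
    denied = tok & rights.get("SeDenyInteractiveLogonRight", set())
    if denied:
        return False, "denied via SeDenyInteractiveLogonRight: " + ", ".join(sorted(denied))
    granted = tok & rights.get("SeInteractiveLogonRight", set())
    if granted:
        return True, "granted via SeInteractiveLogonRight: " + ", ".join(sorted(granted))
    return False, "no matching SeInteractiveLogonRight entry"
```

Run it against a real export by reading the .inf file into `parse_privilege_rights` and passing the SIDs from `whoami /groups` as the token.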
This should help you with your second problem. I had the same problem and this did the trick.

1. Log in with some user to one of your workstations and fix the local profile .... (this will be the roaming mandatory profile).
2. Don't specify a UNC path in that user's AD profile entry.
3. Log off.
4. Log in as an administrator to the same workstation and right click "My Computer", then Advanced, and you should see "User Profiles" .... click Settings .... (this is on an XP machine).
5. Find the profile you created in step 1 and click "Copy To".
6. In the "Copy profile to" box enter the UNC path to where the roaming profile will be stored.
7. **THIS IS IMPORTANT** In "Permitted to use" click Change and enter Everyone, or every user that will need to use this profile ..... (this is your problem).
8. After the copying is completed, change the ntuser.dat on the server to ntuser.man and you're done.

Now all you need to do is add the UNC path to every user that needs to get that profile.
Hope this helps.

Author

Commented:
nothin doin' fellas... if anything else comes to mind, please let me know.

Author

Commented:
I've resolved the two previous issues via my former network admin.

I have a new problem, one that's a little less complicated, and if anyone can resolve it, I'll still give 'em the points.

When I try and add my clients to my newly configured domain, I get an error of this type:

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5513
Date:            9/2/2003
Time:            11:06:29 AM
User:            N/A
Computer:      SERVER
Description:
The computer PC28 tried to connect to the server \\SERVER using the trust relationship established by the CS domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.


This is what's in the event viewer (duh) and is not the message that's displayed on the client. The msg displayed on the client is entirely too long and doesn't really help anyway. This is apparently my last obstacle in deploying this network. Someone please help!

Author

Commented:
Thanks for trying to help, peoples.. I'm just gonna submit this existing problem as a separate question.
