Solved

Local Logon Policy and Active Directory

Posted on 2004-03-29
Last Modified: 2012-05-04
I'm having problems with my Active Directory setup when creating new users.  They aren't granted local logon rights.  I have tried setting up a group policy for the organizational unit where the users are created, and defining the Log on Locally key, but I'm still not having any luck.  Am I missing something or is there another way to go about this?
Question by:porkVT
5 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10704649
Is there a domain GPO in place?
 
LVL 2

Expert Comment

by:sqwasi
ID: 10705058
I am guessing that you are trying to allow users to log onto this server locally.  By default when you create a user it is assigned to the users group.  With only those permissions they will not have the right to log on locally to the server.  This is so that users can't log in and screw up your production server or gain access that they shouldn't have.

If you want them to gain access you are on the right track.  Once you create the group policy for the OU you need to make sure that the GP is applied to a group that the users are in.  In AD users and computers, right click the OU and click properties.  Select the Group Policy Tab and then click on the group policy that you created.  Click properties and select the security tab.  Here you will see all of the groups that can edit the policy and the groups that the policy applies to.  If you want this policy to apply to specific users then you need to define it here.  Normally authenticated users is applied by default.

Also, by default AD creates a domain default policy at the top of all the OUs.  You can find this in AD users and computers by going to the properties of your domain name.  That policy could be overriding your policy set lower.  Any higher domain policy has rights over the ones below unless you set it to block policy inheritance.  Usually if you check those higher policies and set them to not defined then the ones below that are set specifically will work ok.

Also once you are done changing the group policies you need to refresh the policies if you don't want to wait for it to do it automatically.  Go to a command prompt.  Type:  "secedit /refreshpolicy machine_policy"  without the quotes and then hit enter.  It should say that it has been initiated.  Then also type "secedit /refreshpolicy user_policy" and hit enter.  That should update the changes.  I hope this helps some.
 

Author Comment

by:porkVT
ID: 10705661
Thanks for the help.  Couple things in there I didn't have set up correctly, but I've done them and am still having problems.

I have an OU called Accounts, and in this OU, I have a group called Test Group.  I created a user, "temp", in the Accounts OU and assigned him to Test Group.  I then set a group policy for the Accounts OU, in which I defined the "Log on Locally" key for Test Group.  Next I added Test Group under the security tab of the GP and selected Allow next to Apply Group Policy.  I ran the 2 secedit commands successfully, but I am still not able to log onto the server locally.

I checked my default group policy, and the "log on locally" key is not defined, so it shouldn't be causing inheritance problems.

Anything else I might be missing?
 
LVL 2

Accepted Solution

by:
sqwasi earned 125 total points
ID: 10705857
I just remembered where you are probably having the problem.  You are changing the setting in the wrong location.  If you wanted to grant "log on locally" rights onto all of the workstations in the domain then you would be changing the domain policy in the AD Users and computers.  However you want to change the security for the local domain controller.  Go to Start --> Programs --> Administrative Tools --> Domain Controller Security Policy.  In there is where you want to set the log on locally rights.  You can take them out of the settings in AD users and computers and set them in the "Domain Controller Security Policy".  That should work for you.
 

Author Comment

by:porkVT
ID: 10705955
Awesome, that did it.  Thanks again.
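One way to confirm the accepted answer's point on the domain controller itself, added here as an example and not part of the original thread: export the effective user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check who holds `SeInteractiveLogonRight` ("Log on Locally"). The INF text, the domain SID, the group SIDs and the function names below are constructed for illustration.

```python
import configparser

# Constructed sample of `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# output. Real exports are UTF-16 files; the domain SID below is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1107
[Version]
signature="$CHICAGO$"
Revision=1
"""

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
TEST_GROUP = DOMAIN + "-1105"  # hypothetical SID for "Test Group"
BLOCKED = DOMAIN + "-1107"     # hypothetical group listed under the deny right


def privilege_holders(inf_text):
    """Map each right in [Privilege Rights] to its list of SIDs/account names."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of the Se* names
    parser.read_string(inf_text)
    if not parser.has_section("Privilege Rights"):
        return {}
    return {
        right: [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        for right, value in parser.items("Privilege Rights")
    }


def can_log_on_locally(rights, token_sids):
    """True if a SID in the token is allowed and none is denied (deny wins)."""
    sids = set(token_sids)
    allowed = set(rights.get("SeInteractiveLogonRight", []))
    denied = set(rights.get("SeDenyInteractiveLogonRight", []))
    return bool(sids & allowed) and not (sids & denied)


if __name__ == "__main__":
    rights = privilege_holders(SAMPLE_INF)
    print("Log on Locally:", rights["SeInteractiveLogonRight"])
    print("Test Group member:", can_log_on_locally(rights, [TEST_GROUP]))
```

If Test Group's SID is missing from the export taken on the domain controller after the policy refresh, the setting made on the users' OU never reached the computer that enforces the right.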
