Solved

Local Logon Policy and Active Directory

Posted on 2004-03-29
Last Modified: 2012-05-04
I'm having problems with my Active Directory setup when creating new users.  They aren't granted local logon rights.  I have tried setting up a group policy for the organizational unit where the users are created, and defining the Log on Locally key, but I'm still not having any luck.  Am I missing something or is there another way to go about this?
Question by:porkVT
5 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10704649
Is there a domain GPO in place?
0
 
LVL 2

Expert Comment

by:sqwasi
ID: 10705058
I am guessing that you are trying to allow users to log onto this server locally.  By default when you create a user it is assigned to the users group.  With only those permissions they will not have the right to log on locally to the server.  This is so that users can't log in and screw up your production server or gain access that they shouldn't have.

If you want them to gain access you are on the right track.  Once you create the group policy for the OU you need to make sure that the GP is applied to a group that the users are in.  In AD users and computers, right click the OU and click properties.  Select the Group Policy tab and then click on the group policy that you created.  Click properties and select the security tab.  Here you will see all of the groups that can edit the policy and the groups that the policy applies to.  If you want this policy to apply to specific users then you need to define it here.  Normally authenticated users is applied by default.

Also, by default AD creates a domain default policy at the top of all the OUs.  You can find this in AD users and computers by going to the properties of your domain name.  That policy could be overriding your policy set lower.  Any higher domain policy has rights over the ones below unless you set it to block policy inheritance.  Usually if you check those higher policies and set them to not defined then the ones below that are set specifically will work ok.

Also, once you are done changing the group policies you need to refresh the policies if you don't want to wait for it to do it automatically.  Go to a command prompt.  Type:  "secedit /refreshpolicy machine_policy"  without the quotes and then hit enter.  It should say that it has been initiated.  Then also type "secedit /refreshpolicy user_policy" and hit enter.  That should update the changes.  I hope this helps some.
0
 

Author Comment

by:porkVT
ID: 10705661
Thanks for the help.  Couple things in there I didn't have set up correctly, but I've done them and am still having problems.

I have an OU called Accounts, and in this OU, I have a group called Test Group.  I created a user, "temp", in the Accounts OU and assigned him to Test Group.  I then set a group policy for the Accounts OU, in which I defined the "Log on Locally" key for Test Group.  Next I added Test Group under the security tab of the GP and selected Allow next to Apply Group Policy.  I ran the 2 secedit commands successfully, but I am still not able to log onto the server locally.

I checked my default group policy, and the "log on locally" key is not defined, so it shouldn't be causing inheritance problems.

Anything else I might be missing?
0
 
LVL 2

Accepted Solution

by:sqwasi (earned 125 total points)
ID: 10705857
I just remembered where you are probably having the problem.  You are changing the setting in the wrong location.  If you wanted to grant "log on locally" rights onto all of the workstations in the domain then you would be changing the domain policy in the AD Users and computers.  However you want to change the security for the local domain controller.  Go to Start --> Programs --> Administrative Tools --> Domain Controller Security Policy.  In there is where you want to set the log on locally rights.  You can take them out of the settings in AD users and computers and set them in the "Domain Controller Security Policy".  That should work for you.
0
 

Author Comment

by:porkVT
ID: 10705955
Awesome, that did it.  Thanks again.
0
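
Added example (not part of the original thread): one way to confirm which accounts actually hold the "Log on locally" right (`SeInteractiveLogonRight`) on the server after the accepted fix, by parsing a `secedit /export` of the user rights. The export path in the comment and the sample export text are constructed for illustration.

```powershell
# On the server, produce the export first (path is a placeholder):
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# then pass (Get-Content C:\Temp\rights.inf) to the function below.
function Get-LocalLogonHolders {
    param([string[]]$InfLines)

    # The right is stored as: SeInteractiveLogonRight = *S-1-5-32-544,name,...
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # right is not defined in this export

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; try to resolve them to names.
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
            [pscustomobject]@{ Sid = $sid; Name = $name }
        } else {
            # Accounts that could not be mapped to a SID are written by name.
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

# Constructed sample export so the function can be tried offline.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split '\r?\n'

# Expect Administrators (544), Backup Operators (551), Server Operators (549).
Get-LocalLogonHolders -InfLines $sample | Format-Table -AutoSize
```

If the group you granted the right to (Test Group in this thread) is missing from the output on the domain controller, the setting has not reached that machine's policy. On Windows Server 2003 and later, `gpupdate` replaces the `secedit /refreshpolicy` commands used above.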
