Solved

Local Logon Policy and Active Directory

Posted on 2004-03-29
Last Modified: 2012-05-04
I'm having problems with my Active Directory setup when creating new users.  They aren't granted local logon rights.  I have tried setting up a group policy for the organizational unit where the users are created, and defining the Log on Locally key, but I'm still not having any luck.  Am I missing something or is there another way to go about this?
0
Question by:porkVT
5 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10704649
Is there a domain GPO in place?
0
 
LVL 2

Expert Comment

by:sqwasi
ID: 10705058
I am guessing that you are trying to allow users to log onto this server locally.  By default when you create a user it is assigned to the users group.  With only those permissions they will not have the right to log on locally to the server.  This is so that users can't log in and screw up your production server or gain access that they shouldn't have.

If you want them to gain access you are on the right track.  Once you create the group policy for the OU you need to make sure that the GP is applied to a group that the users are in.  In AD users and computers, right click the OU and click properties.  Select the Group Policy Tab and then click on the group policy that you created.  Click properties and select the security tab.  Here you will see all of the groups that can edit the policy and the groups that the policy applies to.  If you want this policy to apply to specific users then you need to define it here.  Normally authenticated users is applied by default.

Also, by default AD creates a domain default policy at the top of all the OUs.  You can find this in AD users and computers by going to the properties of your domain name.  That policy could be overriding your policy set lower.  Any higher domain policy has rights over the ones below unless you set it to block policy inheritance.  Usually if you check those higher policies and set them to not defined then the ones below that are set specifically will work ok.

Also once you are done changing the group policies you need to refresh the policies if you don't want to wait for it to do it automatically.  Go to a command prompt.  Type:  "secedit /refreshpolicy machine_policy"  without the quotes and then hit enter.  It should say that it has been initiated.  Then also type "secedit /refreshpolicy user_policy" and hit enter.  That should update the changes.  I hope this helps some.
0
 

Author Comment

by:porkVT
ID: 10705661
Thanks for the help.  Couple things in there I didn't have set up correctly, but I've done them and am still having problems.

I have an OU called Accounts, and in this OU, I have a group called Test Group.  I created a user, "temp", in the Accounts OU and assigned him to Test Group.  I then set a group policy for the Accounts OU, in which I defined the "Log on Locally" key for Test Group.  Next I added Test Group under the security tab of the GP and selected Allow next to Apply Group Policy.  I ran the 2 secedit commands successfully, but I am still not able to log onto the server locally.

I checked my default group policy, and the "log on locally" key is not defined, so it shouldn't be causing inheritance problems.

Anything else I might be missing?
0
 
LVL 2

Accepted Solution

by:
sqwasi earned 125 total points
ID: 10705857
I just remembered where you are probably having the problem.  You are changing the setting in the wrong location.  If you wanted to grant "log on locally" rights onto all of the workstations in the domain then you would be changing the domain policy in the AD Users and computers.  However you want to change the security for the local domain controller.  Go to Start --> Programs --> Administrative Tools --> Domain Controller Security Policy.  In there is where you want to set the log on locally rights.  You can take them out of the settings in AD users and computers and set them in the "Domain Controller Security Policy".  That should work for you.
0
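
One way to confirm that the change described in the accepted solution actually reached the server, as an added example that is not part of the original thread: export the user rights in effect on the machine with `secedit /export` and list who holds `SeInteractiveLogonRight`, the constant name of "Log on locally". It assumes an elevated PowerShell session on the domain controller; the function name is hypothetical and `Test Group` is the group named in the question.

```powershell
function Get-UserRightHolders {
    param(
        # Constant name of the user right; the default is "Log on locally"
        [string]$Right = 'SeInteractiveLogonRight'
    )
    $inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the security settings on this machine
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

        # The export contains lines such as: SeInteractiveLogonRight = *S-1-5-32-544,...
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
        if (-not $line) { return }          # the right is not assigned to anyone

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; resolve them to names where possible
                $sid = $entry.TrimStart('*')
                try {
                    $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $name = '(unresolved)' }
                [pscustomobject]@{ Right = $Right; Account = $name; Sid = $sid }
            } else {
                [pscustomobject]@{ Right = $Right; Account = $entry; Sid = $null }
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$group = 'Test Group'                       # group from the question
$allow = @(Get-UserRightHolders)
# A "Deny log on locally" entry takes precedence over an allow entry, so list both
$deny  = @(Get-UserRightHolders -Right 'SeDenyInteractiveLogonRight')
$allow + $deny | Format-Table -AutoSize

$pattern = "(^|\\)$([regex]::Escape($group))$"
if ($allow.Account -match $pattern) { "$group holds the local logon right on this machine" }
else { "$group is NOT listed; check the policy that applies to this machine" }
if ($deny.Account -match $pattern) { "$group is also listed under the deny right" }
```

On Windows XP, Server 2003 and later, `gpupdate /force` is the replacement for the `secedit /refreshpolicy` commands quoted in the thread; run it before checking.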
 

Author Comment

by:porkVT
ID: 10705955
Awesome, that did it.  Thanks again.
0