porkVT

asked on

Local Logon Policy and Active Directory

I'm having problems with my Active Directory setup when creating new users. They aren't granted local logon rights. I have tried setting up a group policy for the organizational unit where the users are created, and defining the Log on Locally key, but I'm still not having any luck. Am I missing something or is there another way to go about this?
Gareth Gudger

Is there a domain GPO in place?
sqwasi

I am guessing that you are trying to allow users to log onto this server locally. By default when you create a user it is assigned to the users group. With only those permissions they will not have the right to log on locally to the server. This is so that users can't log in and screw up your production server or gain access that they shouldn't have.

If you want them to gain access you are on the right track. Once you create the group policy for the OU you need to make sure that the GP is applied to a group that the users are in. In AD Users and Computers, right click the OU and click Properties. Select the Group Policy tab and then click on the group policy that you created. Click Properties and select the Security tab. Here you will see all of the groups that can edit the policy and the groups that the policy applies to. If you want this policy to apply to specific users then you need to define it here. Normally authenticated users is applied by default.

Also, by default AD creates a domain default policy at the top of all the OUs. You can find this in AD Users and Computers by going to the properties of your domain name. That policy could be overriding your policy set lower. Any higher domain policy has rights over the ones below unless you set it to block policy inheritance. Usually if you check those higher policies and set them to not defined then the ones below that are set specifically will work OK.

Also, once you are done changing the group policies you need to refresh the policies if you don't want to wait for it to do it automatically. Go to a command prompt. Type: "secedit /refreshpolicy machine_policy" without the quotes and then hit Enter. It should say that it has been initiated. Then also type "secedit /refreshpolicy user_policy" and hit Enter. That should update the changes. I hope this helps some.

ASKER

Thanks for the help. A couple of things in there I didn't have set up correctly, but I've done them and am still having problems.

I have an OU called Accounts, and in this OU, I have a group called Test Group. I created a user, "temp", in the Accounts OU and assigned him to Test Group. I then set a group policy for the Accounts OU, in which I defined the "Log on Locally" key for Test Group. Next I added Test Group under the Security tab of the GP and selected Allow next to Apply Group Policy. I ran the 2 secedit commands successfully, but I am still not able to log onto the server locally.

I checked my default group policy, and the "log on locally" key is not defined, so it shouldn't be causing inheritance problems.

Anything else I might be missing?
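One way to check whether the "Log on locally" right actually reached the server after the policy refresh discussed above is to export the machine's effective user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and inspect the result. The following is an added example, not part of the original thread: the sample export, the `EXAMPLE\Test Group` name, the user SID and the function names are constructed for illustration.

```python
# Added example: evaluate "Log on locally" from a secedit USER_RIGHTS export.
import configparser

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"; deny wins over allow

# Constructed sample of: secedit /export /cfg rights.inf /areas USER_RIGHTS
# (a real export is normally UTF-16; open it with encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,EXAMPLE\\Test Group
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right name: set of principals}; SIDs lose their leading '*'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {p.strip().lstrip("*").lower()
                            for p in value.split(",") if p.strip()}
    return rights

def local_logon_status(rights, principals):
    """principals: every SID or name in the user's token (user plus groups)."""
    ids = {p.lower() for p in principals}
    if ids & rights.get(DENY, set()):
        return "denied"
    if ids & rights.get(ALLOW, set()):
        return "allowed"
    return "not granted"

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    token = ["S-1-5-21-1111-2222-3333-1105", "EXAMPLE\\Test Group"]  # constructed
    print(local_logon_status(rights, token))
```

If the group is missing from `SeInteractiveLogonRight` in the export taken on the server, the policy setting has not been applied to that machine, regardless of what the GPO editor shows.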
ASKER CERTIFIED SOLUTION
sqwasi

This solution is only available to members.

ASKER

Awesome, that did it.  Thanks again.