Local Logon Policy and Active Directory

porkVT asked
Last Modified: 2012-05-04
I'm having problems with my Active Directory setup when creating new users. They aren't granted local logon rights. I have tried setting up a group policy for the organizational unit where the users are created, and defining the Log on Locally key, but I'm still not having any luck. Am I missing something or is there another way to go about this?

Gareth Gudger, Solution Architect

Commented:
Is there a domain GPO in place?

Commented:
I am guessing that you are trying to allow users to log onto this server locally. By default when you create a user it is assigned to the users group. With only those permissions they will not have the right to log on locally to the server. This is so that users can't log in and screw up your production server or gain access that they shouldn't have.

If you want them to gain access you are on the right track. Once you create the group policy for the OU you need to make sure that the GP is applied to a group that the users are in. In AD Users and Computers, right click the OU and click Properties. Select the Group Policy tab and then click on the group policy that you created. Click Properties and select the Security tab. Here you will see all of the groups that can edit the policy and the groups that the policy applies to. If you want this policy to apply to specific users then you need to define it here. Normally Authenticated Users is applied by default.

Also, by default AD creates a domain default policy at the top of all the OUs. You can find this in AD Users and Computers by going to the properties of your domain name. That policy could be overriding your policy set lower. Any higher domain policy has rights over the ones below unless you set it to block policy inheritance. Usually if you check those higher policies and set them to not defined then the ones below that are set specifically will work OK.

Also, once you are done changing the group policies you need to refresh the policies if you don't want to wait for it to do it automatically. Go to a command prompt. Type: "secedit /refreshpolicy machine_policy" without the quotes and then hit Enter. It should say that it has been initiated. Then also type "secedit /refreshpolicy user_policy" and hit Enter. That should update the changes. I hope this helps some.

Author

Commented:
Thanks for the help. Couple things in there I didn't have set up correctly, but I've done them and am still having problems.

I have an OU called Accounts, and in this OU, I have a group called Test Group. I created a user, "temp", in the Accounts OU and assigned him to Test Group. I then set a group policy for the Accounts OU, in which I defined the "Log on Locally" key for Test Group. Next I added Test Group under the Security tab of the GP and selected Allow next to Apply Group Policy. I ran the 2 secedit commands successfully, but I am still not able to log onto the server locally.

I checked my default group policy, and the "log on locally" key is not defined, so it shouldn't be causing inheritance problems.

Anything else I might be missing?

Author

Commented:
Awesome, that did it.  Thanks again.
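
An added example, not part of the original thread: a PowerShell check, run elevated on the server itself after the policy refresh, that lists which accounts the machine actually grants or denies "Log on locally". It relies on `secedit /export` writing the right under its internal names `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight`; the function name `Get-LocalLogonRight` and the temp file name are hypothetical.

```powershell
# Added example (not from the thread): show the effective "Log on locally"
# assignment on THIS machine, resolving SIDs to account names.
function Get-LocalLogonRight {
    param(
        # Optional path to an existing secedit export; otherwise export now.
        [string]$InfPath
    )
    if (-not $InfPath) {
        $InfPath = Join-Path $env:TEMP 'user_rights.inf'   # hypothetical file name
        secedit /export /areas USER_RIGHTS /cfg $InfPath | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit code $LASTEXITCODE); run elevated."
        }
    }
    $lines = Get-Content -Path $InfPath
    foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if (-not $line) {
            [pscustomobject]@{ Right = $right; Principal = '(not assigned)' }
            continue
        }
        $entries = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            $name = $entry
            if ($entry.StartsWith('*S-')) {
                # secedit prefixes SIDs with '*'; translate them to DOMAIN\name.
                $sidText = $entry.Substring(1)
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidText
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = "$sidText (unresolved)"
                }
            }
            [pscustomobject]@{ Right = $right; Principal = $name }
        }
    }
}

# Full list, then a filter for the group named in the thread.
Get-LocalLogonRight | Format-Table -AutoSize
Get-LocalLogonRight | Where-Object { $_.Principal -like '*Test Group*' }
```

If the group appears under neither right, the GPO that defines it is not reaching this computer; a match under `SeDenyInteractiveLogonRight` takes precedence over any allow entry.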