Solved

Only Domain Admins can logon to domain computers interactively....help!

Posted on 2004-04-08
12
711 Views
Last Modified: 2013-12-04
I have read every topic there is about this.  I understand completely Windows security and how the Group Policy works.  I just can't seem to make domain users about to interactively logon to domain computers.  Actually, up until yesterday it was not a problem.  We have a problem with the server (Windows Server 2003 Enterprise Edition) and had to repair from the source disc.  After that I can't get domain users logged in unless I also make them members of the Domain Admins group on the server.  I have verify that there are no "Deny local logins" and that it has not persisted to the domain computers.  They SHOULD be able to log in...but can't.  I am so frustrated.  What can I do???
0
Comment
Question by:kjboughton
  • 5
  • 4
  • 3
12 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10789215
Have you also checked the "Log on Locally"'s as well as the Deny's?

Also as a test try rejoining one of the computers to the domain and then try logging in again.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10789861
Anything in the domain controllers eventlog about it?

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 

Author Comment

by:kjboughton
ID: 10790787
Actually, just noticed that there is an event log entry stating that gpt.ini is missing for the expected location.  Next entry (also an error entry) states that group policy is being aborted.....how do I get this file back?  I don't mind having rebuild the entire group policy...I just need to get the network back to normal.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10791132
What are the actual event IDs themselves?
0
 

Author Comment

by:kjboughton
ID: 10795319
Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1058
Date:            04/09/04
Time:            2:38:23 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=bainet,DC=local. The file must be present at the location <\\bainet.local\sysvol\bainet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1030
Date:            04/09/04
Time:            2:38:23 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10795328
0
Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

 

Author Comment

by:kjboughton
ID: 10795434
Still no help.  For some reason they have to be members of the Administrator group to logon interactively....
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10800500
What's in the eventlog of your domain controller (bainet.local) at

Date:          04/09/04
Time:          2:38:23 AM
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 250 total points
ID: 10800502
Maybe try to remove the computer from your domain (into workgroup), and the back again into the domain !
0
 

Author Comment

by:kjboughton
ID: 10802297
I don't know why...sounds like an MS bug...but this worked!  THANKS!
0
 

Author Comment

by:kjboughton
ID: 10802305
Also, I had to log on to the system as the local administrator and delete all cached roaming profiles before I could re-establish the correct roaming profile.  Once all of this was done everyone was once again allowed to log on to the system interactively.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10805396
:o) Glad I could help you - thank you for the points
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now