Solved

local policy of this system does not allow you to log on interactively

Posted on 2004-04-14
10
572 Views
Last Modified: 2010-04-19
This is a new DC running SBS 2003.  I can only log on as the administrator.  All other attempts, including attempts by other Domain Admins are answered with the message: "The local policy of this system does not allow you to log on interactively"

I tried disabling the "Deny Logon Locally" group policy - no luck.  What do I do next?
0
Comment
Question by:specialguest
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 10824525
Log in as Admin.
Open the Default Domain CONTROLLER policy (note "controller")
Under the Computer Config>Windows Settings>Security Settings>Local Policies>User Rights Assignment - in the Deny Logon Locally policy element remove all the groups shown except {servername}\ASP.NET (if it exists).
Close group policy.

From the command prompt:

secedit /refreshpolicy machine_policy /enforce

Advise.


0
 
LVL 5

Expert Comment

by:MarkusKolbeck
ID: 10827113
You also need to check the "Allow log on locally" policy.
Confirm that the Security Groups and Users are listed.
Do this on the "Default Domain Controllers Policy", available via the Group Policy Objects snap-in in the mmc.

Afterwards run GPUPDATE, not secedit, as Microsoft changed it in 2003. (I guess in the SBS Edition as well ;-)

You can confirm your settings running rsop.msc (Start - run).

By the way: Your "other Domain Admins" are trying to log on "really locally" (physically in front of the DC unsing that keyboard) or via RDP from a different PC?
In the latter case you would have to change RDP permissions (system properties - remote - select remote users).

Markus
0
 
LVL 1

Expert Comment

by:dspent
ID: 10827868
Try going to Local Security Policy -

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

And checking the interactive logon settings. Also as stated before DO NOT configure Deny log on locally and you could also NOT configure log on locally as well.  Do this  for the Local security policy and then also do the same thing for the Default Domain Controller Policy.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 51

Expert Comment

by:Netman66
ID: 10827972
Local Security Policy is a subset of Default Domain Controller Policy - either one can be used.
0
 
LVL 5

Assisted Solution

by:MarkusKolbeck
MarkusKolbeck earned 250 total points
ID: 10828242
Netman66:
No, its not ;-)
The "Local Security Policy" is part of the local Group Policy individual to each W2K, XP and W2K3 System.
This one will be overwritten by the Domain Policies, if configured.

It won't help much if he makes changes there but only in the "Default Domain Controllers Policy".

Configuring both Policies would be a waste of time and time is precious ;-)

Agree?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 10833175
If you open Local Security Policy it displays the Local Security entires for the machine.

If you open Default Domain Controller Policy the Local Security entries are the same.  The first snap in is focused on just the Local Security options.

0
 

Author Comment

by:specialguest
ID: 10845009
Follow-up:

These ideas did not solve the problem.

To clarify (for MarkusKolbeck) - I am trying to log on physically to the DC as another person.  I would like to be able to use this as a workstation (for various reasons).

Any other ideas about where to look and what might be limiting my ability to log on locally (interactively)?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 250 total points
ID: 10847230
By default all but built-in Admin accounts and Domain Admin (type) accounts are not allowed to log into the console.

You will need to manually add the user or group of users to the "Allow logon locally" group policy element.

It can be found here:

Default Domain Controller Policy>Local Policies>User Rights Assignment>Allow logon locally.

0
 

Author Comment

by:specialguest
ID: 11095034
None of these comments solved my problem, but they helped point me in the right direction.  After doing what they recommended, I also had to explicitly add the user rights in several places and I'm still not sure which of the changes I made were the critical ones.  I guess I'll split the points - thanks for your help.
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question