specialguest
asked on
local policy of this system does not allow you to log on interactively
This is a new DC running SBS 2003. I can only log on as the administrator. All other attempts, including attempts by other Domain Admins are answered with the message: "The local policy of this system does not allow you to log on interactively"
I tried disabling the "Deny Logon Locally" group policy - no luck. What do I do next?
You also need to check the "Allow log on locally" policy.
Confirm that the Security Groups and Users are listed.
Do this on the "Default Domain Controllers Policy", available via the Group Policy Objects snap-in in the mmc.
Afterwards run GPUPDATE, not secedit, as Microsoft changed it in 2003. (I guess in the SBS Edition as well ;-)
You can confirm your settings running rsop.msc (Start - run).
By the way: are your "other Domain Admins" trying to log on "really locally" (physically in front of the DC, using that keyboard) or via RDP from a different PC?
In the latter case you would have to change RDP permissions (system properties - remote - select remote users).
Markus
Try going to Local Security Policy -
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
And checking the interactive logon settings. Also as stated before DO NOT configure Deny log on locally and you could also NOT configure log on locally as well. Do this for the Local security policy and then also do the same thing for the Default Domain Controller Policy.
Local Security Policy is a subset of Default Domain Controller Policy - either one can be used.
If you open Local Security Policy it displays the Local Security entries for the machine.
If you open Default Domain Controller Policy the Local Security entries are the same. The first snap in is focused on just the Local Security options.
ASKER
Follow-up:
These ideas did not solve the problem.
To clarify (for MarkusKolbeck) - I am trying to log on physically to the DC as another person. I would like to be able to use this as a workstation (for various reasons).
Any other ideas about where to look and what might be limiting my ability to log on locally (interactively)?
ASKER
None of these comments solved my problem, but they helped point me in the right direction. After doing what they recommended, I also had to explicitly add the user rights in several places and I'm still not sure which of the changes I made were the critical ones. I guess I'll split the points - thanks for your help.
Open the Default Domain CONTROLLER policy (note "controller")
Under the Computer Config>Windows Settings>Security Settings>Local Policies>User Rights Assignment - in the Deny Logon Locally policy element remove all the groups shown except {servername}\ASP.NET (if it exists).
Close group policy.
From the command prompt:
secedit /refreshpolicy machine_policy /enforce
Advise.
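A way to check the two user rights discussed in this thread after the policy refresh, as an added example that is not part of any post above. It parses the `[Privilege Rights]` section of a security template exported with `secedit /export /cfg <file> /areas USER_RIGHTS` and reports whether a given logon token is covered by "Allow log on locally" or blocked by "Deny log on locally". Assumptions: the sample export and its domain SID are constructed, the function names are hypothetical, and the caller supplies the account's own SID plus its group SIDs.

```python
import re

ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"

# Constructed sample export; the domain SID below is made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; unresolved accounts appear as plain names.
            members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights

def interactive_logon_verdict(rights, token_sids):
    """token_sids: the user's own SID plus every group SID in the logon token."""
    token = {s.upper() for s in token_sids}
    denied_by = sorted(token & rights.get(DENY, set()))
    allowed_by = sorted(token & rights.get(ALLOW, set()))
    if denied_by:                      # a deny entry wins over any allow entry
        return ("denied", denied_by)
    if not allowed_by:                 # no allow entry matches this token
        return ("not allowed", [])
    return ("allowed", allowed_by)
```

In the constructed sample, a member of Administrators who is also in the group with RID 513 is reported as denied, which is the kind of overlap the advice to clear "Deny log on locally" addresses.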