  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 113645

"local policy does not allow you to login interactively"

We're used to RDP'ing into workstations as the currently logged-in users and doing admin tasks as needed, then logging out and the user logging back in. Recently we decided to switch all workstations' user permissions from local admin to user only. As we started doing this we noticed that now, when we attempt to RDP as the user to test any changes we made as an RDP'ed admin, we get the above-mentioned error.

We have a domain with a few Win2K Advanced Servers (one being the AD DC) as well as 2 2003 servers. All workstations are XP.

I have looked around a bit and found 2 hints pointing at domain policies, so I made the following changes on the AD server:
1.
Active Directory Users and Computers
Right-click your domain (usually my-company.prv format)
Slide down to and choose Properties
Click the third tab "Group Policy"
Click the Default Domain Policy and hit "Edit" from the buttons below.
Go to Computer Configuration/Windows Settings/Security Settings/User Rights Assignments/ and add "Domain Users" and "Domain Admins" (we added User and Administrator to the blank list), and any other group that needs to log on locally, which will enable those groups to log on.
2.
Administrative Tools > Domain Controller Security Policy > Security Settings > Local Policies > User Rights Assignment > Policy > Log on Locally > Add > Browse, click the appropriate group, and then click Add. (Added Users to the existing list.)

Unfortunately we still get the same error on the workstation when trying to RDP into them as a user after the previous RDP session was an admin.

Any further help or pointing in the proper direction would be greatly appreciated.
Asked:
daya88
1 Solution
 
msiceCommented:
On the local computers User Rights Assignment policy make sure the "local user accounts" not just the domain users accounts are allowed the Log on Interactively right.
 
daya88Author Commented:
That's a good point, though I'd like to ensure I am understanding you correctly.

This is on the AD server, I am assuming? Going through security policies? Or domain policies? Or did you mean on the workstations themselves?

Also, "local users" are the ones that are listed in the browse window without the domain.com/builtin or /user under the folder column? And if so, would "Everyone" work? Or does that open up a whole other can of worms?

And thanks for responding!
 
msiceCommented:
I would try it with Everyone on the local workstation as a test; if it fixes the issue, then further restrict and refine the AD policies from there.

 
trywaredkCommented:
Local Group Policy Settings Do Not Take Effect
http://support.microsoft.com/default.aspx?scid=kb;en-us;220862

Using Secedit.exe to Force Group Policy (GPO) to Be Applied Again in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;227448

Gpupdate - Refreshes local and Active Directory-based Group Policy settings in Windows XP
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

Refresh policy from windows 2000 server:
1. Start / Run
2. CMD / ENTER
3. SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
4. SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
5. EXIT

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

 
trywaredkCommented:
Windows XP Professional Local Computer policy - Logon rights and privileges.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prnd_urs_xbqd.asp

 
trywaredkCommented:
Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
 
trywaredkCommented:
Error Message: The Local Policy of This System Does Not Permit You to Logon Interactively
http://support.microsoft.com/default.aspx?scid=kb;en-us;285793&Product=win2000
 
trywaredkCommented:
How to Reset User Rights in the Default Domain Controllers Group Policy Object
http://support.microsoft.com/?kbid=267553
 
daya88Author Commented:
After following your second post's link under logon rights I found this part here.

Allow logon through Terminal Services
(SeRemoteInteractiveLogonRight)
 Allows a user to log on to the computer by using a Remote Desktop connection.
Default setting: Administrators and Remote Desktop Users.

So I was trying to modify the Default Domain Policy, thinking its default settings are possibly causing my trouble, when I realized the server does not even have this (SeRemoteInteractiveLogonRight) policy entry?! Nor do I have a group called "Remote Desktop Users" listed in my AD. Again, this is on an Advanced 2000 Server.
 
 
daya88Author Commented:
And BTW, I had run the secedit /refreshpolicy /machine_policy /enforce on the server and gpupdate /force on the workstation; still no go :(

Thanks for the suggestions though!
 
msiceCommented:
I thought you were trying to RDP into XP workstations? I must have misunderstood. If you are using 2K Pro there is no RDP available.
 
daya88Author Commented:
No, you're correct, I am trying to RDP into XP workstations. I just followed all the hints and those were some of the commands I tried. And yes, on one of them at least I got that the command was not valid, so if one of those is for 2K workstations then that would be why it didn't work.

However, even after running any and all of that I still get the same error once I try to log in remotely after I previously logged in remotely with a different account (usually a local user account following an admin login).
 
msiceCommented:
I believe the local user has to be an administrator, so I don't think "user permissions from local admin to user only" will work at all.
 
daya88Author Commented:
OK, well if that is the case then that answers my question. So to clarify again:

This is not possible "by design"? Only accounts that are admin accounts on a workstation can log in remotely (successively)? Accounts with only user permissions on the local machine get the "cannot login interactively" error when trying to log in through an RDP session?
 
msiceCommented:
I have 2 users that use RDP from home and they are local admins on the XP client and it works correctly. However, not "by design"? I see this here http://windows.about.com/library/weekly/aa020526a.htm and have not tried it yet. Looks like to configure the local accounts you have to be a local administrator. Maybe try adding the user as a local admin, then logon as that user, then check allow remote access for the logged-on user. I think that should work, so the user configuring things needs to be a local admin on the local console. The link should help you, not the standard user security admin config, that's for sure.
 
msiceCommented:
Sorry this is the link I wanted to paste http://techrepublic.com.com/5100-6270-1040581.html?tag=viewfull
 
daya88Author Commented:
Well, but that is exactly what we're trying to get away from. We do not want the users on the workstations to be local admins. We're having problems with them installing their own software and such.

It comes down to securing the network and workstations. However, by doing so our tech support, i.e. VNC and/or RDP, is now hindered and we have to log the current user off and log on as an admin to make the necessary changes. Then when we try to test with the local user account we get the error. Also, we're talking 170 workstations here. We were hoping this was just a matter of a policy not set up correctly.

And BTW, thank you for continuing trying to help!
 
msiceCommented:
Yeah, unfortunately I have found you have to enable XP RDP for the user from the desktop. A helpful tip is that you can run any executable file on the computer by holding down the Shift key, selecting Run As and then entering your admin credentials; it will work with VNC and Remote Assistance.

Use the "Run As" Command with a Shortcut
Navigate to the shortcut item: click Start, point to Programs, and then locate the shortcut item in the Programs menu.
If the shortcut is not located in the Programs folder of the Start menu, navigate to the proper location of the shortcut.
Press SHIFT and hold while you right-click the shortcut item, and then click Run as.
Perform one of the following steps depending on which operating system you have:
Windows 2000: In Run As Other User, type the User name, Password, and Domain, and then click OK.
Windows XP: In Run As, click the option, the following user, type or select the User name, type the Password, and then click OK.
From http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q294676&
 
rkinningCommented:
Windows 2003
On a new install of Windows 2003 AD controller the Domain Controller Security Settings needed to be changed. Here is what I did.

Start Domain Controller Security Settings
Open User Rights Assignment
Open Allow Login Locally
Add 'Domain Users' and 'Authenticated Users' groups
Do the same for 'Access this computer from the network'

After this was set I was able to login with a user account.

Hope this helps.

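As an added example, not code from the thread or from any of its participants, the following PowerShell script ties together the asker's User Rights Assignment steps, the SeRemoteInteractiveLogonRight entry quoted from the XP reskit, and rkinning's answer. It assumes PowerShell 2.0 installed on the XP workstation and an elevated session (secedit needs it); $UserToGrant is a placeholder account. It exports the workstation's effective user rights with secedit, lists who holds the interactive and Terminal Services logon rights (and the Deny rights that override them), and then grants RDP access the least-privilege way, by adding the user to the built-in Remote Desktop Users group rather than Administrators.

```powershell
# Added example, not from the thread: audit the XP workstation's effective
# logon rights and grant RDP without making the user a local admin.
# Assumes PowerShell 2.0 on the workstation and an elevated session
# (secedit requires it). $UserToGrant is a placeholder account name.
param([string]$UserToGrant = 'MYDOMAIN\jdoe')

# Well-known SIDs as secedit writes them (each prefixed with '*').
$knownSids = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

# Rights that decide the "does not allow you to log on interactively" error.
# A Deny right wins over the matching Allow right.
$rights = @('SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
            'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')

# Export only the [Privilege Rights] area of the effective local policy.
$cfg = Join-Path $env:TEMP 'userrights-export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-LogonRightHolders {
    param([string]$InfPath)
    Get-Content -Path $InfPath -Encoding Unicode | ForEach-Object {
        if ($_ -match '^(Se\w+Right)\s*=\s*(.*)$' -and $rights -contains $matches[1]) {
            $holders = $matches[2].Split(',') | ForEach-Object {
                $id = $_.Trim().TrimStart('*')          # strip the SID marker
                if ($knownSids.ContainsKey($id)) { $knownSids[$id] } else { $id }
            }
            New-Object PSObject -Property @{ Right = $matches[1]; Holders = ($holders -join ', ') }
        }
    }
}

Get-LogonRightHolders -InfPath $cfg | Format-Table Right, Holders -AutoSize

# Least-privilege fix: the default policy grants SeRemoteInteractiveLogonRight
# to Administrators AND Remote Desktop Users, so membership in the latter is
# enough for RDP. This is what XP's "Select Remote Users" button does.
# Caveat: a domain GPO that defines "Allow logon through Terminal Services"
# replaces the local list entirely, so keep Remote Desktop Users in it there.
& net.exe localgroup 'Remote Desktop Users' $UserToGrant /add | Out-Null
& net.exe localgroup 'Remote Desktop Users'

Remove-Item -Path $cfg
```

If the audit shows a Deny right listing Users or Everyone, that entry, not the Allow list, is what produces the error, and it has to be removed wherever it is defined (local policy or a domain GPO).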