Solved

"local policy does not allow you to login interactively"

Posted on 2004-04-22
21
113,588 Views
Last Modified: 2013-12-04
We're used to RDP'ing into workstations as the currently logged-in user and doing admin tasks as needed, then logging out and having the user log back in. Recently we decided to switch all workstations' user permissions from local admin to user only. As we started doing this we've noticed that now, when we attempt to RDP as the user to test any changes we made as an RDP'ed admin, we get the above-mentioned error.

We have a domain with a few Win2k Advanced Servers (one being the AD DC) as well as two 2003 servers. All workstations are XP.

I have looked around a bit and found two hints pointing at domain policies, so I made the following changes on the AD server:
1.
Active Directory Users and Computers
Right click your Domain (usually my-company.prv format)
Slide down to and choose Properties
Click the third tab "Group Policy"
Click the Default Domain Policy and hit "Edit" from the buttons below.
Go to Computer Configuration/Windows Settings/Security Settings/User Rights Assignments/ and add "Domain Users" and "Domain Admins" (we added user and administrator to the blank list), and any other group that needs to log on locally, which will enable those groups to log on.
2.
Administrative Tools>Domain Controller Security Policy>Security Settings>Local Policies>User Rights Assignment>Policy>Log on Locally>Add>Browse, click the appropriate group, and then click Add.  (added users to existing list)

Unfortunately we still get the same error on the workstation when trying to RDP into it as a user after the previous RDP session was an admin.

Any further help or pointing in the proper direction would be greatly appreciated.
0
Comment
Question by:daya88
21 Comments
 
LVL 7

Expert Comment

by:msice
ID: 10891153
On the local computers User Rights Assignment policy make sure the "local user accounts" not just the domain users accounts are allowed the Log on Interactively right.
0
 

Author Comment

by:daya88
ID: 10891652
That's a good point, though I'd like to ensure I am understanding you correctly.

This is on the AD server, I am assuming? Going through security policies? Or domain policies? Or did you mean on the workstations themselves?

Also, "local users" are the ones that are listed in the browse window without the domain.com/builtin or /user under the folder column? And if so, would "Everyone" work? Or does that open up a whole other can of worms?

And thanks for responding!
0
 
LVL 7

Expert Comment

by:msice
ID: 10891813
I would try it with Everyone on the local workstation as a test; if it fixes the issue, then further restrict and refine the AD policies from there.
0

 
LVL 12

Expert Comment

by:trywaredk
ID: 10893019
Local Group Policy Settings Do Not Take Effect
http://support.microsoft.com/default.aspx?scid=kb;en-us;220862

Using Secedit.exe to Force Group Policy (GPO) to Be Applied Again in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;227448

Gpupdate - Refreshes local and Active Directory-based Group Policy settings in Windows XP
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

Refresh policy from Windows 2000 Server:
1. Start / Run
2. CMD / ENTER
3. SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
4. SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
5. EXIT

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10893031
Windows XP Professional Local Computer policy - Logon rights and privileges.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prnd_urs_xbqd.asp

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10893035
Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10893052
Error Message: The Local Policy of This System Does Not Permit You to Logon Interactively
http://support.microsoft.com/default.aspx?scid=kb;en-us;285793&Product=win2000
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10893055
How to Reset User Rights in the Default Domain Controllers Group Policy Object
http://support.microsoft.com/?kbid=267553
0
 

Author Comment

by:daya88
ID: 10893307
After following your second post's link under logon rights I found this part here.

Allow logon through Terminal Services
(SeRemoteInteractiveLogonRight)
 Allows a user to log on to the computer by using a Remote Desktop connection.
Default setting: Administrators and Remote Desktop Users.

So I was trying to modify the default domain policy, thinking its default settings are possibly causing my trouble, when I realized the server does not even have this (SeRemoteInteractiveLogonRight) policy entry?! Nor do I have a group called "Remote Desktop Users" listed in my AD. Again, this is on a Windows 2000 Advanced Server.
 
0
 

Author Comment

by:daya88
ID: 10893316
And btw, I had run the secedit /refreshpolicy /machine_policy /enforce on the server and gpupdate /force on the workstation; still no go :(

Thanks for the suggestions though!
0
 
LVL 7

Expert Comment

by:msice
ID: 10893344
I thought you were trying to RDP into XP workstations? I must have misunderstood. If you are using 2K Pro there is no RDP available.
0
 

Author Comment

by:daya88
ID: 10917790
No, you're correct, I am trying to RDP into XP workstations. I just followed all the hints and those were some of the commands I tried. And yes, on one of them at least I got that the command was not valid, so if one of those is for 2K workstations then that would be why it didn't work.

However, even after running any and all of that I still get the same error once I try to log in remotely after I previously logged in remotely with a different account (usually a local user account following an admin login).
0
 
LVL 7

Expert Comment

by:msice
ID: 10919893
I believe the local user has to be an administrator, so I don't think "user permissions from local admin to user only" will work at all.
0
 

Author Comment

by:daya88
ID: 10920519
OK, well if that is the case then that answers my question. So to clarify again:

This is not possible "by design"? Only accounts that are admin accounts on a workstation can log in remotely (successively)? Accounts with only user permissions on the local machine get the "cannot login interactively" error when trying to log in through an RDP session?
0
 
LVL 7

Expert Comment

by:msice
ID: 10920968
I have 2 users that use RDP from home and they are local admins on the XP client and it works correctly. However, not "by design"? I see this here http://windows.about.com/library/weekly/aa020526a.htm and have not tried it yet. Looks like to configure the local accounts you have to be a local administrator. Maybe try adding the user as a local admin, then log on as that user, then check allow remote access for the logged-on user. I think that should work, so the user configuring things needs to be a local admin on the local console. The link should help you, not the standard user security admin config, that's for sure.
0
 
LVL 7

Expert Comment

by:msice
ID: 10920987
Sorry this is the link I wanted to paste http://techrepublic.com.com/5100-6270-1040581.html?tag=viewfull
0
 

Author Comment

by:daya88
ID: 10921012
Well, but that is exactly what we're trying to get away from. We do not want the users on the workstations to be local admins. We're having problems with them installing their own software and such.

It comes down to securing the network and workstations. However, by doing so our tech support, i.e. VNC and/or RDP, is now hindered and we have to log the current user off and log on as an admin to make the necessary changes. Then when we try to test with the local user account we get the error. Also, we're talking 170 workstations here. We were hoping this was just a matter of a policy not set up correctly.

And btw, thank you for continuing to try to help!
0
 
LVL 7

Accepted Solution

by:
msice earned 250 total points
ID: 10921154
Yeah, unfortunately I have found you have to enable XP RDP for the user from the desktop. A helpful tip is that you can run any executable file in the computer by holding down the shift key and selecting Run As and then enter your admin credentials - will work with VNC and Remote Assistance.

Use the "Run As" Command with a Shortcut
Navigate to the shortcut item: click Start, point to Programs, and then locate the shortcut item in the Programs menu.
If the shortcut is not located in the Programs folder of the Start menu, navigate to the proper location of the shortcut.
Press SHIFT and hold while you right-click the shortcut item, and then click Run as.
Perform one of the following steps depending on which operating system you have:
Windows 2000: In Run As Other User, type the User name, Password, and Domain, and then click OK.
Windows XP: In Run As, click the option, the following user, type or select the User name, type the Password, and then click OK.
From http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q294676&
0
 

Expert Comment

by:rkinning
ID: 20551013
Windows 2003
On a new install of Windows 2003 AD controller the Domain Controller Security Settings needed to be changed. Here is what I did.

Start Domain Controller Security Settings
Open User Rights Assignment
Open Allow Login Locally
Add 'Domain Users' and 'Authenticated Users' groups
Do the same for 'Access this computer from the network'

After this was set I was able to login with a user account.

Hope this helps.

0
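As an added example (not code from the thread or from any of the posters): a small Python audit of the logon rights discussed above, fed with the file that `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes on a workstation. It shows why a plain domain user holding only "Allow log on locally" still gets the interactive-logon error over RDP on XP until the account is in the local Remote Desktop Users group; the INF text and the SIDs on the token are constructed sample values, and the same parser works for exports collected from many workstations.

```python
# Added example (not from the thread): audit an exported user-rights policy for the
# two logon rights behind the "does not allow you to log on interactively" error.
# Input is what `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes; the
# sample below is constructed, not captured from a real machine.

# Well-known SIDs (documented Microsoft values).
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
REMOTE_DESKTOP_USERS = "S-1-5-32-555"
AUTHENTICATED_USERS = "S-1-5-11"

# Constructed sample: XP-style defaults, user never added to Remote Desktop Users.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-7
SeDenyRemoteInteractiveLogonRight =
"""

LOGON_RIGHTS = {  # logon type -> (Allow right, Deny right)
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "rdp": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
}

def parse_privilege_rights(inf_text):
    """Return {right_name: set_of_sids} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes SIDs with '*'; plain account names carry no prefix.
        rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def effective_logon(inf_text, token_sids):
    """Map logon type -> bool for a token holding token_sids; a Deny match beats Allow."""
    rights, token = parse_privilege_rights(inf_text), set(token_sids)
    return {kind: bool(rights.get(allow, set()) & token) and not (rights.get(deny, set()) & token)
            for kind, (allow, deny) in LOGON_RIGHTS.items()}

if __name__ == "__main__":
    user = [USERS, AUTHENTICATED_USERS]
    print("plain user:", effective_logon(SAMPLE_INF, user))  # rdp: False
    print("in RDP group:", effective_logon(SAMPLE_INF, user + [REMOTE_DESKTOP_USERS]))  # rdp: True
```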