"local policy does not allow you to login interactively"

Posted on 2004-04-22
Last Modified: 2013-12-04
We're used to RDP'ing into workstations as the currently logged-in user and doing admin tasks as needed, then logging out and the user logging back in. Recently we decided to switch all workstations' user permissions from local admin to user only. As we started doing this we noticed that now, when we attempt to RDP as the user to test any changes we made as an RDP'ed admin, we get the above-mentioned error.

We have a domain with a few Win2K Advanced Servers (one being the AD DC) as well as two 2003 servers. All workstations are XP.

I have looked around a bit and found two hints pointing at domain policies, so I made the following changes on the AD server:
1.
Active Directory Users and Computers
Right-click your Domain (usually my-company.prv format)
Slide down to and choose Properties
Click the third tab "Group Policy"
Click the Default Domain Policy and hit "Edit" from the buttons below.
Go to Computer Configuration/Windows Settings/Security Settings/User Rights Assignment/ and add "Domain Users" and "Domain Admins" (we added User and Administrator to the blank list), and any other group that needs to log on locally, which will enable those groups to log on.
2.
Administrative Tools > Domain Controller Security Policy > Security Settings > Local Policies > User Rights Assignment > Policy > Log on Locally > Add > Browse, click the appropriate group, and then click Add. (Added Users to the existing list.)

Unfortunately we still get the same error on the workstation when trying to RDP into it as a user after the previous RDP session was an admin.

Any further help or pointing in the proper direction would be greatly appreciated.
Question by:daya88
21 Comments
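The message in the title is the workstation's own verdict on its effective logon rights, whichever GPO or local setting supplied them. The PowerShell script below is an added example for this page, not something posted in the thread: run from an elevated prompt on the workstation that refuses the RDP logon, it exports the User Rights Assignment area with secedit.exe and prints who holds the four rights that decide an interactive or Remote Desktop logon. The scratch file name and the choice of rights to inspect are assumptions made here; the comments give each right's display name in the Local Security Policy snap-in.

```powershell
# Added example for this page, not code from the thread.
# Dumps the effective logon-related user rights on the local workstation and
# resolves the SIDs secedit writes back to account names. Run from an elevated
# prompt on the workstation that rejects the RDP logon. The scratch file name
# and the list of rights are choices made here.

$inf = Join-Path $env:TEMP 'userrights-audit.inf'   # arbitrary scratch file

# Export only the User Rights Assignment area of the effective local policy.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; are you running elevated?' }

# The four rights that decide an interactive or Remote Desktop logon.
# A Deny right always wins over the matching Allow right.
$rightsOfInterest = @(
    'SeInteractiveLogonRight',           # "Allow log on locally"
    'SeDenyInteractiveLogonRight',       # "Deny log on locally"
    'SeRemoteInteractiveLogonRight',     # "Allow logon through Terminal Services"
    'SeDenyRemoteInteractiveLogonRight'  # "Deny logon through Terminal Services"
)

function Resolve-SeceditToken {
    param([string]$Token)
    # secedit writes SIDs as *S-1-5-32-544 and some accounts as plain names.
    if (-not $Token.StartsWith('*')) { return $Token }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]($Token.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Token   # deleted account or untrusted domain; keep the raw SID
    }
}

$assignments = @{}
# secedit writes the file as UTF-16; lines look like:
#   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
foreach ($line in Get-Content $inf -Encoding Unicode) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest -contains $Matches[1]) {
        $holders = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ } |
            ForEach-Object { Resolve-SeceditToken $_ }
        $assignments[$Matches[1]] = @($holders)
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# A right that no policy defines at all simply does not appear in the export.
foreach ($right in $rightsOfInterest) {
    $who = if ($assignments.ContainsKey($right)) { $assignments[$right] -join ', ' } else { '(no one)' }
    '{0,-36} {1}' -f $right, $who
}
```

If the test account is absent from both SeInteractiveLogonRight and SeRemoteInteractiveLogonRight, or turns up (directly or through a group such as Users or Domain Users) under either Deny right, the workstation refuses the logon no matter what was set on the domain controller. Keep in mind that a user right defined in any domain GPO replaces the workstation's local list rather than merging with it, so a right edited for the DC can quietly drop Remote Desktop Users from the workstation's Terminal Services right.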
 
Expert Comment

by:msice
On the local computers User Rights Assignment policy make sure the "local user accounts" not just the domain users accounts are allowed the Log on Interactively right.

Author Comment

by:daya88
That's a good point, though I'd like to ensure I am understanding you correctly.

This is on the AD server, I am assuming? Going through security policies? Or domain policies? Or did you mean on the workstations themselves?

Also, are "local users" the ones that are listed in the browse window without the domain.com/Builtin or /Users under the folder column? And if so, would "Everyone" work? Or does that open up a whole other can of worms?

And thanks for responding!
Expert Comment

by:msice
I would try it with Everyone on the local workstation as a test; if it fixes the issue, then further restrict and refine the AD policies from there.
Expert Comment

by:trywaredk
Local Group Policy Settings Do Not Take Effect
http://support.microsoft.com/default.aspx?scid=kb;en-us;220862

Using Secedit.exe to Force Group Policy (GPO) to Be Applied Again in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;227448

Gpupdate - Refreshes local and Active Directory-based Group Policy settings in Windows XP
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

Refresh policy from windows 2000 server:
1. Start / Run
2. CMD / ENTER
3. SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
4. SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
5. EXIT

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

Expert Comment

by:trywaredk
Windows XP Professional Local Computer policy - Logon rights and privileges.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prnd_urs_xbqd.asp

Expert Comment

by:trywaredk
Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
Expert Comment

by:trywaredk
Error Message: The Local Policy of This System Does Not Permit You to Logon Interactively
http://support.microsoft.com/default.aspx?scid=kb;en-us;285793&Product=win2000
Expert Comment

by:trywaredk
How to Reset User Rights in the Default Domain Controllers Group Policy Object
http://support.microsoft.com/?kbid=267553

Author Comment

by:daya88
After following your second post's link, under logon rights I found this part here.

Allow logon through Terminal Services
(SeRemoteInteractiveLogonRight)
 Allows a user to log on to the computer by using a Remote Desktop connection.
Default setting: Administrators and Remote Desktop Users.

So I was trying to modify the Default Domain Policy, thinking its default settings were possibly causing my trouble, when I realized the server does not even have this (SeRemoteInteractiveLogonRight) policy entry?! Nor do I have a group called "Remote Desktop Users" listed in my AD. Again, this is on an Advanced 2000 Server.
 

Author Comment

by:daya88
And btw, I had run secedit /refreshpolicy /machine_policy /enforce on the server and gpupdate /force on the workstation; still no go :(

Thanks for the suggestions though!
Expert Comment

by:msice
I thought you were trying to RDP into XP workstations? I must have misunderstood. If you are using 2K Pro there is no RDP available.

Author Comment

by:daya88
No, you're correct, I am trying to RDP into XP workstations. I just followed all the hints and those were some of the commands I tried. And yes, on one of them at least I got that the command was not valid, so if one of those is for 2K workstations then that would be why it didn't work.

However, even after running any and all of that, I still get the same error once I try to log in remotely after I previously logged in remotely with a different account (usually a local user account following an admin login).
Expert Comment

by:msice
I believe the local user has to be an administrator, so I don't think "user permissions from local admin to user only" will work at all.

Author Comment

by:daya88
OK, well if that is the case then that answers my question. So to clarify again:

This is not possible "by design"? Only accounts that are admin accounts on a workstation can log in remotely (successively)? Accounts with only user permissions on the local machine get the "cannot login interactively" error when trying to log in through an RDP session?
Expert Comment

by:msice
I have 2 users that use RDP from home and they are local admins on the XP client and it works correctly. However, not "by design"? I see this here http://windows.about.com/library/weekly/aa020526a.htm and have not tried it yet. Looks like to configure the local accounts you have to be a local administrator. Maybe try adding the user as a local admin, then logon as that user, then check allow remote access for the logged-on user. I think that should work, so the user configuring things needs to be a local admin on the local console. The link should help you; not the standard user security admin config, that's for sure.
Expert Comment

by:msice
Sorry this is the link I wanted to paste http://techrepublic.com.com/5100-6270-1040581.html?tag=viewfull

Author Comment

by:daya88
Well, but that is exactly what we're trying to get away from. We do not want the users on the workstations to be local admins. We're having problems with them installing their own software and such.

It comes down to securing the network and workstations. However, by doing so our tech support, i.e. VNC and/or RDP, is now hindered and we have to log the current user off and log on as an admin to make the necessary changes. Then when we try to test with the local user account we get the error. Also, we're talking 170 workstations here. We were hoping this was just a matter of a policy not set up correctly.

And btw, thank you for continuing to try to help!
Accepted Solution

by:msice (earned 250 total points)
Yeah, unfortunately I have found you have to enable XP RDP for the user from the desktop. A helpful tip is that you can run any executable file on the computer by holding down the Shift key, selecting Run As and then entering your admin credentials; this will work with VNC and Remote Assistance.

Use the "Run As" Command with a Shortcut
Navigate to the shortcut item: click Start, point to Programs, and then locate the shortcut item in the Programs menu.
If the shortcut is not located in the Programs folder of the Start menu, navigate to the proper location of the shortcut.
Press SHIFT and hold while you right-click the shortcut item, and then click Run as.
Perform one of the following steps depending on which operating system you have:
Windows 2000: In Run As Other User, type the User name, Password, and Domain, and then click OK.
Windows XP: In Run As, click the option, the following user, type or select the User name, type the Password, and then click OK.
From http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q294676&
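Enabling Remote Desktop "for the user from the desktop", as the accepted answer puts it, comes down on XP to putting the account into the workstation's local Remote Desktop Users group, the group that (per the reskit excerpt quoted earlier in the thread) holds "Allow logon through Terminal Services" by default alongside Administrators. Doing that by hand on 170 workstations is the cost the poster objects to, so here is an added PowerShell example, not code from the thread, that makes the same group change from an admin workstation over the ADSI WinNT provider, which XP answers without any remote-management agent. The domain name, user name and the workstations.txt list are placeholders you supply; the script assumes the account running it is a local administrator on every target and that the targets are reachable over SMB/RPC.

```powershell
# Added example, not from the thread: grant a domain user RDP access to many XP
# workstations without making the user a local admin, by adding the account to
# each workstation's local "Remote Desktop Users" group via the ADSI WinNT
# provider. Assumptions: you run as a domain account that is a local admin on
# the targets; $Domain and $User are placeholders; workstations.txt is a
# constructed list with one hostname per line.

param(
    [string]$Domain   = 'MYCOMPANY',           # NetBIOS domain name (placeholder)
    [string]$User     = 'jdoe',                # account to grant RDP (placeholder)
    [string]$ListFile = '.\workstations.txt'   # constructed list, one hostname per line
)

$groupName  = 'Remote Desktop Users'
$memberPath = "WinNT://$Domain/$User,user"

foreach ($computer in Get-Content $ListFile | Where-Object { $_.Trim() }) {
    $computer = $computer.Trim()
    try {
        $group = [ADSI]"WinNT://$computer/$groupName,group"

        # Enumerate current members first so the script is idempotent and
        # records what it found rather than blindly re-adding.
        $members = @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })

        if ($members -contains $User) {
            "$computer : $User is already in '$groupName'"
            continue
        }

        $group.Add($memberPath)
        "$computer : added $Domain\$User to '$groupName'"
    } catch {
        # Typical causes: host offline, firewall blocking RPC, or not a local admin there.
        "$computer : FAILED - $($_.Exception.Message)"
    }
}
```

The account gains only the remote logon right, not local admin, which is the whole point of the change the poster wants. Membership in Remote Desktop Users does nothing, though, if a domain GPO has redefined the workstation's "Allow logon through Terminal Services" right without that group, so check the effective right in Local Security Policy on one target and RDP in as a plain user there before rolling the change out to all 170.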

Expert Comment

by:rkinning
Windows 2003
On a new install of a Windows 2003 AD controller, the Domain Controller Security Settings needed to be changed. Here is what I did.

Start Domain Controller Security Settings
Open User Rights Assignment
Open Allow Login Locally
Add 'Domain Users' and 'Authenticated Users' groups
Do the same for 'Access this computer from the network'

After this was set I was able to login with a user account.

Hope this helps.
