Logging On

Posted on 2004-04-24
Last Modified: 2010-04-11
When I log off as administrator on my Dell Poweredge server running W2K and try to log on as a user, I get the message
"The local policy of this system does not permit you to logon interactively"

How do I get round this so that I can set up profiles?

Question by:Peter_Fabri

Assisted Solution

jonpaulr earned 200 total points
ID: 10906626
Your answer will vary depending on your server configuration; here are some steps:

#1 Make sure you haven't authorized one user to log on interactively to the server and added his name to the domain security policy for interactive logon. This will disable access for all other users except for the listed user.

#2 If you're running active directory, try this:

When you attempt to log on to a domain or to the local computer, you receive:

The local policy of this system does not permit you to logon interactively.

This problem is the result of setting the Deny logon locally policy on your computer.

To properly set up this policy, create an organizational unit (OU) for computers that you want to exclude from the Deny logon locally policy, and then grant the Log on locally policy to individuals or groups in the OU:

01. Open the Active Directory Users and Computers snap-in.

02. Right-click the domain name, press New and Organizational Unit.

03. Name the OU and press OK.

04. Select the container that contains the computers you wish to move to the new OU.

05. Right-click the computers that you wish to move and press Move.

06. Select the new OU and press OK.

07. Right-click the new OU and press Properties.

08. Select the Group Policy tab.

09. Press New, type the GPO (Group Policy Object) name, and press Edit.

10. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

11. In the right-hand pane of the GPO dialog, right-click Log on locally and press Security.

12. Check the Define these policy settings box.

13. Press Add and Browse.

14. Select the users and/or groups that should be granted the Log on locally policy and press Add, OK, and OK. You can hold down the CTRL key to select multiple objects.

15. Press OK to close the Security Policy dialog.

#3 If that fails, follow these Microsoft steps:


Author Comment

ID: 10906794
Is moving a computer from the domain controller container ok to do (steps 04 and 05)? I don't have computers in any other container.


Expert Comment

ID: 10906818
My guess is that this would be used if you wanted to give rights to some and not others. I believe you can use the same OU you currently have.

LVL 31

Expert Comment

by:Gareth Gudger
ID: 10907735
Users by default aren't granted the right to log on to a server... only domain admins.
LVL 31

Accepted Solution

Gareth Gudger earned 300 total points
ID: 10907741
To change this, go to Start ==> Run ==> type gpedit.msc and click OK


+ Computer Config
  + Windows Settings
    + Security Settings
      + Local Policies
        + User Rights Assignment

Double-click "Log on Locally" and add the "Domain Users" group. Also check what groups are in the "Deny log on locally".

LVL 31

Expert Comment

by:Gareth Gudger
ID: 10907742
Personally I wouldn't recommend letting users log on to the server themselves without good reason.

Author Comment

ID: 10911283
I have done what diggisaur has suggested, adding a select number of users, but I still get the message "The local policy of this system does not permit you to logon interactively". In actual fact the group "users" was already there, which contains the users I want to log on to my server. Still no joy. Perhaps I need to go deeper or elsewhere in the security settings, but where?


Expert Comment

ID: 10912472
The directions that diggisaur gave you should work...

1.  Go to 'Domain Controller Security Policy'
2.  Expand Security and Local Policies
3.  Select User Rights Assignments
4.  Find Log on Locally
5.  Right-click, select Security
6.  Add wanted users here.

If you tested it immediately after you added users you might have to wait 5 min for it to take effect.  You can bypass that by doing a

   secedit /refreshpolicy machine_policy /enforce

from a command prompt.  
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10912702
LOL...he already tried that.

Expert Comment

ID: 10914179
There is obviously a conflicting entry someplace that says "permission denied", overriding the permission "to".

Author Comment

ID: 10932751
An Active Directory manual I'm reading says that to set standard roaming user profiles or mandatory user profiles, you set up a template, log off as administrator, log back on as that user and set the desktop appropriately. This is what I am trying to achieve. But if Windows 2000 server policy doesn't let you log on locally and following the advice above fails to achieve the desired result, then how would you set up these profiles?



Question has a verified solution.
