Logging On

Posted on 2004-04-24
Medium Priority
Last Modified: 2010-04-11
When I log off as administrator on my Dell Poweredge server running W2K and try to log on as a user, I get the message
"The local policy of this system does not permit you to logon interactively"

How do I get round this so that I can set up profiles?

Question by:Peter_Fabri

Assisted Solution

jonpaulr earned 400 total points
ID: 10906626
Your answer will vary depending on your server configuration; here are some steps:

#1 Make sure you haven't authorized one user to log on interactively to the server and added his name to the domain security policy for interactive logon. This will disable access for all other users except for the listed user.

#2 If you're running active directory, try this:

When you attempt to log on to a domain or to the local computer, you receive:

The local policy of this system does not permit you to logon interactively.

This problem is the result of setting the Deny logon locally policy on your computer.

To properly set up this policy, create an organizational unit (OU) for computers that you want to exclude from the Deny logon locally policy, and then grant the Log on locally policy to individuals or groups in the OU:

01. Open the Active Directory Users and Computers snap-in.

02. Right-click the domain name, press New and Organizational Unit.

03. Name the OU and press OK.

04. Select the container that contains the computers you wish to move to the new OU.

05. Right-click the computers that you wish to move and press Move.

06. Select the new OU and press OK.

07. Right-click the new OU and press Properties.

08. Select the Group Policy tab.

09. Press New, type the GPO (Group Policy Object) name, and press Edit.

10. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

11. In the right-hand pane of the GPO dialog, right-click Log on locally and press Security.

12. Check the Define these policy settings box.

13. Press Add and Browse.

14. Select the users and/or groups that should be granted the Log on locally policy and press Add, OK, and OK. You can hold down the CTRL key to select multiple objects.

15. Press OK to close the Security Policy dialog.

#3 If that fails, follow these Microsoft steps: http://www.microsoft.com/resources/documentation/IIS/6/all/proddocs/en-us/Default.asp?url=/resources/documentation/IIS/6/all/proddocs/en-us/localsec_troubleshoot.asp


Author Comment

ID: 10906794
Is moving a computer from the domain controller container ok to do (steps 04 and 05)? I don't have computers in any other container.


Expert Comment

ID: 10906818
My guess is that this would be used if you wanted to give rights to some and not others. I believe you can use the same OU you currently have.

LVL 31

Expert Comment

by:Gareth Gudger
ID: 10907735
Users by default aren't granted the right to log on to a server... only domain admins.
LVL 31

Accepted Solution

Gareth Gudger earned 600 total points
ID: 10907741
To change this go to Start ==> Run ==> type gpedit.msc and click ok


+ Computer Config
  + Windows Settings
    + Security Settings
      + Local Policies
        + User Rights Assignment

Double click "Log on Locally" and add the "Domain Users" group. Also check what groups are in the "Deny log on locally"
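
As an added example (not part of the original thread), the check suggested above can be run against an exported policy instead of the GUI: export the user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and compare the two rights, remembering that a deny entry wins over an allow entry. The sample export and the account names are constructed, and the caller is assumed to supply the user's group memberships.

```python
import configparser

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"

# Constructed sample of a file written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# S-1-5-32-544 is BUILTIN\Administrators, S-1-5-32-545 is BUILTIN\Users.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,CORP\\ProfileSetup
SeDenyInteractiveLogonRight = *S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right name: set of principals} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def can_log_on_locally(rights, user_principals):
    """user_principals: the account itself plus every group it belongs to.

    Returns (result, matching allow entries, matching deny entries).
    Any deny match overrides the allow entries.
    """
    ids = {p.lower() for p in user_principals}
    allowed = ids & {p.lower() for p in rights.get(ALLOW, set())}
    denied = ids & {p.lower() for p in rights.get(DENY, set())}
    return bool(allowed) and not denied, sorted(allowed), sorted(denied)

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    # Hypothetical user who is a member of BUILTIN\Users only.
    ok, allowed, denied = can_log_on_locally(
        rights, ["CORP\\testuser", "*S-1-5-32-545"])
    print("interactive logon permitted:", ok)
    print("allowed via:", allowed, "| denied via:", denied)
```

In the constructed sample the Users group appears in both rights, so a member of Users is refused even though the group is listed under "Log on locally".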

LVL 31

Expert Comment

by:Gareth Gudger
ID: 10907742
Personally I wouldn't recommend letting users log on to the server themselves without good reason.

Author Comment

ID: 10911283
I have done what diggisaur has suggested, adding a select number of users, but I still get the message "The local policy of this system does not permit you to logon interactively". In actual fact the group "users" was already there, which contains the users I want to log on to my server. Still no joy. Perhaps I need to go deeper or elsewhere in the security settings, but where?


Expert Comment

ID: 10912472
The directions that diggisaur gave you should work...

1.  Go to 'Domain Controller Security Policy'
2.  Expand Security and Local Policies
3.  Select User Rights Assignments
4.  Find Log on Locally
5.  Right-click, select Security
6.  Add wanted users here.

If you tested it immediately after you added users you might have to wait 5 min for it to take effect.  You can bypass that by doing a

   secedit /refreshpolicy user_policy /enforce

from a command prompt.  
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10912702
LOL...he already tried that.

Expert Comment

ID: 10914179
There is obviously a conflicting entry someplace that says "permission denied", overriding the permission "to".

Author Comment

ID: 10932751
An Active Directory manual I'm reading says that to set standard roaming user profiles or mandatory user profiles, you set up a template, log off as administrator, log back on as that user and set the desktop appropriately. This is what I am trying to achieve. But if Windows 2000 server policy doesn't let you log on locally and following the advice above fails to achieve the desired result, then how would you set up these profiles?



Question has a verified solution.
