• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 680
  • Last Modified:

Logging On

When I log off as administrator on my Dell Poweredge server running W2K and try to log on as a user, I get the message
"The local policy of this system does not permit you to logon interactively"

How do I get round this so that I can set up profiles?

Peter
0
Peter_Fabri
Asked:
Peter_Fabri
  • 4
  • 3
  • 3
  • +1
2 Solutions
 
jonpaulrCommented:
Your answer will vary depending on your server configuration, here are some steps:

#1 Make sure you haven't authorized one user to logon interactively to the server and added his name to the domain security policy for interactive logon. This will disable access for all other users including except for the listed user.

#2 If you're running active directory, try this:

When you attempt to log on to a domain or to the local computer, you receive:

The local policy of this system does not permit you to logon interactively.

This problem is the result of setting the Deny logon locally policy on your computer.

To properly setup this policy, create an organizational unit  (OU) for computers that you want to exclude from the Deny logon locally policy, and then grant the Log on locally policy to individuals or groups in the OU:

01. Open the Active Directory Users and Computers snap-in.

02. Right-click the domain name, press to New and Organizational Unit.

03. Name the OU and press OK.

04. Select the container that contains the computers you wish to move to the new OU.

05. Right-click the computers that you wish to move and press Move.

06. Select the new OU and press OK.

07. Right-click the new OU and press Properties.

08. Select the Group Policy tab.

09. Press New, type the GPO (Group Policy Object) name, and press Edit.

10. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

11. In the right-hand pane of the GPO dialog, right-click Log on locally and press Security.

12. Check the Define these policy settings box.

13. Press Add and Browse.

14. Select the users and/or groups that should be granted the Log on locally policy and press Add, OK, and OK. You can hold down the CTRL key to select multiple objects.

15. Press OK to close the Security Policy dialog.

#3 If that fails, follow these Microsoft steps: http://www.microsoft.com/resources/documentation/IIS/6/all/proddocs/en-us/Default.asp?url=/resources/documentation/IIS/6/all/proddocs/en-us/localsec_troubleshoot.asp

0
 
Peter_FabriAuthor Commented:
Is moving a computer from the domain controller container ok to do (steps 04 and 05)? I don't have computers in any other container.

Peter
0
 
jonpaulrCommented:
My guess is that this would be used if you wanted to give rights to some and not others. I believe you can use the same OU you currently have.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell┬« is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
Gareth GudgerCommented:
Users by default arent granted the right to log on to a server....only domain admins.
0
 
Gareth GudgerCommented:
To change this go to Start ==> Run ==> type gpedit.msc and click ok

Expand...

+ Computer Config
  + Windows Settings
    + Security Settings
      + Local Policies
        + User Rights Assignment

Double click "Log on Locally" and add the "Domain Users" group. Also check what groups are in the "Deny log on locally"

0
 
Gareth GudgerCommented:
Personally I wouldnt recommend letting users log on to the server themselves without good reason.
0
 
Peter_FabriAuthor Commented:
I have done what diggisaur has suggested, adding a select number of users, but I still get the message "The local policy of this system does not permit you to logon interactively". In a actual fact the group "users" was already there, which contain the users I want to log on to my server. Still no joy. Perhaps I need to go deeper or elsewhere in the security setting, but where?

Peter
0
 
mgrassCommented:
The directiions that diggisaur gave you should work...

1.  Go to 'Domain Controller Security Policy'
2.  Expand Security and Local Policies
3.  Select User Rights Assignments
4.  Find Log on Locally
5.  Right-click, select Security
6.  Add wanted users here.

If you tested it immediately after you added users you might have to wait 5 min for it to take effect.  You can bypass that by doing a

   secedit /refreshpolicy user_policy /enforce

from a command prompt.  
0
 
Gareth GudgerCommented:
LOL...he already tried that.
0
 
jonpaulrCommented:
There is obviously a conflicting entry someplace that is says "permission denied" over riding the permission "to".
0
 
Peter_FabriAuthor Commented:
An Active Directory manual I'm reading says to set standard roaming user profiles or mandatory user profiles, you set up a template, log off as administrator, log back on as that user and set the desk top appropriately. This is what I am trying to achieve. But if Windows 2000 server policy doesn't let you log on locally and following the advice above fails to achieve the desired result, then how would you set up these profiles?

Peter
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell┬« is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 4
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now