

Logging On

Posted on 2004-04-24
Medium Priority
Last Modified: 2010-04-11
When I log off as administrator on my Dell Poweredge server running W2K and try to log on as a user, I get the message
"The local policy of this system does not permit you to logon interactively"

How do I get round this so that I can set up profiles?

Question by:Peter_Fabri

Assisted Solution

jonpaulr earned 400 total points
ID: 10906626
Your answer will vary depending on your server configuration; here are some steps:

#1 Make sure you haven't authorized one user to log on interactively to the server and added his name to the domain security policy for interactive logon. This will disable access for all other users except for the listed user.

#2 If you're running active directory, try this:

When you attempt to log on to a domain or to the local computer, you receive:

The local policy of this system does not permit you to logon interactively.

This problem is the result of setting the Deny logon locally policy on your computer.

To properly set up this policy, create an organizational unit (OU) for computers that you want to exclude from the Deny logon locally policy, and then grant the Log on locally policy to individuals or groups in the OU:

01. Open the Active Directory Users and Computers snap-in.

02. Right-click the domain name, press New and Organizational Unit.

03. Name the OU and press OK.

04. Select the container that contains the computers you wish to move to the new OU.

05. Right-click the computers that you wish to move and press Move.

06. Select the new OU and press OK.

07. Right-click the new OU and press Properties.

08. Select the Group Policy tab.

09. Press New, type the GPO (Group Policy Object) name, and press Edit.

10. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

11. In the right-hand pane of the GPO dialog, right-click Log on locally and press Security.

12. Check the Define these policy settings box.

13. Press Add and Browse.

14. Select the users and/or groups that should be granted the Log on locally policy and press Add, OK, and OK. You can hold down the CTRL key to select multiple objects.

15. Press OK to close the Security Policy dialog.

#3 If that fails, follow these Microsoft steps: http://www.microsoft.com/resources/documentation/IIS/6/all/proddocs/en-us/Default.asp?url=/resources/documentation/IIS/6/all/proddocs/en-us/localsec_troubleshoot.asp


Author Comment

ID: 10906794
Is moving a computer from the domain controller container ok to do (steps 04 and 05)? I don't have computers in any other container.


Expert Comment

ID: 10906818
My guess is that this would be used if you wanted to give rights to some and not others. I believe you can use the same OU you currently have.

LVL 31

Expert Comment

by:Gareth Gudger
ID: 10907735
Users by default aren't granted the right to log on to a server... only domain admins.
LVL 31

Accepted Solution

Gareth Gudger earned 600 total points
ID: 10907741
To change this, go to Start ==> Run ==> type gpedit.msc and click OK


+ Computer Config
  + Windows Settings
    + Security Settings
      + Local Policies
        + User Rights Assignment

Double-click "Log on Locally" and add the "Domain Users" group. Also check what groups are in the "Deny log on locally".

LVL 31

Expert Comment

by:Gareth Gudger
ID: 10907742
Personally I wouldn't recommend letting users log on to the server themselves without good reason.

Author Comment

ID: 10911283
I have done what diggisaur has suggested, adding a select number of users, but I still get the message "The local policy of this system does not permit you to logon interactively". In actual fact the group "users" was already there, which contains the users I want to log on to my server. Still no joy. Perhaps I need to go deeper or elsewhere in the security setting, but where?


Expert Comment

ID: 10912472
The directions that diggisaur gave you should work...

1.  Go to 'Domain Controller Security Policy'
2.  Expand Security and Local Policies
3.  Select User Rights Assignments
4.  Find Log on Locally
5.  Right-click, select Security
6.  Add wanted users here.

If you tested it immediately after you added users you might have to wait 5 min for it to take effect.  You can bypass that by doing a

   secedit /refreshpolicy user_policy /enforce

from a command prompt.  
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10912702
LOL...he already tried that.

Expert Comment

ID: 10914179
There is obviously a conflicting entry someplace that says "permission denied", overriding the permission "to".
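
As an added example (not part of the thread and not code from any poster): the accepted answer's advice to check both "Log on locally" and "Deny log on locally", and the comment above about a conflicting deny entry, can be checked offline by parsing the [Privilege Rights] section of a security-template export of the kind `secedit /export` writes. The sample INF, the domain SID and the user tokens are constructed for illustration; the function names are hypothetical.

```python
# Added example: does "Deny log on locally" override a "Log on locally" grant?
ALLOW = "SeInteractiveLogonRight"       # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"    # "Deny log on locally"
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed sample in security-template (INF) format, not from a real server.
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
{ALLOW} = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
{DENY} = *{DOMAIN}-513
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: set of SIDs/account names} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):            # a new section header starts
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; unresolved accounts appear as names.
            rights[name.strip()] = {m.strip().lstrip("*").upper()
                                    for m in value.split(",") if m.strip()}
    return rights

def interactive_logon_verdict(rights, token):
    """token: the user's own SID plus the SID of every group it belongs to."""
    token = {t.upper() for t in token}
    denied = rights.get(DENY, set()) & token
    if denied:                              # a deny entry wins over any grant
        return "denied", sorted(denied)
    granted = rights.get(ALLOW, set()) & token
    return ("allowed", sorted(granted)) if granted else ("not granted", [])

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    # Constructed token: a user in Domain Users (-513) and BUILTIN\Users (-545).
    user = {f"{DOMAIN}-1105", f"{DOMAIN}-513", "S-1-5-32-545"}
    print(interactive_logon_verdict(rights, user))
```

In the constructed sample the user is granted the right through the local Users group but is still refused, because Domain Users appears in the deny list.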

Author Comment

ID: 10932751
An Active Directory manual I'm reading says that to set standard roaming user profiles or mandatory user profiles, you set up a template, log off as administrator, log back on as that user and set the desktop appropriately. This is what I am trying to achieve. But if Windows 2000 server policy doesn't let you log on locally and following the advice above fails to achieve the desired result, then how would you set up these profiles?



Question has a verified solution.
