• Status: Solved

2003 DC "The local policy of this system does not permit you to logon interactively."

Running a 2003 domain controller. When I try to remote desktop into it I get this error:
"The local policy of this system does not permit you to logon interactively."
Before this error never existed. I had opened up a question here
and tried this suggestion
located here
I made the change
computerconfiguration>Windows-Settings>local policies>assign of userrights>"Allow to logon via Terminalservices"
and now I cannot RD into this DC anymore, even after changing the setting back and rebooting.

Does anyone know why this happened and what I can do to fix the problem?
2 Solutions
In your group policy check "Logon Locally" and "Deny Logon Locally" under:

Windows settings>Security Settings>Local Policies>User Rights Assignment

Could just be a permissions issue.
DMS-X (Author) commented:
Thanks for the reply nihlcat.

OK, I checked both the "Logon Locally" and "Deny Logon Locally".
"Deny Logon Locally" is not defined and "Logon Locally" does not exist.

I have noticed, however, that in AD I am missing the Builtin account called "remote desktop users".
This 2003 domain controller has been introduced into a 2000 DC environment. I still have the 2000 server running AD and in control of the 5 FSMO roles.
So this might be normal considering the conditions in which the DC was built. Maybe someone might be able to take a look at a 2003 domain controller that has had its AD structure migrated from a 2000 DC.

DMS-X (Author) commented:
oops "Allow logon locally" is probably what you meant and not "Logon Locally", my bad.
Yes it exists and it is set to not defined.

You have to allow logon locally. Do NOT set this in domain group policy; set it in domain controller group policy or just run gpedit.msc.

For example, if you want to allow Andy to terminal into the domain controller, add his name to "Allow to logon via Terminalservices" and "Allow logon locally".
DMS-X (Author) commented:
I will give it a shot on Monday : )
DMS-X (Author) commented:
Does anyone know what is going on?
Local policy does not apply to DCs.

You should check all those settings in Default Domain Controller Policy.

There is also no domain level "remote desktop users" policy.

A better way to check this is to run the RSOP - Resultant Set of Policy. Do this with rsop.msc on the 2003 server.

This will give a very clear picture of the status on the server, and where said policies are loaded from. It *should* be the Default Domain Controller Policy, but you never know.

DMS-X (Author) commented:
>There is also no domain level "remote desktop users" policy.
Good to know that.

I managed to get it working by putting the builtin Administrators account in the default domain policy--->computer config.--->windows settings--->local policies--->user rights.....--->allow logon through terminal services.

binary_1001010 and harleyjd thanks for your help!
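
The user-rights check discussed in this thread can also be done from a file instead of the rsop.msc snap-in. The sketch below is an added example, not code from any poster here: it parses the [Privilege Rights] section of a `secedit /export /areas USER_RIGHTS` export and applies deny-before-allow to the SIDs in an account's token. The sample export, the domain SIDs and the function names are constructed for illustration, and it assumes the export reflects the settings in effect on the DC.

```python
# Added example: evaluate logon rights from a user-rights export.
# Assumes the text came from `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# (real exports are UTF-16; decode the file before passing the text in).

RDP_ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
RDP_DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services
LOCAL_ALLOW = "SeInteractiveLogonRight"          # Allow log on locally
LOCAL_DENY = "SeDenyInteractiveLogonRight"       # Deny log on locally

# Constructed sample: the RDP allow right lists a single made-up account SID,
# so BUILTIN\Administrators (S-1-5-32-544) is not on the list.
SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def logon_verdict(rights, token_sids, allow, deny):
    """Deny wins over allow; a right with no entries grants access to nobody."""
    token = set(token_sids)
    if token & rights.get(deny, set()):
        return "denied: listed in " + deny
    if token & rights.get(allow, set()):
        return "allowed"
    return "denied: not listed in " + allow

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE)
    admin_token = ["S-1-5-21-1111111111-2222222222-3333333333-500", "S-1-5-32-544"]
    print("RDP:  ", logon_verdict(rights, admin_token, RDP_ALLOW, RDP_DENY))
    print("Local:", logon_verdict(rights, admin_token, LOCAL_ALLOW, LOCAL_DENY))
```

Pass every SID in the account's token (the user plus its groups), since a right is usually granted or denied through group membership.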
