Domain Users receive "local Policy of this system does not allow you to log on Interactively"

Posted on 2006-03-31
Last Modified: 2010-04-11
Good evening everyone,

I've been working on group policies and somewhere I've messed up.
First I want to say that I've read through a few pages of current topics but nothing has helped so far.

What I've got is this: with the following OUs.  General Users, Information Systems, and Restricted Internet Access.  I've moved the majority of the users to General Users and given it a gpo named general users.  Same type thing for the IS OU and the Restricted Internet Access OU.  

I moved the users to the general users OU this morning.  Well sometime after lunch, some people tried to log back in [on a domain PC-not the domain controller] and received the above error.  If I add them to Domain Admins [which I did due to the nature of our work but of course I don't want to keep them as such]

I've looked at the deny logon locally and the allow logon in the Default Domain Controllers policy and they looked fine.  [Well, domain users was not in the allow - I added it - and only one thing was in the deny {domain.SUPPORT_388945a0}]

I'm sure I've left some vital info out so please ask questions...  Also I know very little about policies so please bear with me.

Question by:mbarnesseo
    LVL 1

    Author Comment

    Well, thanks to the powers that be and my own stupidity I think it is fixed.  I would like to keep this open for the same amount of points.  I think - think, I say - that I should have run the secedit /refreshpolicy machine_policy /enforce.  [Don't changes in domain controller policy take a while to trickle down?]

    Bonus question:

    I've been trying to use GPOs to limit internet access.  I've read a lot of the posts about the subject and decided the cheapest and easiest course of action for what I want is to use the 'fake' proxy server.  However, I do want them to get to a few sites that they use for work.  Unfortunately it seems that the exception list is limited to the number of characters or entries.  Is there a way to increase that or have the GPO look at a text file?

    I know... using an actual proxy server would be the best way... but this company will not spring for one.

    thanks again

    LVL 82

    Accepted Solution

    You could use a Proxy Auto Configuration (pac) script, which would return "direct" for any allowed site, and a fake proxy for everything else.
    Navigator Proxy Auto-Config File Format

    Maybe of interest, here's a site that offers a pac script that prevents downloads from ad servers:
    Bust Banner Ads with Proxy Auto Configuration
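
The allow-list approach from the accepted answer, as an added example that is not part of the original thread: a PAC file that returns `DIRECT` for permitted work sites and a dead-end proxy for everything else. The domain names and the fake proxy address are constructed placeholders, and `hostInDomain` is a helper written for this example; the list lives in the script, so it is not bound by the exception-list length limit.

```javascript
// Constructed allow-list: work sites users may reach directly (placeholders).
var ALLOWED_DOMAINS = [
    "example.com",
    "vendor-portal.example.net",
    "intranet.example.org"
];

// Constructed "fake" proxy: nothing listens here, so blocked requests fail.
var BLOCK = "PROXY 127.0.0.1:9";

// True when host equals domain or is a subdomain of it.
// Comparing against "." + domain keeps "notexample.com" from matching
// "example.com", which a bare substring or suffix test would allow.
function hostInDomain(host, domain) {
    if (host === domain) { return true; }
    var suffix = "." + domain;
    var at = host.length - suffix.length;
    return at > 0 && host.indexOf(suffix, at) === at;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
    host = host.toLowerCase();

    // Normalise a fully qualified name written with a trailing dot.
    if (host.charAt(host.length - 1) === ".") {
        host = host.substring(0, host.length - 1);
    }

    // Single-label names (no dot) are treated as internal machines.
    if (host.indexOf(".") === -1) { return "DIRECT"; }

    for (var i = 0; i < ALLOWED_DOMAINS.length; i++) {
        if (hostInDomain(host, ALLOWED_DOMAINS[i])) { return "DIRECT"; }
    }

    // Default deny: anything not listed goes to the dead-end proxy.
    return BLOCK;
}
```

This only controls browsers that honour the PAC setting, so the proxy settings themselves need to be locked down by policy for the restriction to hold.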
    LVL 4

    Assisted Solution

    LVL 1

    Author Comment

    Anyone else have any suggestions?  I want to reward points on Monday...


