We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Domain Users receive "local Policy of this system does not allow you to log on Interactively"

mbarnesseo asked
Medium Priority
Last Modified: 2010-04-11
Good evening everyone,

I've been working on group policies and somewhere I've messed up.
First I want to say that I've read through a few pages of current topics but nothing has helped so far.

What I've got is this:
domain.com with the following OUs.  General Users, Information Systems, and Restricted Internet Access.  I've moved the majority of the users to General Users and given it a gpo named general users.  Same type thing for the IS OU and the Restricted Internet Access OU.  

I moved the users to the general users OU this morning.  Well sometime after lunch, some people tried to log back in [on a domain PC-not the domain controller] and received the above error.  If I add them to Domain Admins [which I did due to the nature of our work but of course I don't want to keep them as such]

I've looked at the deny logon locally and the allow logon in the Default Domain Controllers policy and they looked fine.  [Well domain users was not in the allow-I added it-and only one thing was in the deny {domain.SUPPORT_388945a0}

I'm sure I've left some fital info out so please ask questions...  Also I know very little about policies so please bear with me.

Watch Question


Well thanks to the powers that be and my own stupidity I think it is fixed.  I would like to keep this open for the same amount of points.  I think - think I say- that I shouild of ran the secedit /refreshpolicy machine_policy /enforce.  [Doesn't changes in domain controller policy take awhile to trickle down?]

Bonus question:

I've been trying to use GPOs to limit internet access.  I've read a lot of the posts about the subject and decided the cheapest and easiest course of action for what I want is to use the 'fake' proxy server.  However, I do want them to get to a few sites that they use for work.  Unfortunately it seems that the exception list is limited to the number of characters or entries.  Is there a way to increase that or have the GPO look at a text file?

I know... using an actual proxy server would be the best way... but this company will not spring for one.

thanks again

Most Valuable Expert 2019
Most Valuable Expert 2018
You could use a Proxy Auto Configuration (pac) script, which would return "direct" for any allowed site, and a fake proxy for everything else.
Navigator Proxy Auto-Config File Format

Maybe of interest, here's a site that offers a pac script that prevents downloads from ad servers:
Bust Banner Ads with Proxy Auto Configuration

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Anyone else have any suggestions?  I want to reward points on Monday...


Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.