mbarnesseo
asked on
Domain Users receive "local Policy of this system does not allow you to log on Interactively"
Good evening everyone,
I've been working on group policies and somewhere I've messed up.
First I want to say that I've read through a few pages of current topics but nothing has helped so far.
What I've got is this:
domain.com with the following OUs. General Users, Information Systems, and Restricted Internet Access. I've moved the majority of the users to General Users and given it a gpo named general users. Same type thing for the IS OU and the Restricted Internet Access OU.
I moved the users to the general users OU this morning. Well sometime after lunch, some people tried to log back in [on a domain PC-not the domain controller] and received the above error. If I add them to Domain Admins [which I did due to the nature of our work but of course I don't want to keep them as such]
I've looked at the deny logon locally and the allow logon in the Default Domain Controllers policy and they looked fine. [Well domain users was not in the allow-I added it-and only one thing was in the deny {domain.SUPPORT_388945a0}]
I'm sure I've left some vital info out so please ask questions... Also I know very little about policies so please bear with me.
Mike
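The post checks "allow" and "deny logon locally" in the Default Domain Controllers policy, while the error appears on a domain PC. As an added example (not part of the original post), this PowerShell lists who holds those two rights in a `secedit` export taken on the affected PC; the function names, the `C:\Temp\rights.inf` path and the sample text are assumptions made for illustration.

```powershell
# Added example. Function names and the sample text are constructed for illustration.
# On the affected PC, from an elevated prompt, create the export with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# then: Get-InteractiveLogonRights -InfText (Get-Content C:\Temp\rights.inf -Raw)
function Resolve-Principal {
    param([string]$Entry)
    # secedit writes SIDs with a leading '*'; account names appear as plain text.
    if ($Entry -notmatch '^\*(S-1-[0-9-]+)$') { return $Entry }
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$sidText (unresolved)"   # e.g. a deleted account or unreachable domain
    }
}

function Get-InteractiveLogonRights {
    param([Parameter(Mandatory)][string]$InfText)
    $rights = [ordered]@{
        SeInteractiveLogonRight     = 'Allow log on locally'
        SeDenyInteractiveLogonRight = 'Deny log on locally'
    }
    $seen = @{}
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name, $value = $Matches[1], $Matches[2]
        if (-not $rights.Contains($name)) { continue }
        $seen[$name] = $true
        foreach ($entry in ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            [pscustomobject]@{ Setting = $rights[$name]; Principal = Resolve-Principal $entry }
        }
    }
    # A right with no line in the export has nobody assigned to it.
    foreach ($name in $rights.Keys) {
        if (-not $seen.ContainsKey($name)) {
            [pscustomobject]@{ Setting = $rights[$name]; Principal = '(not assigned)' }
        }
    }
}

# Constructed sample export: Administrators and Users allowed, Guests denied.
$sample = @"
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546
"@
Get-InteractiveLogonRights -InfText $sample | Format-Table -AutoSize
```

A user can log on at the console only if they, or a group they belong to, appear under "Allow log on locally" and not under "Deny log on locally"; a deny entry takes precedence over an allow entry.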
ASKER
Anyone else have any suggestions? I want to reward points on Monday...
Thanks
Mike
ASKER
Bonus question:
I've been trying to use GPOs to limit internet access. I've read a lot of the posts about the subject and decided the cheapest and easiest course of action for what I want is to use the 'fake' proxy server. However, I do want them to get to a few sites that they use for work. Unfortunately it seems that the exception list is limited to the number of characters or entries. Is there a way to increase that or have the GPO look at a text file?
I know... using an actual proxy server would be the best way... but this company will not spring for one.
thanks again
Mike