Cant logon interactively

I have a windows 2003 server setup and I am trying to login remotely using remote desktop. When I try to login as a normal user I get the message "the local policy of this system does not permit you to logon interactively" there are no problems logging in as administrator. I tried going into the local policy as admin and changing the "allow logon locally" right to allow the group "users" but this did not help. One thing I found curious was that when trying to "add users or groups" to the right, i click locations and all i see is the local computer, I cannot select any domain users or groups. This problem also occurs when setting access right to local files, I can only add users or groups from the local machine as opposed to domain users or groups. I need to be able to logon remotely and change file permissions so that domain users can access local files. Thanks for the help.
techdoc6Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Toni UranjekConnect With a Mentor Consultant/TrainerCommented:
OK then logon to as any domain user, or logon to different client. We will need some policy results, before we can troubleshoot original problem.
0
 
Toni UranjekConsultant/TrainerCommented:
Is this server meber server or stand alone server?

Users should be members of "Remote Desktop Users" first.

Windows 2003 Server has new setting in "User rights assignment":
"Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Terminal Services" which can be used to avoid your problem.
0
 
techdoc6Author Commented:
This is a standalone server with two windows XP Clients. The users in question are in the remote desktop users group. I am a little unclear on whether i should be working with the local policy on the clients or the group policy on the server. the error message refers to the local policy of this system.
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
Toni UranjekConsultant/TrainerCommented:
You should change policy on server.
0
 
Seelan NaidooMicrosoft Systems AdminCommented:
Check the Access this computer from network policy, add the user account to that..

run a gpupdate on the client, then RDP...

BTW: there is a new RDP client out as well, might wanna try that as well..
0
 
techdoc6Author Commented:
policies are set as follows
access this computer from the network: everyone, authenticated users...
logon locally: individual users
logon through terminal services: remote desktop users, individual users

for the logon rights I listed the users individually as well as allowing remote desktop users for terminal services, this might be a little redundant but neither one seems to be working. I should probably remove everyone from the access right, but ill tighten up the security once i can login.

another bizzare quirk is that the user I am trying to logon as is a member of the domain administrators group, but is not an admin on the local machine. I can RDP into the client machine using the local administrator account, but I get the error message when trying to logon as the user who is a member of the domain administrators group. i guess the local admin isn't subject to the domain controllers security policy since its not part of the domain?

I haven't tried the gpupdate on the client machine but I will when I get a chance later today.
0
 
Toni UranjekConsultant/TrainerCommented:
OK, I might misunderstood something, but if your server is stand alone and NOT member of your domain then consequently domain admins can not access this server.
0
 
techdoc6Author Commented:
Its a domain controller, but it is the only server in the network.
0
 
Toni UranjekConsultant/TrainerCommented:
OK, your server is DC Windows 2003, and you want to access this server from XP with RDP?

1. On your domain controller add appropriate user accounts in "Remote Desktop Users" group
2. Go to Domain Controller Security Settings and change "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Terminal Services" setting, add appropriate user account.
3. Go to command prompt and use "gpupdate /force" or wait for at least 5 minutes.
4 Go to XP client and try to connect to DC.

If not succesfull, post error message here.

0
 
techdoc6Author Commented:
sorry let me clarify, I want to logon to one of the clients with RDP. I can RDP into the server just fine, but when i try to RDP to the client it says I cannot logon interactively.
0
 
Toni UranjekConsultant/TrainerCommented:
And your XP client is domain member, and you want to access XP as which account?
0
 
techdoc6Author Commented:
the users are all members of "remote desktop users" and are listed under "Allow logon through Terminal Services" I did a "gpupdate /force"on both the client and the server, no luck.
0
 
techdoc6Author Commented:
i am using one of the user accounts listed under "remote desktop users" in the server local policy.
0
 
Toni UranjekConsultant/TrainerCommented:
We need to clarify few things. Are you trying to RDP into XP which is domain member?
0
 
techdoc6Author Commented:
yes
0
 
Toni UranjekConsultant/TrainerCommented:
OK. Then go to XP machine and add proper user account to "Remote Desktop Users" group - nothing else, because "Remotete Desktop Users" has access through policy defined by default.
What is error now, when you try to connect to XP?
0
 
techdoc6Author Commented:
still the same message

"the local policy of this system does not permit you to logon interactively"

the user was a member of the "administrators group" instead of "Remote desktop users" i think they are both granted remote logon. I changed it to "Remote desktop users" but the error message stayed the same.
0
 
Toni UranjekConsultant/TrainerCommented:
Please run this command on your XP computer "gpresult /v > gpolog.txt" and paste contents of gpolog.txt here, I would like to check wheter if other than policies are in effect.

0
 
Toni UranjekConsultant/TrainerCommented:
And you wouldn't try to connect to XP with user account which has blank password? ;)
0
 
techdoc6Author Commented:
hmm,

for some reason it wont let me run that command, it outputs the following message and the output file is blank.

INFO: The user "domainname\administrator" does not have RSOP data.
0
 
Toni UranjekConsultant/TrainerCommented:
Can you logon to XP as domain admin?
0
 
Toni UranjekConsultant/TrainerCommented:
Let me rephrase: Can you logon LOCALLY to XP as domain admin?
0
 
techdoc6Author Commented:
yea, there are no problems logging into the client computer with the domain administrator account
0
 
Toni UranjekConsultant/TrainerCommented:
And after you log in "gpresult" gives you that error!?
0
 
techdoc6Author Commented:
yea, when i rdp login to the domain admin account on the xp client computer and go to the command prompt and type "gpresult /v > gpolog.txt" i get the error "INFO: The user "domainname\administrator" does not have RSOP data."
0
 
Seelan NaidooMicrosoft Systems AdminCommented:
your Domain Admin account , is it called/named Administrator?
0
 
techdoc6Author Commented:
I can rdp login with the administrator credentials but I cant rdp login with a normal user. Locally all logins work fine
0
 
Seelan NaidooMicrosoft Systems AdminCommented:
create a test user account..

Add that user to the Remote Desktop group that exists in Active Directory.

On the server that you are trying to access, run a gpupdate from the command prompt..

Now trying to make an RDP connection, and logon with the test user account created.

Post the results..
0
 
Seelan NaidooMicrosoft Systems AdminCommented:
forget the above, i forgot its a stand anlone server..
0
 
Seelan NaidooMicrosoft Systems AdminCommented:
simply add the account as a member of the Administrators group on the XP client machine.
0
 
techdoc6Author Commented:
I wish I could edit...there is a domain controller and two clients, I am trying to rdp into the clients with the normal user account.
0
 
techdoc6Author Commented:
i tried adding the account to the local administrators group on the client, still wont let me rdp. Im not sure if the local policy the error message refers to is the policy of the client or the server.
0
 
Seelan NaidooMicrosoft Systems AdminCommented:
Local Policies -> User Rights Assignments -> Logon through terminal services policy on the XP Client , add Administrators and Domain Admins to the policy.


Also check

Local Policies -> User Rights Assignments -> Deny Logon Locally
and
Local Policies -> User Rights Assignments -> Deny logon throught Terminal Services
0
 
Seelan NaidooConnect With a Mentor Microsoft Systems AdminCommented:
Also check

Local Policies -> User Rights Assignments -> Logon Locally
0
 
techdoc6Author Commented:

Local Policy on client is set to:
"Allow Logon through terminal services": "Remote Desktop Users", "COMPUTERNAME/USERNAME", "administrators"
"Deny Logon Locally": blank
"Deny Logon Through Terminal Services": blank
"Logon Locally": "Users", "COMPUTERNAME/USERNAME", "administrators", "Guest"

I tried to add domain admins to "allow Logon through terminal services" but it wouldn't let me. It said "name not found" I tried setting the "location" to the domain but the only available option is COMPUTERNAME. It seems strange to me that i wouldn't be able to select the domain from the locations list, any ideas why the domain isn't available here? This server does not function as a "Terminal server" I am just trying to use RDP to loginto the clients, does rdp run ontop of terminal server? just curious bc im not using termainal server to serve applications or anything.

0
 
techdoc6Author Commented:
I just logged in locally (the computer not the domain) and realized something. I think the problem may be that there is a local account on the computer named the same thing as the domain account I am trying to use, I think the local policy settings were effecting the local account as opposed to the domain account. the problem is, I cant add the domain account to any groups, I also cant change any permissions regarding the domain account because the computer cannot find the domain account when i go into the add window (ie to add the user to a policy) I think I need to find out why I cannot select the domain from the "locations" section of the add window. If I could add domain objects, i could probably add the correct user to the policy and rdp in, but how can I add the domain user to the appropriate policies?
0
 
techdoc6Author Commented:
I think what it comes down to is the domain objects, therfore I have reposted a question under the title "domain objects" in the os section
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.