Solved

Can't logon interactively

Posted on 2006-11-29
37
352 Views
Last Modified: 2010-04-18
I have a Windows 2003 server set up and I am trying to log in remotely using Remote Desktop. When I try to log in as a normal user I get the message "the local policy of this system does not permit you to logon interactively"; there are no problems logging in as administrator. I tried going into the local policy as admin and changing the "allow logon locally" right to allow the group "users", but this did not help. One thing I found curious was that when trying to "add users or groups" to the right, I click Locations and all I see is the local computer; I cannot select any domain users or groups. This problem also occurs when setting access rights to local files: I can only add users or groups from the local machine as opposed to domain users or groups. I need to be able to log on remotely and change file permissions so that domain users can access local files. Thanks for the help.
0
Comment
Question by:techdoc6
37 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18035374
Is this server a member server or a stand-alone server?

Users should be members of "Remote Desktop Users" first.

Windows 2003 Server has a new setting in "User rights assignment":
"Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Terminal Services" which can be used to avoid your problem.
0
 

Author Comment

by:techdoc6
ID: 18038981
This is a standalone server with two Windows XP clients. The users in question are in the Remote Desktop Users group. I am a little unclear on whether I should be working with the local policy on the clients or the group policy on the server. The error message refers to the local policy of this system.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18039116
You should change policy on server.
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 18039349
Check the Access this computer from network policy, add the user account to that..

run a gpupdate on the client, then RDP...

BTW: there is a new RDP client out as well, might wanna try that as well..
0
 

Author Comment

by:techdoc6
ID: 18039967
Policies are set as follows:
access this computer from the network: everyone, authenticated users...
logon locally: individual users
logon through terminal services: remote desktop users, individual users

For the logon rights I listed the users individually as well as allowing remote desktop users for terminal services. This might be a little redundant, but neither one seems to be working. I should probably remove everyone from the access right, but I'll tighten up the security once I can log in.

Another bizarre quirk is that the user I am trying to log on as is a member of the domain administrators group, but is not an admin on the local machine. I can RDP into the client machine using the local administrator account, but I get the error message when trying to log on as the user who is a member of the domain administrators group. I guess the local admin isn't subject to the domain controller's security policy since it's not part of the domain?

I haven't tried the gpupdate on the client machine but I will when I get a chance later today.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18040059
OK, I might have misunderstood something, but if your server is stand-alone and NOT a member of your domain, then consequently domain admins cannot access this server.
0
 

Author Comment

by:techdoc6
ID: 18040407
It's a domain controller, but it is the only server in the network.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18043366
OK, your server is DC Windows 2003, and you want to access this server from XP with RDP?

1. On your domain controller add appropriate user accounts in "Remote Desktop Users" group
2. Go to Domain Controller Security Settings and change "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Terminal Services" setting, add appropriate user account.
3. Go to command prompt and use "gpupdate /force" or wait for at least 5 minutes.
4. Go to XP client and try to connect to DC.

If not successful, post error message here.

0
 

Author Comment

by:techdoc6
ID: 18043376
Sorry, let me clarify: I want to log on to one of the clients with RDP. I can RDP into the server just fine, but when I try to RDP to the client it says I cannot logon interactively.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18043407
And your XP client is domain member, and you want to access XP as which account?
0
 

Author Comment

by:techdoc6
ID: 18043412
The users are all members of "remote desktop users" and are listed under "Allow logon through Terminal Services". I did a "gpupdate /force" on both the client and the server, no luck.
0
 

Author Comment

by:techdoc6
ID: 18043425
I am using one of the user accounts listed under "remote desktop users" in the server local policy.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18043434
We need to clarify a few things. Are you trying to RDP into XP which is a domain member?
0
 

Author Comment

by:techdoc6
ID: 18043437
yes
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18043462
OK. Then go to the XP machine and add the proper user account to the "Remote Desktop Users" group - nothing else, because "Remote Desktop Users" has access through policy defined by default.
What is the error now, when you try to connect to XP?
0
 

Author Comment

by:techdoc6
ID: 18043710
still the same message

"the local policy of this system does not permit you to logon interactively"

The user was a member of the "administrators group" instead of "Remote desktop users"; I think they are both granted remote logon. I changed it to "Remote desktop users" but the error message stayed the same.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18044209
Please run this command on your XP computer "gpresult /v > gpolog.txt" and paste the contents of gpolog.txt here; I would like to check whether other policies are in effect.

0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18044389
And you wouldn't try to connect to XP with user account which has blank password? ;)
0
 

Author Comment

by:techdoc6
ID: 18052235
Hmm,

for some reason it won't let me run that command; it outputs the following message and the output file is blank.

INFO: The user "domainname\administrator" does not have RSOP data.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18052255
Can you logon to XP as domain admin?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18052262
Let me rephrase: Can you logon LOCALLY to XP as domain admin?
0
 

Author Comment

by:techdoc6
ID: 18052291
yea, there are no problems logging into the client computer with the domain administrator account
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18052307
And after you log in "gpresult" gives you that error!?
0
 

Author Comment

by:techdoc6
ID: 18052334
Yea, when I RDP login to the domain admin account on the XP client computer and go to the command prompt and type "gpresult /v > gpolog.txt" I get the error "INFO: The user "domainname\administrator" does not have RSOP data."
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 300 total points
ID: 18052356
OK, then log on as any domain user, or log on to a different client. We will need some policy results before we can troubleshoot the original problem.
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 18054435
Your Domain Admin account, is it called/named Administrator?
0
 

Author Comment

by:techdoc6
ID: 18054458
I can RDP login with the administrator credentials but I can't RDP login with a normal user. Locally all logins work fine.
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 18054466
create a test user account..

Add that user to the Remote Desktop group that exists in Active Directory.

On the server that you are trying to access, run a gpupdate from the command prompt..

Now try to make an RDP connection, and log on with the test user account created.

Post the results..
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 18054476
Forget the above, I forgot it's a stand-alone server..
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 18054496
simply add the account as a member of the Administrators group on the XP client machine.
0
 

Author Comment

by:techdoc6
ID: 18054514
I wish I could edit... there is a domain controller and two clients; I am trying to RDP into the clients with the normal user account.
0
 

Author Comment

by:techdoc6
ID: 18054574
I tried adding the account to the local administrators group on the client; it still won't let me RDP. I'm not sure if the local policy the error message refers to is the policy of the client or the server.
0
 
LVL 10

Expert Comment

by:SeanUK777
ID: 18054647
Local Policies -> User Rights Assignments -> Logon through terminal services policy on the XP client: add Administrators and Domain Admins to the policy.


Also check

Local Policies -> User Rights Assignments -> Deny Logon Locally
and
Local Policies -> User Rights Assignments -> Deny logon through Terminal Services
0
 
LVL 10

Assisted Solution

by:SeanUK777
SeanUK777 earned 200 total points
ID: 18054655
Also check

Local Policies -> User Rights Assignments -> Logon Locally
0
 

Author Comment

by:techdoc6
ID: 18056356

Local Policy on client is set to:
"Allow Logon through terminal services": "Remote Desktop Users", "COMPUTERNAME/USERNAME", "administrators"
"Deny Logon Locally": blank
"Deny Logon Through Terminal Services": blank
"Logon Locally": "Users", "COMPUTERNAME/USERNAME", "administrators", "Guest"

I tried to add domain admins to "allow Logon through terminal services" but it wouldn't let me. It said "name not found". I tried setting the "location" to the domain but the only available option is COMPUTERNAME. It seems strange to me that I wouldn't be able to select the domain from the locations list; any ideas why the domain isn't available here? This server does not function as a "Terminal server"; I am just trying to use RDP to log into the clients. Does RDP run on top of terminal server? Just curious because I'm not using terminal server to serve applications or anything.

0
 

Author Comment

by:techdoc6
ID: 18056443
I just logged in locally (the computer not the domain) and realized something. I think the problem may be that there is a local account on the computer named the same thing as the domain account I am trying to use; I think the local policy settings were affecting the local account as opposed to the domain account. The problem is, I can't add the domain account to any groups. I also can't change any permissions regarding the domain account because the computer cannot find the domain account when I go into the add window (i.e. to add the user to a policy). I think I need to find out why I cannot select the domain from the "locations" section of the add window. If I could add domain objects, I could probably add the correct user to the policy and RDP in, but how can I add the domain user to the appropriate policies?
0
 

Author Comment

by:techdoc6
ID: 18056923
I think what it comes down to is the domain objects, therefore I have reposted a question under the title "domain objects" in the OS section.
0
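
The user-rights checks suggested in this thread, and the local-versus-domain account mix-up the asker describes at the end, can be checked offline against a policy export. This is an added example, not part of the original posts: it assumes the client's rights were exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and the account name jsmith, both account SIDs and the sample export are constructed.

```python
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-555": "Remote Desktop Users",
}
ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services
# Constructed sample export; jsmith and the two account SIDs below are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-545,*S-1-5-32-544,Guest
SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-32-544,*S-1-5-21-1111-2222-3333-1005
SeDenyRemoteInteractiveLogonRight =
"""
LOCAL_JSMITH = "S-1-5-21-1111-2222-3333-1005"   # COMPUTERNAME/jsmith (machine SID prefix)
DOMAIN_JSMITH = "S-1-5-21-7777-8888-9999-1104"  # DOMAIN/jsmith (domain SID prefix)

def parse_privilege_rights(inf_text):
    """Return {right: set of SIDs/names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def rdp_logon_decision(rights, token_sids):
    """token_sids: the user's own SID plus the SIDs of every group in the logon token."""
    token = set(token_sids)
    denied = token & rights.get(DENY, set())
    if denied:
        return False, "denied by " + ", ".join(sorted(denied))   # deny overrides allow
    allowed = token & rights.get(ALLOW, set())
    if allowed:
        return True, "allowed via " + ", ".join(WELL_KNOWN.get(s, s) for s in sorted(allowed))
    return False, "no SID in the token holds " + ALLOW

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    for label, token in [("local jsmith", {LOCAL_JSMITH, "S-1-5-32-545"}),
                         ("domain jsmith", {DOMAIN_JSMITH, "S-1-5-32-545"}),
                         ("domain jsmith in RDU", {DOMAIN_JSMITH, "S-1-5-32-555"})]:
        print(label, rdp_logon_decision(rights, token))
```

The second case is the one the asker ran into: the policy entry names the local account, so the same-named domain account, which has a different SID, matches nothing until its own SID or one of its groups is granted the right.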
