"The local policy of this system does not permit you to logon interactively"

Hi all,

I have an urgent problem.

"The local policy of this system does not permit you to logon interactively"

Most if not all computers on my 2003 domain controller are not allowing users to log on (the administrator can log on to any client). The SIDs below are showing in the local policies ("Administrative Tools/Local Security Policy. Expand Local Policies and click on User Rights Assignment. Double click on the 'Log on locally' right") instead of DOMAIN\GROUP as normal on the XP clients. The buttons for adding etc. are greyed out and the SIDs are also listed, for example, as *S-1-5-32-548.

SID: S-1-5-32-548
Name: Account Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.

SID: S-1-5-32-549
Name: Server Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.

SID: S-1-5-32-550
Name: Print Operators
Description: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.

The issue occurred in two different aspects, and I do believe it was total foolishness on my part that caused this error.

Please Help ASAP.
SPOued Commented:
Default domain and Domain Controller policies cannot be deleted.
So, if you've deleted all other GPOs, it means that the machines are only getting their settings through these remaining two GPOs.
My suggestion would be that you make sure that the default domain policy does not contain any entries in the "user rights assignment" and "security options" containers.
Now, in the default domain controller policy, make sure that everyone (or authenticated users) have the right "access this computer from the network" in the "user rights assignment"...
And try again...
What did you do exactly? Did you check your Domain and Domain Controller GPOs for user rights?
Make sure there is no setting preventing users from logging on to their local machines under the domain GPO...
CyberIDentity (Author) Commented:
Well, I am not sure I did anything; I just can't say 100% that I did not, but let me explain what I think I did.

I was browsing through the GPOs looking for anything that may be preventing some laptop users from doing some other task, and because I had to redo the GPOs anyway (they were very messy),

I backed up all the GPOs to a directory and then deleted the GPOs (OMG, I know). Then I shut down the BDC to see if the PDC could serve, and at this point everything went to crap.

I would love to get myself back to a neutral state; however, I have removed all policy in the domain except for the Default Domain Policy and the Default Domain Controllers Policy (which the server will not let me delete, so I have disabled them instead).

Is there any way to remove all GPOs and have the server recreate the default ones?

It is worth noting that I have a system state backup less than 60 days old, but I've never done one of those and would prefer to recover from this any other way I can.


CyberIDentity (Author) Commented:
Can you suggest any particular policy entries that would stop the users logging on that are not blazingly obvious?
CyberIDentity (Author) Commented:
I have tried re-adding a problem workstation to the domain; however, this has not helped.

A curious thing has occurred: I created a new standard user and could not log on; when I added them to the Administrators group I could log on to the workstation. Why can't I see what this means?
Also check which Group policy settings are being applied to the users by running GPOResult at a command line...
c:\>gpresult /user johndoe /v
Check also in the local GPO of each computer you're accessing...
If you have a spare server, make it a DC, then take it off the network and do the restore.  You now will have your original settings that can be applied to your domain without the loss of anything new that has changed since the last backup.  Once complete, do a dcpromo /forceremoval to make the computer a member server again, then put it back on the network and re-add it to the domain.
CyberIDentity (Author) Commented:
The problem is in the Default Domain Controllers Policy; where exactly, I have no idea.

I have done a very long process of elimination, and whenever the Default Domain Controllers Policy is linked to the DOMAIN it causes the SIDs to show on the workstations and they deny logon; disable it (my mail server cries) and the users can log on.

While I can do the above suggestion and restore (I do not mind admitting it is a daunting thought), I think it is possible to recover by finding the setting that may be causing the issue.

I have a question: whilst looking through the DDCP I noticed what I thought was strange, and that is that there are policy items that are ticked/configured but have no entries, that is, no groups/users added to the item, just a tick in the enable box. Is this normal?

CyberIDentity (Author) Commented:
That is to say that it is either defined or not configured, not just ticked with no further groups or users added, right?
CyberIDentity (Author) Commented:
As I head to bed, I hope that adding the domain\domain users and users groups to the Default Domain Policy for "Access this computer from the network" and "Log on locally" will allow users to log on in the morning. Even if this works, I don't understand a few things and still need to figure out why the SIDs are showing in the local policy on the XP clients.

ocon827679 Commented:
I hope this isn't a dup - my connection dropped on my last submission.
The reason why you are seeing the SIDs is because the workstation cannot talk to AD to get the associated user name.

Users do not need "access this computer from the network" for workstations unless you are sharing resources from the workstation.

I do not understand your reluctance to restore.  If you can restore to a domain controller that can be disconnected from the network (therefore no replication to other DCs) you can set the systems side-by-side and recreate your GPO's.   By the time you figure out all of those policies, you could have restored, gotten drunk, dealt with the hangover, and moved on to bigger and better things.  

If you really want to dig into this, then set up a test environment, transfer the mess, and take your time figuring out what affects what.

OK - I said this in the last post also - I'll shut up now!  :-)
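Added example, not part of the thread: an offline Python audit of the "Log on locally" right (SeInteractiveLogonRight) as exported by `secedit /export /cfg <file>` from an affected client. It parses the [Privilege Rights] section, names the SIDs it knows from a small constructed table of well-known BUILTIN SIDs, and flags the failure mode the thread describes: a user right defined in a GPO replaces the local list rather than merging with it, so when the Default Domain Controllers Policy reaches a workstation its holders (Administrators, Account Operators, Backup Operators, Print Operators, Server Operators) push out Users, and the three DC-only groups cannot be resolved locally and show as bare SIDs. The sample INF text is constructed, not a real export.

```python
"""Offline audit of SeInteractiveLogonRight from a `secedit /export /cfg <file>` INF."""

# Constructed sample (not a real export): the [Privilege Rights] section as it
# would look on an XP client that received the Default Domain Controllers Policy.
SAMPLE_INF = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
"""

# Subset of well-known SIDs; True marks groups that exist only on domain controllers.
WELL_KNOWN = {
    "S-1-1-0": ("Everyone", False),
    "S-1-5-11": ("Authenticated Users", False),
    "S-1-5-32-544": ("Administrators", False),
    "S-1-5-32-545": ("Users", False),
    "S-1-5-32-548": ("Account Operators", True),
    "S-1-5-32-549": ("Server Operators", True),
    "S-1-5-32-550": ("Print Operators", True),
    "S-1-5-32-551": ("Backup Operators", False),
}

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} taken from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # section header
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights

def audit_interactive_logon(inf_text):
    """Classify every holder of 'Log on locally' and flag the two symptoms from the thread."""
    holders = parse_privilege_rights(inf_text).get("SeInteractiveLogonRight", [])
    report = {"resolved": {}, "dc_only": [], "unresolved": [], "users_missing": True}
    for holder in holders:
        sid = holder[1:] if holder.startswith("*") else None   # secedit prefixes SIDs with '*'
        name, dc_only = WELL_KNOWN.get(sid, (holder if sid is None else None, False))
        if name is None:
            report["unresolved"].append(sid)          # would appear as a bare SID in the MMC
            continue
        report["resolved"][sid or name] = name
        report["dc_only"] += [sid] if dc_only else []  # cannot be resolved on a workstation
        if name.lower() == "users":
            report["users_missing"] = False           # standard users can still log on
    return report
```

On a real client, export with `secedit /export /cfg C:\policy.inf` and pass the file contents to `audit_interactive_logon`; a non-empty `dc_only` list together with `users_missing` is the signature of the DDCP having been applied to a workstation.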