Solved

Group policy went wrong

Posted on 2007-11-14
16
409 Views
Last Modified: 2010-03-17
At a client of ours they started getting login errors saying that a local policy restricts them from logging in locally. This all started after two things happened. Firstly, I installed WSUS on a dedicated server and set up group policy so that the clients download their updates directly from that server (nothing special); I have done this a million times on a bunch of clients and I never have any problems with it. Secondly, I created a security policy hash rule to block all Windows games. Again, nothing special. Any speculation regarding this will be helpful. If you guys need a full list of all the policies and what I set them to, then let me know!
0
Question by:technolutions
16 Comments
 
LVL 38

Expert Comment

by:ChiefIT
Denying logon locally is another Group policy all its own.

This KB article may help:
http://support.microsoft.com/kb/247989
0
 

Author Comment

by:technolutions
Okay, if my group policy isn't the culprit then what could be? BTW, if I give them local admin rights then they can login.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
> Secondly I created a security policy hash rule to block all windows games

Did you set a default rule of "Allowed", and then specifically disallowed the games in question?  Or did you set a default rule of "Disallowed", which would only allow users to run the applications that you specify?  I'm willing to bet it's the latter, which would mean that you've restricted users' ability to run system executables like lsass.exe and svchost.exe, which would prevent users from logging on.
0
 

Author Comment

by:technolutions
Good guess, but unfortunately not. I double checked and it's set to unrestricted. I'm only guessing that this is related to GPOs because that's all that changed since that started happening. Any other ideas?
0
 
LVL 9

Expert Comment

by:bigjimbo813
Click Start - Run - CMD - in the command line box run gpresult > gpresult.txt

This will give you all of your settings on a computer and you can start troubleshooting from there.

Here's a good write-up I found when looking for the gpresult switches.
http://www.microsoft.com/windowsxp/using/setup/expert/gpresults.mspx

Word of advice: when you create a new GPO (such as for WSUS), make a separate one for each rule. This way if something gets hosed, you can blow away the newest one and not have to worry about screwing up existing GPOs.
0
 
LVL 38

Expert Comment

by:ChiefIT
"BTW, if I give them local admin rights then they can login."

Do you mean if you enter them in Control Panel >> Users and Computers, they are able to log in? If that is the case, somehow, it does seem they are not a member of the domain.

When you log in as a domain member computer, it goes to AD and authenticates who has login rights. As a stand-alone client in a workgroup, they rely upon the "Users and Computers" list of authorised users. Since this is a personal computer, have you made it a domain computer? If so, you may have to rejoin the domain.
0
 
LVL 2

Expert Comment

by:kobebe
Setting "deny logon locally" via group policy objects doesn't override the local setting.
If you have that setting locally on their computers as well, open up Local Security Policy on the client and you'll see 2 columns, one of them would be "local settings" and the other "effective settings" (not sure of the exact terms, but it should be like that).
In any case, if a user wants to log on to a certain station, he should be in both columns (or disable this security setting on the local computer).
0
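The two checks above (bigjimbo813's gpresult report and kobebe's local-vs-effective view of the logon right) can be done from one elevated PowerShell prompt on an affected client. This is an added example, not code from the thread; it assumes nothing beyond gpresult.exe and secedit.exe, which ship with Windows, and uses the internal right names SeInteractiveLogonRight ("Allow log on locally") and SeDenyInteractiveLogonRight ("Deny log on locally").

```powershell
# Added example, not part of the thread: show the *effective* "Allow log on locally"
# and "Deny log on locally" rights on one client, the way secpol.msc's effective
# column does, alongside the gpresult report bigjimbo813 recommends.
# Run from an elevated PowerShell on the affected workstation (secedit needs admin).
# Assumes only what ships with Windows: gpresult.exe and secedit.exe.

# 1. RSoP text report: which GPOs actually applied to this computer.
$rsop = Join-Path $env:TEMP 'gpresult.txt'
gpresult.exe /r /scope:computer | Out-File -FilePath $rsop -Encoding utf8

# 2. Export the effective security policy. SeInteractiveLogonRight is the internal
#    name of "Allow log on locally", SeDenyInteractiveLogonRight of "Deny log on
#    locally". A match in Deny always wins over Allow.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightMembers {
    param([string]$Path, [string]$Right)
    $line = Get-Content -Path $Path | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    # Format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545  (SIDs carry a leading '*')
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $value = $_.Trim()
        if ($value.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($value.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $value }   # unresolvable SID (deleted account, unreachable DC) stays raw
        } else { $value }
    }
}

$allow = @(Get-RightMembers -Path $cfg -Right 'SeInteractiveLogonRight')
$deny  = @(Get-RightMembers -Path $cfg -Right 'SeDenyInteractiveLogonRight')

"Allow log on locally : $($allow -join ', ')"
"Deny  log on locally : $($deny  -join ', ')"

# 3. Ordinary domain users get in through BUILTIN\Users (Domain Users is nested in it
#    on a domain-joined workstation). If it is missing here, the symptom in the
#    question ("a local policy ... prevents you from logging on interactively") follows.
foreach ($group in 'BUILTIN\Users', 'BUILTIN\Administrators') {
    if ($allow -notcontains $group) { Write-Warning "$group is NOT in Allow log on locally" }
}
"RSoP report: $rsop`nPolicy export: $cfg"
```

The export shows what the machine actually enforces after domain and local policy are merged, so a group that the local secpol.msc lists but the export does not is being overridden by a domain GPO; the gpresult file then tells you which one.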
 

Author Comment

by:technolutions
ChiefIT:That's when I add them via users in control panel locally yes.
kobebe:Checked that as well, all perfect.

I'm starting to think that this is not related to group policy anymore but what could it possibly be?!
0
 
LVL 38

Expert Comment

by:ChiefIT
OK:

Since you are beginning to believe this is not a policy setting, let's try something off the beaten path. It may be cached credentials on the client computer.

Do you have any access, as an administrator, to that computer?

If so, go to Control Panel >> Users and Computers >> Advanced button, click on saved passwords, and remove all saved passwords.

Domain policy will override local policy only if this computer is a domain computer.

With that said, since the error says "a local policy is preventing log on locally", that still sounds like a Group Policy Object. But this sounds like a policy located on the client computer, not the domain controller.

The client machines have limited server capabilities. You can look at group policy on the local machine in a similar way to the server, if you can log on to the client machine as an administrator. You can fix this by following these instructions:

Click on the Start button, and select Run:
Type in MMC and press the Enter button:
Select Add/Remove Snap-in
Click Add
Select the Local Policy icon and click Apply

You can use the above server link to navigate to the "logon locally" policy object.

Just make sure it permits logon locally. I can't see why the logon locally policy object would be on the client. I am sitting at home on my server and can't confirm the existence of the Logon Locally policy object.

If you can not log on to the machine, and have no access at all, let us know. There are local password resets that we can provide you.
0
 

Author Comment

by:technolutions
Great brainwave, but there is only one problem: this is happening on all the client computers. That's around 50 of them. I'm considering disabling all the group policies but that's not really an option on this network. I looked through all of them and I still can't find anything wrong with them.
0
 
LVL 38

Expert Comment

by:ChiefIT
This is almost certainly a default domain policy or a group policy set to all clients. You will find these policies on your domain controller. The policy you are looking for is the logon locally policy.

I would check the default domain policy first. Do you have member servers that you log on locally to? If not, you are logging on using domain credentials and forgo the default domain policy.

To check the client computer policy, check the client computer OU for policy objects attached to that OU.

***NOTE: The USERS and COMPUTERS folders in active directory are not OU (organizational Unit) folders. Instead, they are CN (control Name) folders. To administer a policy object on Users and Computers, another OU folder would have to have been created. So, if you have all of your users and computers in the default folder Group Policy will not work. Bottom line is, if your users and computers are in the original Users and Computers folder, then you have a default domain policy that is preventing you from logging on locally. ***

0
 

Author Comment

by:technolutions
Sounds like you may be on to something. I found the policy that you were talking about and I want to check with you first before making any major changes. I have the following user groups listed in the log on locally group policy.

Account Operators
Administrators
Backup Operators
Domain\IUSR_DCNAME
Domain\IUSR_ExchangeSVRNAME
Print Operators
Server Operators

What should this be and wouldn't this apply to servers as well?
0
 
LVL 38

Expert Comment

by:ChiefIT
You definitely hit the spot!!!

First off:
There are two possible answers to your above question:
1) A default domain policy will affect all clients and servers that are on the domain.
2) A group policy object will affect the OU (organizational unit) that the policy is applied to.

NOW, DOES ANYONE ELSE WANT TO BUTT IN??

Since this is a domain policy, and not a group policy, the list of folks you provided will be the only ones capable of logging on locally. But we have to ask, what sense do these groups make? This policy gives domain users and domain Exchange users the right to log on locally. It is also using AD administrators, AD account operators, AD backup operators, AD print operators, and AD server operators the ability to log on locally. These are Active Directory groups, not client groups. So, when you are trying to log on locally, you are using domain credentials to be granted permissions of the policy to log on locally. HMMMM, I don't think anyone can log on locally?? Do you follow where I am going with this?

Account Operators
Administrators
Backup Operators
Domain\IUSR_DCNAME
Domain\IUSR_ExchangeSVRNAME
Print Operators
Server Operators
0
 

Author Comment

by:technolutions
I see what you're saying and it makes perfect sense. Well done! But before we close this one off, what group should I add there? Best practice wise. Also, note that the default domain policy is not enforced but it is linked to my other GPO if that matters. I'll accept your solution on your next reply.
0
 
LVL 38

Expert Comment

by:ChiefIT
That's the question of the day and is also where I was hoping someone else would butt in and provide their input.

I am thinking the Everyone group.

Truthfully, this policy shouldn't exist. Requiring domain permissions to surpass the GPO and be granted the ability to log on locally is counteractive. The logon locally policy should be a computer-based policy, not a domain user policy. And you should have to specify individual computers, not users, that can log on locally.

Example: Either you can log on locally or you are denied on that particular computer.

I am not at my domain. So, maybe someone can navigate to that policy and tell you what the default settings are for that policy object.

I hope this helps
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
OK:

The KB article I posted on the original reply to this post should help.

http://support.microsoft.com/kb/247989

It explains what groups should be on that policy.
You may need to put TSinternetuser group along with Authenticated users, or Users, or Everyone, or other groups that depend on the type of logging on you wish to do. So, I believe I was right in assuming the Everyone group will work for the Group Policy Object.

I hope this helps.

0
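The accepted answer and ChiefIT's earlier note about the default Users and Computers containers can both be checked from the domain side before touching anything. This is an added, read-only example and not code from the thread: it lists which domain-root GPOs define "Allow log on locally" and with which members, then lists computers still in CN=Computers, where only domain-linked GPOs can reach them. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, and the "expected" group list is an assumption to be replaced with the standard KB 247989 gives for the client's own setup; the change itself is made in GPMC.

```powershell
# Added example, not part of the thread: audit "Allow log on locally" in every GPO
# linked at the domain root (the Default Domain Policy normally is) and list the
# computers still sitting in the default CN=Computers container, which no OU-linked
# GPO can reach (ChiefIT's OU vs CN point). Read-only; the fix itself is made in
# GPMC as KB 247989 describes. Needs RSAT: the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ad       = Get-ADDomain
$domainDn = $ad.DistinguishedName

# Groups a workstation needs in this right for ordinary domain users to log on.
# This is an assumption for the example; match it to the client's own standard.
$expected = 'Users', 'Administrators'

# 1. Walk the domain-root links in precedence order.
foreach ($link in (Get-GPInheritance -Target $domainDn).GpoLinks) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml -Domain $ad.DNSRoot
    # User-rights assignments sit under Computer > Security settings; local-name()
    # sidesteps the namespace prefixes the report uses.
    $xpath = "//*[local-name()='UserRightsAssignment'][*[local-name()='Name']='SeInteractiveLogonRight']"
    $ura   = Select-Xml -Xml $report -XPath $xpath
    $state = "Enabled={0}, Enforced={1}" -f $link.Enabled, $link.Enforced
    if (-not $ura) {
        "{0} ({1}): does not set 'Allow log on locally'" -f $link.DisplayName, $state
        continue
    }
    $members = @($ura.Node.ChildNodes |
        Where-Object { $_.LocalName -eq 'Member' } |
        ForEach-Object { $_.SelectSingleNode("*[local-name()='Name']").InnerText })
    "{0} ({1}) grants 'Allow log on locally' to: {2}" -f $link.DisplayName, $state, ($members -join ', ')

    # Compare on the leaf name so 'BUILTIN\Users' and 'Users' both count as Users.
    $leaves  = $members | ForEach-Object { ($_ -split '\\')[-1] }
    $missing = $expected | Where-Object { $leaves -notcontains $_ }
    if ($missing) {
        Write-Warning ("{0}: workstations covered by this GPO lose log on for: {1}" -f $link.DisplayName, ($missing -join ', '))
    }
}

# 2. Computers in CN=Computers have no OU, so only the domain-level GPOs above apply.
$container = "CN=Computers,$domainDn"
$orphans   = @(Get-ADComputer -Filter * -SearchBase $container -SearchScope OneLevel |
               Select-Object -ExpandProperty Name)
"{0} computer(s) in {1}: {2}" -f $orphans.Count, $container, ($orphans -join ', ')
```

A user-rights assignment defined at the domain root replaces, rather than merges with, the local list on every member, which is why a list built for domain controllers (Account Operators, Server Operators, IUSR accounts) locks ordinary users out of 50 workstations at once; the warning line flags exactly that case.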
