Solved

Interactive Logon not Allowed windows 2003 ADS

Posted on 2007-11-29
11
3,355 Views
Last Modified: 2013-12-04
Please read question carefully first !!!

1. I have a Domain Controller DC1 up and running
2. I created a user 'Aditya' in 'Manager' OU. (He is Member of Domain Users)
3. No GPO is applied on the OU Manager
4. One client PC1 is joined to domain.
5. I can normally logon to domain through PC1 using UID: Aditya (Physically sitting on the client PC1)
6. Now, I am on PC2 in the same network which is not joined to domain, Here I RDP to PC1 where I select UID: Aditya and enter password and Choose Domain DC1 (instead of 'PC1 this computer')
7. This time I can't logon it says "The local policy of this system does not permit you to logon interactively"
8. Then I changed such as Aditya = Member of Domain Administrators + Domain Users and then I can logon correctly using the same way described in step 6
9. I have also done these steps http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q247/9/89.ASP&NoWebContent=1#appliesto
and disabled Smartcard use for logon.
Where I am missing....
0
Comment
Question by:sunilcomputer
11 Comments
 
LVL 21

Accepted Solution

by:
from_exp earned 100 total points
ID: 20373358
it looks like you should configure pc1 remote access to allow domain user Aditya logon via remote desktop
properties of my computer - remote - select remote users
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20373366
So you have a user ID that can log onto the workstation when sitting in front of the console, but not when attempting to RDP, correct?  Confirm that the user in question is a member of the Remote Desktop Users group on the PC or been granted equivalend rights, as discussed here: http://support.microsoft.com/kb/289289
0
 
LVL 5

Assisted Solution

by:balmasri
balmasri earned 50 total points
ID: 20373459
check the following:
Aditya is added to users allowed to use remote desktop on the remote tab
add Aditya to the Local Group on PC1 Remote desktop users
Check the group policy object which linked to the OU where PC1 is resides on and add the account Aditya to the following items [ it's better to add remote desktop users group ]:
allow logon through terminal services.
allow logon locally.
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 7

Author Comment

by:sunilcomputer
ID: 20373506
from_exp:
The user Aditya is a user on the domain DC1 not on PC1 and hence can't be added to RDP users on PC1 and there is also no group exists "Domain Users" on PC1. In your situation shall I need to add all of my hundreds of users to all the systems joined to domain.
Another thing while on the when domain I set Aditya = Domain Administrator it lets me log in perfectly through PC1 using RDP.

LauraEHunterMVP:
1. I have full Admin Rights on the Workstation PC1 and can easily RDP PC1(Local Machine) as well
2. I have a domain user Aditya which can logon to DC1 sitting physically on the workstation PC1
3. But when the user Aditya sits on another system PC2 (which is not joined to domain) he RDP to PC1 using following credentials:
Username: Aditya
Password: 141741x
Domain: DC1
then the message comes up.
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20373613
if PC1 is a member of a domain, you CAN add domain userAditya  to local remote desktop users group.
0
 
LVL 3

Assisted Solution

by:dbarker2
dbarker2 earned 50 total points
ID: 20374178
You must on PC1 either add Aditya to the Remote desktop user group or the Local Administrator group.
0
 
LVL 7

Author Comment

by:sunilcomputer
ID: 20380962
I added Aditya to RDP Users on DC1
Then it started allowing Aditya to logon to DC1. Working scenario is following:
Aditya is sitting on PC2
He RDP to PC1 using Followinf Credentials:
Username: Aditya
Password: 141741x
Domain: DC1
Now another error message comes up that ......you are not allowed to logon to this session.
Another problem this way is once the user Aditya is a member of RDP Users on the domain he can directly RDP to DC1 without using PC1.

My Requirement is:
I need to logon Aditya on PC1 using his domain account (Physically sitting on PC1).
I need to logon Aditya on PC1 using his domain account (Physically sitting on PC2) where all the GPOs will be applied on the PC1\Aditya. (As I use do using VNC applications)
The user Aditya may be out of Network on a wan link. Aditya has the admin password of PC1
Router is properly configured & he can RDP to PC1 with no probs.
Aditya should never be able to RDP to DC1 directly he should only be able to logon to PC1.

Regards
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20381056
you should add user Aditya  to the local remote desktop users group on PC1, not on the DC
0
 
LVL 7

Author Comment

by:sunilcomputer
ID: 20381097
Domain users are not listed in PC1 to be added in RDP Users.
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20381162
wrong.
start-control panel-administrative tools- computer management-local users and groups-groups-remote desktop users-add-advanced-find now.
you'll get the list of ALL users and groups available in the domain
you should be logged in to the pc1 with administrative rights to do that
0
 
LVL 7

Author Closing Comment

by:sunilcomputer
ID: 31411649
I discovered It was a DNS Issue. Finally I added the user to RDP group in PC1 and it worked.
Thanks you all.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
NTP time source for DC 3 53
Password change / expire 4 41
DNS problems and now some PC can't connect to \\servername 14 46
Group Policy - Setting deafult Home Page 3 26
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question