TBlackburn

asked on

security policy

I have recently changed the network in one of our offices from a workgroup to a domain. I have installed an HP server running Windows Server 2003 R2.
Prior to the change I could dial in remotely and log on to any PC as user, having previously added that user to the remote desktop users. Now when I connect I can only log on as administrator. If I try to log on as the local user the above error message appears.
I understand that the default security policy for Server 2003 is different to 2000 (which is what we have at our other office and no probs there).
I have tried adding the user to the remote desktop group in the domain but this has made no difference. I have also checked to see which users are listed in 'deny local logon'.
I would welcome any suggestion as to how to get over this security issue as I must be able to log on as local user as well as administrator.
ASKER CERTIFIED SOLUTION
Toni Uranjek

TBlackburn,

If you want an account to be granted Remote Desktop access throughout your domain, add the account to the Remote Desktop Users group in the Builtin container within Active Directory.
TBlackburn (ASKER)

I have achieved a partial solution to this problem. I have added users to the Remote Desktop Users Group but have also had to add individual users to the 'Allow logon locally'. This was because none of them were able to log on with their domain accounts; they were getting the same error message as I was when logging on as remote user. That problem has now gone but users cannot now log on to their PCs locally, i.e. not the domain.
I am attaching the gpo.txt file as suggested by toniur, hoping it will yield some clues.
I guess I also need to learn a lot more about Server 2003.
gpo.txt
There was no need to close the question if a solution is not found.

First, a question: what kind of computer is WIGAN_3?

There is your problem:

User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  ADR\Roy
                                   
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators

For all computers (apart from DCs), you configured that only Administrators can log on locally on all computers in the domain and that only Roy can log on through RDP.

What I need you to do is to revert Default Domain Policy back to original settings - both settings should be "Not defined".

Then create a new OU, move the computer accounts into this OU and define a new GPO with the following settings:

User Rights
        -----------
            GPO: NewGPO
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  Administrators, Remote Desktop Users
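
Added example, not part of the original thread or any participant's code: a Python check over a saved report in the layout quoted above that flags logon rights defined in the Default Domain Policy and a Remote Desktop logon right that omits the Remote Desktop Users group. The function names are hypothetical and both sample reports are constructed from the excerpts in the answer.

```python
import re

# Constructed samples in the layout of the report excerpts quoted above.
BEFORE = r"""User Rights
        -----------
            GPO: Default Domain Policy
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  ADR\Roy

            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
"""
AFTER = r"""User Rights
        -----------
            GPO: NewGPO
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  Administrators, Remote Desktop Users
"""
LOGON_RIGHTS = {"InteractiveLogonRight", "RemoteInteractiveLogonRight"}

def parse_user_rights(report):
    """Return (gpo, policy, [principals]) for each User Rights entry."""
    entries, gpo, policy = [], None, None
    for line in report.splitlines():
        m = re.match(r"\s*(GPO|Policy|Computer Setting):\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "GPO":
            gpo, policy = value, None
        elif key == "Policy":
            policy = value
        elif policy:  # "Computer Setting" closes the entry
            names = [n.strip() for n in value.split(",") if n.strip()]
            entries.append((gpo, policy, names))
    return entries

def audit(report):
    """Flag logon rights set domain-wide and RDP rights that omit the group."""
    findings = []
    for gpo, policy, names in parse_user_rights(report):
        if policy not in LOGON_RIGHTS:
            continue
        if gpo == "Default Domain Policy":
            findings.append((policy, "defined in Default Domain Policy"))
        if policy == "RemoteInteractiveLogonRight" and "Remote Desktop Users" not in names:
            findings.append((policy, "Remote Desktop Users group not granted"))
    return findings
```

Calling `audit(BEFORE)` returns three findings and `audit(AFTER)` returns none, which matches the state the answer asks for.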
                                   
Thank you for your further comments, which are useful. I am a novice in relation to Server 2003, as you may have guessed, and was broadly expecting local policy to be the same as Server 2000.

When you say revert default domain policy back to original settings - which two settings are you referring to? I know what a 'DC' is but what is an 'OU'?