security policy

I have recently changed the network in one of our offices from a workgroup to a domain. I have installed an HP server running Windows Server 2003 R2.
Prior to the change I could dial in remotely and log on to any PC as user, having previously added that user to the remote desktop users. Now when I connect I can only log on as administrator. If I try to log on as the local user the above error message appears.
I understand that the default security policy for Server 2003 is different to 2000 ( which is what we have at our other office and no probs there).
I have tried adding the user to the remote desktop group in the domain but this has made no difference. I have also checked to see which users are listed in 'deny local logon'.
I would welcome any suggestion as to how to get over this security issue, as I must be able to log on as a local user as well as administrator.
Toni Uranjek (Consultant/Trainer) commented:

Go to the command prompt on the computer that reports the error. Run "gpresult /z > gpo.txt" and post the text file here. This command will make a log of how your policies are configured and may reveal an error in your configuration.

You can also check whether the users are members of any group that has "Allow logon through Terminal Services". This setting is new on Windows 2003 servers. Users don't need the "Allow logon locally" right anymore.


If you want an account to be granted Remote Desktop access throughout your domain, add the account to the Remote Desktop Users group in the Builtin container within Active Directory.
TBlackburn (Author) commented:
I have achieved a partial solution to this problem: I have added users to the Remote Desktop Users group, but have also had to add individual users to 'Allow logon locally'. This was because none of them were able to log on with their domain accounts; they were getting the same error message as I was when logging on as a remote user. That problem has now gone, but users cannot now log on to their PCs locally, i.e. not to the domain.
I am attaching the gpo.txt file as suggested by toniur, hoping it will yield some clues.
I guess I also need to learn a lot more about Server 2003.
TBlackburn (Author) commented:
See new post
Toni Uranjek (Consultant/Trainer) commented:
There was no need to close the question if a solution is not found.

First, a question: what kind of computer is WIGAN_3?

There is your problem:

User Rights
            GPO: Default Domain Policy
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  ADR\Roy
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators

For all computers (apart from DCs) you have configured that only Administrators can log on locally on all computers in the domain and that only Roy can log on through RDP.

What I need you to do is to revert Default Domain Policy back to its original settings: both settings should be "Not defined".

Then create a new OU, move the computer accounts into this OU and define a new GPO with the following settings:

User Rights
            GPO: NewGPO
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  Administrators, Remote Desktop Users
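As an added example (not from the thread or from either poster), the following Python script parses a "User Rights" excerpt laid out like the gpresult /z output above and flags the problems Toni describes: logon rights defined in Default Domain Policy (so they hit every computer in the domain), "Allow log on locally" held by Administrators only, and "Remote Desktop Users" absent from the Terminal Services logon right. A second constructed sample shows the recommended NewGPO configuration and passes clean. Both samples are constructed here; the parser's assumptions about the layout (a "User Rights" heading followed by more-indented GPO / Policy / Computer Setting lines, and the policy names spelled as in the thread) are my own, so treat it as an audit aid to run against a real gpo.txt rather than an official tool.

```python
"""Audit the 'User Rights' section of a gpresult /z report for the logon-right
misconfiguration discussed in the thread. Sample data is constructed to mirror
the excerpt posted there; the layout assumptions are the author's of this
example, not part of the thread."""
from typing import List, Tuple

# Constructed sample: the Default Domain Policy settings posted in the thread.
SAMPLE_REPORT = r"""
User Rights
            GPO: Default Domain Policy
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  ADR\Roy
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators
Security Options
            (unrelated section, must not be parsed as a user right)
"""

# Constructed sample: the recommended configuration from the thread
# (Default Domain Policy left 'Not defined', NewGPO on a workstation OU).
FIXED_REPORT = r"""
User Rights
            GPO: NewGPO
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  Administrators, Remote Desktop Users
"""

# Policy names as they appear in the thread's excerpt, mapped to the
# friendly names shown in the Group Policy editor.
WATCHED_RIGHTS = {
    "InteractiveLogonRight": "Allow log on locally",
    "RemoteInteractiveLogonRight": "Allow log on through Terminal Services",
}


def parse_user_rights(report: str) -> List[Tuple[str, str, List[str]]]:
    """Return (gpo, policy, accounts) for each entry under 'User Rights'.

    The section ends at the next non-blank line whose indentation is not
    deeper than the 'User Rights' heading itself."""
    entries = []
    header_indent = None
    gpo = policy = None
    for raw in report.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if header_indent is None:
            if line == "User Rights":
                header_indent = indent
            continue
        if indent <= header_indent:
            break  # reached the next top-level heading
        if line.startswith("GPO:"):
            gpo = line.split(":", 1)[1].strip()
        elif line.startswith("Policy:"):
            policy = line.split(":", 1)[1].strip()
        elif line.startswith("Computer Setting:"):
            accounts = [a.strip() for a in line.split(":", 1)[1].split(",") if a.strip()]
            entries.append((gpo, policy, accounts))
    return entries


def audit(report: str) -> List[str]:
    """Return human-readable findings; an empty list means no issue found."""
    findings = []
    for gpo, policy, accounts in parse_user_rights(report):
        if policy not in WATCHED_RIGHTS:
            continue
        name = WATCHED_RIGHTS[policy]
        who = ", ".join(accounts)
        if gpo == "Default Domain Policy":
            findings.append(
                f"{policy}: '{name}' is set in Default Domain Policy ({who}), so it applies "
                "to every computer in the domain; leave it 'Not defined' there and set it in "
                "a GPO linked to a workstation OU.")
        if policy == "InteractiveLogonRight" and set(accounts) == {"Administrators"}:
            findings.append(
                f"{policy}: only Administrators may log on locally; ordinary domain users "
                "will be refused at the console.")
        if policy == "RemoteInteractiveLogonRight" and "Remote Desktop Users" not in accounts:
            findings.append(
                f"{policy}: 'Remote Desktop Users' is not granted the right, so adding users "
                f"to that group has no effect; the right is held only by {who}.")
    return findings


if __name__ == "__main__":
    for label, report in (("as posted", SAMPLE_REPORT), ("recommended", FIXED_REPORT)):
        print(f"== {label}: {len(audit(report))} finding(s)")
        for finding in audit(report):
            print(" -", finding)
```

To audit a real machine, replace SAMPLE_REPORT with the contents of the gpo.txt produced by gpresult /z; anything the script flags in Default Domain Policy is a setting that reaches domain controllers and workstations alike, which is why the recommended fix scopes the right to an OU instead.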
TBlackburn (Author) commented:
Thank you for your further comments, which are useful. I am a novice in relation to Server 2003, as you may have guessed and was broadly expecting local policy to be the same as Server 2000.

When you say revert default domain policy back to original settings, which two settings are you referring to? I know what a 'DC' is, but what is an 'OU'?