security policy

I have recently changed the network in one of our offices from a workgroup to a domain. I have installed an HP server running Windows Server 2003 R2.
Prior to the change I could dial in remotely and log on to any PC as user, having previously added that user to the remote desktop users. Now when I connect I can only log on as administrator. If I try to log on as the local user the above error message appears.
I understand that the default security policy for Server 2003 is different to 2000 (which is what we have at our other office and no probs there).
I have tried adding the user to the remote desktop group in the domain but this has made no difference. I have also checked to see which users are listed in 'deny local logon'.
I would welcome any suggestion as to how to get over this security issue as I must be able to log on as local user as well as administrator.
Toni Uranjek Consultant/Trainer Commented:

Go to the command prompt on the computer that reports the error. Run "gpresult /z > gpo.txt" and post the text file here. This command will make a log of how your policies are configured and maybe reveal an error in your configuration.

You can also check if users are members of any group that has "Allow logon through Terminal Services". This setting is new on Windows 2003 servers. Users don't need the "Allow logon locally" right anymore.



If you want an account to be granted Remote Desktop access throughout your domain, add the account to the Remote Desktop Users group in the Builtin container within Active Directory.
TBlackburn Author Commented:
I have achieved a partial solution to this problem. I have added users to the Remote Desktop Users Group but have also had to add individual users to the 'Allow logon locally'. This was because none of them were able to log on to their domain accounts; they were getting the same error message as I was when logging on as remote user. That problem has now gone but users cannot now log on to their PCs locally, i.e. not the domain.
I am attaching the gpo.txt file as suggested by toniur, hoping it will yield some clues.
I guess I also need to learn a lot more about Server 2003.
TBlackburn Author Commented:
See new post
Toni Uranjek Consultant/Trainer Commented:
There was no need to close the question if a solution is not found.

First, a question: what kind of computer is WIGAN_3?

There is your problem:

User Rights
            GPO: Default Domain Policy
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  ADR\Roy
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators

For all computers (apart from DCs), you configured that only Administrators can log on locally on all computers in the domain and that only Roy can log on through RDP.

What I need you to do is to revert Default Domain Policy back to original settings - both settings should be "Not defined".

Then create a new OU, move the computer accounts into this OU and define a new GPO with the following settings:

User Rights
            GPO: NewGPO
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  Administrators, Remote Desktop Users
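
An added example, not part of the original posts: a small Python check that reads the "User Rights" block of a `gpresult /z` dump and reports logon rights defined in the Default Domain Policy, the condition identified in the answer above. The function names are hypothetical, and the two sample dumps are constructed from the layout quoted in the thread (one principal list per "Computer Setting" line is assumed).

```python
# Added example: audit the "User Rights" block of a gpresult /z dump.
LOGON_RIGHTS = {"InteractiveLogonRight", "RemoteInteractiveLogonRight"}

# Constructed samples in the layout quoted in the thread.
BEFORE = r"""
User Rights
            GPO: Default Domain Policy
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  ADR\Roy
            GPO: Default Domain Policy
                Policy:            InteractiveLogonRight
                Computer Setting:  Administrators

Security Options
"""
AFTER = r"""
User Rights
            GPO: NewGPO
                Policy:            RemoteInteractiveLogonRight
                Computer Setting:  Administrators, Remote Desktop Users
"""

def parse_user_rights(text):
    """Return one dict per entry: GPO name, policy name, list of principals."""
    entries, current, in_block = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "User Rights":
            in_block = True
        elif in_block and line:
            key, _, value = (part.strip() for part in line.partition(":"))
            if key == "GPO":
                current = {"gpo": value, "policy": None, "principals": []}
                entries.append(current)
            elif key == "Policy" and current:
                current["policy"] = value
            elif key == "Computer Setting" and current:
                current["principals"] = [p.strip() for p in value.split(",") if p.strip()]
            else:
                in_block = False  # any other heading ends the User Rights block
    return entries

def domain_wide_logon_rights(text, gpo_name="Default Domain Policy"):
    """Logon rights set in the domain-level GPO, with who they are limited to."""
    return [(e["policy"], e["principals"]) for e in parse_user_rights(text)
            if e["gpo"] == gpo_name and e["policy"] in LOGON_RIGHTS]

if __name__ == "__main__":
    for policy, principals in domain_wide_logon_rights(BEFORE):
        print(f"{policy} is set in Default Domain Policy, limited to: {', '.join(principals)}")
```
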
TBlackburn Author Commented:
Thank you for your further comments, which are useful. I am a novice in relation to Server 2003, as you may have guessed, and was broadly expecting local policy to be the same as Server 2000.

When you say revert default domain policy back to original settings - which two settings are you referring to? I know what a 'DC' is but what is an 'OU'?