Unable to log in to domain over VPN when using a "domain user" account.

Here is what I have going on.

We have a Windows Server 2003 PDC, and a Windows 2000 server acting as a terminal server.

We have multiple remote offices that connect over a VPN back to our main office. This VPN is managed with Sonicwall devices.

The problem is this:

With certain users, we cannot log in to the domain unless we add them to the "domain admin" group.

I've checked the security policy on the PCs in question to make sure "deny logon locally" is not set, as well as added those users to the "allow logon locally" section of the policy. However, we still get "The local policy of this computer does not permit you to logon locally."

I've checked and double-checked the GP settings on the PDC and nothing is enabled that would deny someone from logging on locally to their PCs. Same thing goes for the remote PCs that I've logged into and checked the settings on there.

I've done several restarts on the PCs, and several gpupdate /force.

From what I've seen, this error generally pertains to when a user is attempting to log on to a terminal server, but that is not the case for us. These are users attempting to log on to their workstation using their username / password, not logging on to a terminal server.

I created a test account in AD, but had the same issue, unless I added him to the domain admin group.

Any insight is appreciated.

Thanks
Matt
themightydude asked:

Jay_Jay70 commented (accepted solution):
correct - you need to look at "allow log on through terminal services" - not "allow log on locally" :)

Jay_Jay70 commented:
local policies don't come into play if there is a domain policy on board - i would be looking there to start with

themightydude (Author) commented:
I'm not sure where to start with the domain policy though.

The message I get on the computers is:

"The local policy of this computer does not allow you to log in locally"

I've gone through the user rights / local policies in the domain GP, but I have been unable to find anything there which might be inhibiting logins.
Jay_Jay70 commented:
and you said this is only applying to XP machines, yes? just want to clarify that small part - the users can log in to the terminal server?

themightydude (Author) commented:
Correct.

Users can log in to our terminal server just fine, no problems. It's only when a user logs onto the XP workstation.

I've verified that the DNS servers are configured to point to the PDC on the computers.

Jay_Jay70 commented:
yeah, it's nothing but policy related - can you screenshot the security settings relevant for local logon on the XP machines for me please? and let me know what GPOs are applying to the machines

themightydude (Author) commented:
I've attached a screenshot of the GPO that is applied for these users.

In the screenshot is just what I thought was necessary... let me know if I need to include more information for you.

Thanks
(attachment: ss1.JPG)

Jay_Jay70 commented:
there we go

your "allow logon locally" is not defined - you need to enable it and specify your groups or users etc. (best bet is to add the Domain Users group) or Authenticated Users etc.

themightydude (Author) commented:
hmmm ok.

Didn't know you had to define that... I thought that if you didn't define it, it would allow log on locally.

I'll give that a shot in the morning, and let you know how it goes.

Thanks
Matt

Jay_Jay70 commented:
yeah, it's one of those things that are hit and miss... magical, some might say **Grin** PITA, others like me would say

themightydude (Author) commented:
Ok... that didn't work.

Still getting the same message.

There are users in the same GPO that can log in... as far as I know, I have 2 users right now who are unable to log in, like I was saying before, unless they are added to the domain admin group.

I did change the GPO settings so "allow logon locally" was defined... I also added the "domain users" group, as well as the individual user names... but still having the same problem... I have no idea.

I've attached a SS of the msg I get... and another SS of the GPO settings.
(attachments: logon.JPG, gpo.JPG)

themightydude (Author) commented:
or actually... you know, I'm thinking maybe this.

These are remote offices obviously... that I'm using RDC to connect to while I'm testing this issue.

Maybe I am a complete idiot, and logging on at the physical office will work fine.

Maybe it's not working for me because I'm using RDC to connect to the PC and then log in that way?

Just now thought of that.
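The distinction the thread lands on, as an added example that is not code from either poster: an RDP (Remote Desktop Connection) session to a workstation is gated by the "Allow log on through Terminal Services" right (SeRemoteInteractiveLogonRight), not by "Allow log on locally" (SeInteractiveLogonRight). On XP that right is held by default only by Administrators and Remote Desktop Users, and Domain Admins is nested into the local Administrators group on a domain-joined machine, which is why adding a user to Domain Admins "fixed" it. The script below, run from an elevated PowerShell prompt on the affected workstation, uses `secedit /export` to dump the rights actually in force (i.e. after domain GPOs have applied, so it reflects what local policy would show after a `gpupdate`) and then lists who is in the two local groups that matter for RDP. The temp file name and the helper `Resolve-Principal` are this example's own choices, not anything from the thread.

```powershell
# Added example, not from the original thread. Shows the effective holders of the
# local-logon and terminal-services-logon user rights on this machine, plus the
# membership of the local groups that grant RDP access by default.
# Requires an elevated prompt; secedit.exe and the ADSI WinNT provider are built in.

$cfg = Join-Path $env:TEMP 'userrights-export.inf'   # assumed scratch path for the export
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed - run from an elevated prompt." }

# Privilege constant as written in the .inf  ->  label as shown in secpol.msc / gpedit.msc
$rights = @(
    @('SeInteractiveLogonRight',           'Allow log on locally'),
    @('SeDenyInteractiveLogonRight',       'Deny log on locally'),
    @('SeRemoteInteractiveLogonRight',     'Allow log on through Terminal Services'),
    @('SeDenyRemoteInteractiveLogonRight', 'Deny log on through Terminal Services')
)

# secedit writes holders as "*S-1-5-32-544,*S-1-5-32-555"; translate SIDs to names.
function Resolve-Principal([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }          # already an account name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry                                            # unresolvable SID, show raw
    }
}

$inf = Get-Content $cfg
foreach ($pair in $rights) {
    $priv, $label = $pair
    $line = $inf | Where-Object { $_ -match "^\s*$priv\s*=" } | Select-Object -First 1
    if (-not $line) {
        '{0,-42} : (no accounts hold this right)' -f $label
        continue
    }
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ }
    '{0,-42} : {1}' -f $label, ($holders -join ', ')
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Local groups that hold SeRemoteInteractiveLogonRight by default on XP.
# Domain Admins shows up inside Administrators on a domain-joined box, which is
# the path the thread's users were taking without realising it.
foreach ($groupName in 'Remote Desktop Users', 'Administrators') {
    $group   = [ADSI]"WinNT://./$groupName,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    })
    '{0,-42} : {1}' -f "Local group '$groupName'", ($members -join ', ')
}
```

If "Allow log on through Terminal Services" lists only Administrators and Remote Desktop Users, a plain domain user will get the "local policy ... does not permit" error over RDC but log on fine at the console, exactly the pattern in this thread. Fix it by adding the user (or a domain group) to the local Remote Desktop Users group, or by defining that right in the GPO that applies to the workstations; `gpresult /v` on the workstation confirms which GPOs are actually applying. Granting Domain Admins to get past the error is the wrong fix, since it hands the user administrative control of every machine in the domain.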
 
themightydude (Author) commented:
That's what I just realised... man, it's been a week... lol

Not sure why I didn't think of that before.

I'll test it out in the morning.

Jay_Jay70 commented:
no worries mate

themightydude (Author) commented:
Thanks for the help...

themightydude (Author) commented:
Yep... everyone logged in just fine over there....

Thanks for the help.

Jay_Jay70 commented:
Pleasure :)