Unable to login to domain over VPN when using a "domain user" account.

Here is what I have going on.

We have a Windows Server 2003 PDC, and a Windows 2000 server acting as a terminal server.

We have multiple remote offices that connect over a VPN back to our main office. This VPN is managed with Sonicwall devices.

The problem is this:

With certain users, we cannot log in to the domain unless we add them to the "domain admin" group.

I've checked the security policy on the PCs in question to make sure "deny log on locally" is not set, and added those users to the "allow log on locally" section of the policy. However, we still get "The local policy of this computer does not permit you to log on locally."

I've checked and double-checked the GP settings on the PDC, and nothing is enabled that would deny someone from logging on locally to their PCs. The same goes for the remote PCs that I've logged into and checked the settings on.

I've done several restarts on the PCs, and several gpupdate /force runs.

From what I've seen, this error generally pertains to a user attempting to log on to a terminal server, but that is not the case for us. These are users attempting to log on to their workstation using their username / password, not logging on to a terminal server.

I created a test account in the AD, but had the same issue, unless I added him to the domain admin group.

Any insight is appreciated.

Thanks
Matt
themightydude (LVL 4) asked:

Jay_Jay70Commented:
Local policies don't come into play if there is a domain policy on board - I would be looking there to start with.
0
themightydudeAuthor Commented:
I'm not sure where to start with the domain policy though.

The message I get on the computers is:

"The Local policy of this computer does not allow you to login locally"

I've gone through the user rights / local policies in the domain GP, but I have been unable to find anything there which might be inhibiting logins.
0
Jay_Jay70Commented:
And you said this is only applying to XP machines, yes? Just want to clarify that small part - the users can log in to the terminal server?
0

themightydudeAuthor Commented:
Correct.

Users can log in to our terminal server just fine, no problems. It's only when a user logs onto the XP workstation.

I've verified that the DNS servers are configured to point to the PDC on the computers.
0
Jay_Jay70Commented:
Yeah, it's nothing but policy related - can you screenshot the security settings relevant for local logon on the XP machines for me please? And let me know what GPOs are applying to the machines.
0
themightydudeAuthor Commented:
I've attached a screenshot of the GPO that is applied for these users.

The screenshot shows just what I thought was necessary; let me know if I need to include more information for you.

Thanks
ss1.JPG
0
Jay_Jay70Commented:
there we go

Your "Allow log on locally" is not defined - you need to enable it and specify your groups or users etc. (best bet is to add the Domain Users group) or Authenticated Users etc.
0
themightydudeAuthor Commented:
hmmm ok.

Didn't know you had to define that. I thought that if you didn't define it, it would allow log on locally.

I'll give that a shot in the morning, and let you know how it goes.

Thanks
Matt
0
Jay_Jay70Commented:
Yeah, it's one of those things that are hit and miss. Magical, some might say **Grin**; PITA, others like me would say.
0
themightydudeAuthor Commented:
Ok...that didn't work.

Still getting the same message.

There are users in the same GPO who can log in. As far as I know, I have 2 users right now who are unable to log in, as I was saying before, unless they are added to the domain admin group.

I did change the GPO settings so "allow log on locally" was defined. I also added the "domain users" group, as well as the individual user names, but I'm still having the same problem. I have no idea.

I've attached a screenshot of the message I get, and another screenshot of the GPO settings.
logon.JPG
gpo.JPG
0
themightydudeAuthor Commented:
Or actually, you know, I'm thinking maybe this.

These are remote offices, obviously, that I'm using RDC to connect to while I'm testing this issue.

Maybe I am a complete idiot, and logging on at the physical office will work fine.

Maybe it's not working for me because I'm using RDC to connect to the PC and then logging in that way?

Just now thought of that.
0
Jay_Jay70Commented:
Correct - you need to look at "Allow log on through Terminal Services", not "Allow log on locally" :)
0
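The distinction the accepted answer points at, as an added example that is not from the thread: a PowerShell script that exports the workstation's user-rights assignment with secedit and lists who holds "Allow log on locally" (what a console logon checks) versus "Allow log on through Terminal Services" (what an RDC session checks), together with the matching Deny rights, since a Deny always wins. It assumes PowerShell is installed on the workstation and is run from an elevated prompt after gpupdate /force.

```powershell
# Added example (not from the thread). Export the effective user-rights assignment
# and show who holds the two logon rights that get confused:
#   SeInteractiveLogonRight       = "Allow log on locally"        (console logon)
#   SeRemoteInteractiveLogonRight = "Allow log on through Terminal Services" (RDP)
# Assumes an elevated PowerShell prompt on the workstation being checked.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

# Turn a "*S-1-5-..." token from the .inf into a readable account name.
# The .inf can mix SIDs and plain names, so anything unresolvable is returned as-is.
function Resolve-RightHolder([string]$token) {
    $sidText = $token.TrimStart('*')
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $token
    }
}

foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rightName = $Matches[1]
        $rawList   = $Matches[2]
        if (-not $rights.ContainsKey($rightName)) { continue }
        $holders = $rawList -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-RightHolder $_.Trim() }
        "{0,-40} ({1})" -f $rights[$rightName], $rightName
        if ($holders) {
            $holders | ForEach-Object { "    $_" }
        } else {
            "    <not defined / empty>"
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A user who appears under "Allow log on locally" but not under "Allow log on through Terminal Services" (directly or via a group such as Remote Desktop Users) will get exactly the error seen in this thread when connecting over RDC, while a console logon at the office succeeds.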
themightydudeAuthor Commented:
That's what I just realised. Man, it's been a week, lol.

Not sure why I didn't think of that before.

I'll test it out in the morning.
0
Jay_Jay70Commented:
no worries mate
0
themightydudeAuthor Commented:
Thanks for the help...
0
themightydudeAuthor Commented:
Yep, everyone logged in just fine over there.

Thanks for the help.
0
Jay_Jay70Commented:
Pleasure :)
0