Marcus N
asked on
Active Directory GPO prevents users local login with error "Local policy of this system does not permit you to logon interactively"
Users with the following group memberships receive the following error message, "Local policy of this system does not permit you to logon interactively".
Group Memberships:
Domain Users CompanyName.local/Users
Internet Users CompanyName.local/MyBusiness/Security Groups
Remote Desktop Users CompanyName.local/Builtin
Users CompanyName.local/Builtin
DG1 CompanyName.local/MyBusiness/Distribution Groups
DG3 CompanyName.local/MyBusiness/Distribution Groups
DG1 is not a member of any other group but under the properties->general tab the security radio button is checked, not the distribution radio button.
DG3 is also not a member of any other group and also has the security radio button checked.
In ISA2004 firewall DG1 prevents users getting access to a blacklist of websites and DG3 allows access to some specific websites on a whitelist. In both cases the policies are just before the allow internet access policy, well down the policy stack.
My configuration consists of SBS2003R2 Premium with ISA Firewall 2004 and a network of XP clients.
Only when I add the user to Domain Admins are they allowed to logon to an XP client.
I have looked at many of the KB articles and blogs but many refer to Server 2000 problems or problems logging onto the server. I'm specifically interested in users logging onto XP clients.
Any help and advice is gratefully appreciated.
It sounds like you've got a group policy object defined that has one of the following settings configured:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
or
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally
Let me know if either of these is configured and what groups are defined therein.
I suspect you've got the first one set and Domain Admins specified.
Cheers,
TCP
ASKER
Mr. TheCapedPlodder -
Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" it says the following.
Account Operators
Administrators
Backup Operators
CompanyName\BESAdmin
CompanyName\Domain Admins
Print Operators
Remote Desktop Users
Server Operators
Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally" it says the following.
Not Defined
Mr. ilantz -
From where do I install GPMC please?
Mr. ms-pro -
Thank you, but solution A isn't relevant as Administrator can logon.
Solution B isn't true (see the answer provided above).
Solution C isn't relevant as this isn't a remote logon terminal services issue.
I'd welcome any other thoughts and opinions, of course. And thank you in advance for this and those.
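The check discussed in the posts above (which accounts hold "Allow log on locally" and "Deny log on locally", and whether a user's token matches any of them) can be run offline against a `secedit /export /areas USER_RIGHTS` file. This is an added example, not part of any post in the thread; the domain SID, the BESAdmin RID and both sample tokens are constructed placeholders.

```python
import configparser

# Constructed sample of a user-rights export. Well-known SIDs stand in for the
# built-in groups listed in the thread; the domain SID and the BESAdmin RID
# (1105) are placeholders, not values from the asker's domain.
DOMAIN = "S-1-5-21-1-2-3"
SAMPLE_INF = f"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*{DOMAIN}-1105,*{DOMAIN}-512,*S-1-5-32-550,*S-1-5-32-555,*S-1-5-32-549
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right name: set of SIDs or account names} from [Privilege Rights]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the SeXxx casing of the right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # Entries are comma separated; SIDs carry a leading '*'.
            rights[name] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def can_log_on_locally(rights, token_sids):
    """Deny overrides allow; a right missing from the export has no accounts."""
    token = set(token_sids)
    denied = rights.get("SeDenyInteractiveLogonRight", set()) & token
    allowed = rights.get("SeInteractiveLogonRight", set()) & token
    return (not denied) and bool(allowed), sorted(allowed), sorted(denied)

# Constructed tokens: Everyone, Authenticated Users, BUILTIN\Users, Domain Users;
# the second adds Domain Admins and BUILTIN\Administrators.
STANDARD_USER = ["S-1-1-0", "S-1-5-11", "S-1-5-32-545", f"{DOMAIN}-513"]
ADMIN_USER = STANDARD_USER + [f"{DOMAIN}-512", "S-1-5-32-544"]

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    for label, token in (("standard user", STANDARD_USER), ("domain admin", ADMIN_USER)):
        ok, allowed, denied = can_log_on_locally(rights, token)
        print(f"{label}: allowed={ok} matched_allow={allowed} matched_deny={denied}")
```

To use a real export, read the file as UTF-16 and pass its text to `parse_rights`; the token SIDs must come from the client the user logs on to.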
Group Policy Management Console with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
ASKER
Mr. ms-pro -
Thank you. I have run the gpmc and attached are two screen shots taken from that. Does this help to understand the problem?
GPMC-2008-06-24.jpg
GPMC-2008-06-24b.jpg
SOLUTION
You could generate the report & see which policy affects the issue.