Solved

Active Directory GPO prevents users local login with error "Local policy of this system does not permit you to logon interactively"

Posted on 2008-06-24
Last Modified: 2012-08-13
Users with the following group memberships receive the following error message, "Local policy of this system does not permit you to logon interactively".

Group Memberships;
Domain Users                   CompanyName.local/Users
Internet Users                   CompanyName.local/MyBusiness/Security Groups
Remote Desktop Users     CompanyName.local/Builtin
Users                                CompanyName.local/Builtin
DG1                                  CompanyName.local/MyBusiness/Distribution Groups
DG3                                  CompanyName.local/MyBusiness/Distribution Groups

DG1 is not a member of any other group but under the properties->general tab the security radio button is checked, not the distribution radio button.

DG3 is also not a member of any other group and also has the security radio button checked.

In ISA2004 firewall DG1 prevents users getting access to a blacklist of websites and DG3 allows access to some specific websites on a whitelist. In both cases the policies are just before the allow internet access policy, well down the policy stack.

My configuration consists of SBS2003R2 Premium with ISA Firewall 2004 and a network of XP clients.

Only when I add the user to Domain Admins are they allowed to logon to an XP client.

I have looked at many of the KB articles and blogs but many refer to Server 2000 problems or problems logging onto the server. I'm specifically interested in users logging onto XP clients.

Any help and advice is gratefully appreciated.

Question by:MarcusN
8 Comments
 
LVL 6

Expert Comment

by:ilantz
ID: 21853108
You should install GPMC and double-check whether you accidentally linked GPOs at the domain level...
You could generate the report and see which policy affects the issue.
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 21853872
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21854513
It sounds like you've got a group policy object defined that has one of the following settings configured:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

or

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally

Let me know if either of these is configured and what groups are defined therein.

I suspect you've got the first one set and Domain Admins specified.

Cheers,

TCP


0
 

Author Comment

by:MarcusN
ID: 21868151
Mr. TheCapedPlodder -

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" it says the following.
Account Operators
Administrators
Backup Operators
CompanyName\BESAdmin
CompanyName\Domain Admins
Print Operators
Remote Desktop Users
Server Operators

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally" it says the following.
Not Defined

Mr. ilantz -

From where do I install GPMC please?

Mr. ms-pro -

Thank you, but solution A isn't relevant as Administrator can logon.

Solution B isn't true (see the answer provided above).

Solution C isn't relevant as this isn't a remote logon terminal services issue.

I'd welcome any other thoughts and opinions, of course. And thank you in advance for this and those.
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 21868773
0
 

Author Comment

by:MarcusN
ID: 21870532
Mr. ms-pro -

Thank you. I have run the gpmc and attached are two screen shots taken from that. Does this help to understand the problem?
GPMC-2008-06-24.jpg
GPMC-2008-06-24b.jpg
0
 
LVL 13

Accepted Solution

by:
TheCapedPlodder earned 500 total points
ID: 21872596
Have you checked every GPO you have defined? You need to check all GPOs that apply to the XP workstation(s).

I can't see Domain Users listed, which to my mind is why your users cannot log on. Try adding Domain Users to one of the GPOs that applies to the computer and see if that does the trick.
0
 
LVL 7

Assisted Solution

by:ms-pro
ms-pro earned 500 total points
ID: 21875545
Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" you need to add Domain Users.
0
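The check the answers above describe, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of GPO security templates (the `GptTmpl.inf` format, also produced by `secedit /export /cfg`), resolves which GPO's "Allow log on locally" list wins, and tests a logon token against it. The domain SID, the RIDs 1105 and 1110, and both templates are constructed; the example also assumes that membership of the domain's Builtin\Remote Desktop Users group does not appear in a token on a workstation, since those Builtin groups are local to domain controllers.

```python
import configparser

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
ALLOW, DENY = "SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"

# Constructed template mirroring the "Allow log on locally" list quoted in the
# thread (BESAdmin's RID 1105 is made up). "Not Defined" means the key is
# absent, so SeDenyInteractiveLogonRight does not appear at all.
GPO_AS_POSTED = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*{DOM}-1105,*{DOM}-512,*S-1-5-32-550,*S-1-5-32-555,*S-1-5-32-549
"""
# Constructed higher-precedence GPO applying the accepted fix (Domain Users = RID 513).
GPO_FIX = f"""[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*{DOM}-512,*{DOM}-513
"""

def parse_rights(inf_text):
    """Return {right_name: set_of_SIDs} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the Se* right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {k: {s.strip().lstrip("*") for s in v.split(",") if s.strip()}
            for k, v in cp.items("Privilege Rights")}

def effective_rights(gpos_lowest_precedence_first):
    """A right defined in a later GPO replaces the earlier list; lists are not merged."""
    eff = {}
    for inf_text in gpos_lowest_precedence_first:
        eff.update(parse_rights(inf_text))
    return eff

def may_log_on_locally(eff, token_sids):
    """Deny wins over allow; None means no GPO defines the right (local policy decides)."""
    token = set(token_sids)
    if eff.get(DENY, set()) & token:
        return False
    if ALLOW not in eff:
        return None
    return bool(eff[ALLOW] & token)

# Constructed tokens on the XP client: user SID, Domain Users, BUILTIN\Users.
USER_TOKEN = [f"{DOM}-1110", f"{DOM}-513", "S-1-5-32-545"]
ADMIN_TOKEN = USER_TOKEN + [f"{DOM}-512", "S-1-5-32-544"]  # after adding Domain Admins
```

Because the winning GPO replaces the whole list, any group that must keep the right (here Administrators and Domain Admins) has to be repeated in the GPO that adds Domain Users.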

Question has a verified solution.
