Active Directory GPO prevents users local login with error "Local policy of this system does not permit you to logon interactively"

Users with the following group memberships receive the following error message, "Local policy of this system does not permit you to logon interactively".

Group Memberships:
Domain Users            CompanyName.local/Users
Internet Users          CompanyName.local/MyBusiness/Security Groups
Remote Desktop Users    CompanyName.local/Builtin
Users                   CompanyName.local/Builtin
DG1                     CompanyName.local/MyBusiness/Distribution Groups
DG3                     CompanyName.local/MyBusiness/Distribution Groups

DG1 is not a member of any other group but under the properties->general tab the security radio button is checked, not the distribution radio button.

DG3 is also not a member of any other group and also has the security radio button checked.

In ISA2004 firewall DG1 prevents users getting access to a blacklist of websites and DG3 allows access to some specific websites on a whitelist. In both cases the policies are just before the allow internet access policy, well down the policy stack.

My configuration consists of SBS2003R2 Premium with ISA Firewall 2004 and a network of XP clients.

Only when I add the user to Domain Admins are they allowed to logon to an XP client.

I have looked at many of the KB articles and blogs but many refer to Server 2000 problems or problems logging onto the server. I'm specifically interested in users logging onto XP clients.

Any help and advice is gratefully appreciated.

Marcus N (Technical Specialist) Asked:

ilantz Commented:
You should install GPMC, and double check if you accidentally linked GPOs at the domain level...
You could generate the report and see which policy affects the issue.
0
TheCapedPlodder Commented:
It sounds like you've got a group policy object defined that has one of the following settings configured:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

or

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally

Let me know if either of these is configured and what groups are defined therein.

I suspect you've got the first one set and Domain Admins specified.

Cheers,

TCP


0

Marcus N (Technical Specialist) Author Commented:
Mr. TheCapedPlodder -

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" it says the following.
Account Operators
Administrators
Backup Operators
CompanyName\BESAdmin
CompanyName\Domain Admins
Print Operators
Remote Desktop Users
Server Operators

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally" it says the following.
Not Defined

Mr. ilantz -

From where do I install GPMC please?

Mr. ms-pro -

Thank you, but solution A isn't relevant as Administrator can logon.

Solution B isn't true (see the answer provided above).

Solution C isn't relevant as this isn't a remote logon terminal services issue.

I'd welcome any other thoughts and opinions, of course. And thank you in advance for this and those.
0
ms-pro Commented:
0
Marcus N (Technical Specialist) Author Commented:
Mr. ms-pro -

Thank you. I have run the gpmc and attached are two screen shots taken from that. Does this help to understand the problem?
GPMC-2008-06-24.jpg
GPMC-2008-06-24b.jpg
0
TheCapedPlodder Commented:
Have you checked every GPO you have defined? You need to check all GPOs that apply to the XP workstation(s).

I can't see Domain Users listed, which to my mind is why your users cannot log on. Try adding Domain Users to one of the GPOs that applies to the computer and see if that does the trick.
0

ms-pro Commented:
Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" you need to add Domain Users.
0
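The check the answers above walk through by hand, as an added example (not code from the thread or from any tool named in it): a Python sketch that parses the [Privilege Rights] section of a security-template export, such as one written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and tests whether a set of token groups holds SeInteractiveLogonRight ("Allow log on locally"). The sample template and token are constructed from the lists posted in the thread, and matching on short group names is a simplifying assumption.

```python
# Added example: evaluate "Allow log on locally" / "Deny logon locally"
# from the [Privilege Rights] section of a security-template export.
WELL_KNOWN = {  # BUILTIN SIDs -> group names
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
    "S-1-5-32-548": "Account Operators", "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators", "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Constructed sample mirroring the Allow list posted in the thread;
# "Deny logon locally" was Not Defined, so its key is absent.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,CompanyName\BESAdmin,CompanyName\Domain Admins,*S-1-5-32-550,*S-1-5-32-555,*S-1-5-32-549
[Version]
signature="$CHICAGO$"
"""

# Constructed token for an ordinary user on the XP client. Assumption: the
# user is not in the workstation's own local Remote Desktop Users group.
USER_TOKEN = ["Domain Users", "Internet Users", "DG1", "DG3", "Users"]

def privilege_rights(inf_text):
    """Return {right: set of lowercased short names} from [Privilege Rights]."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            key, _, value = line.partition("=")
            names = set()
            for item in value.split(","):
                item = item.strip().lstrip("*")  # '*' marks a SID entry
                if item:  # simplification: drop the DOMAIN\ prefix
                    names.add(WELL_KNOWN.get(item, item).split("\\")[-1].lower())
            rights[key.strip()] = names
    return rights

def can_log_on_locally(rights, token_groups):
    """Deny wins over Allow; a right absent from the export grants nothing."""
    groups = {g.lower() for g in token_groups}
    if groups & rights.get("SeDenyInteractiveLogonRight", set()):
        return False
    return bool(groups & rights.get("SeInteractiveLogonRight", set()))
```

With the sample template, `can_log_on_locally(privilege_rights(SAMPLE_INF), USER_TOKEN)` is false until Domain Users (or another group in the token) appears in the Allow list, which matches the behaviour reported in the question.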