Solved

Active Directory GPO prevents users local login with error "Local policy of this system does not permit you to logon interactively"

Posted on 2008-06-24
8
1,084 Views
Last Modified: 2012-08-13
Users with the following group memberships receive the following error message, "Local policy of this system does not permit you to logon interactively".

Group Memberships;
Domain Users                   CompanyName.local/Users
Internet Users                   CompanyName.local/MyBusiness/Security Groups
Remote Desktop Users     CompanyName.local/Builtin
Users                                CompanyName.local/Builtin
DG1                                  CompanyName.local/MyBusiness/Distribution Groups
DG3                                  CompanyName.local/MyBusiness/Distribution Groups

DG1 is not a member of any other group but under the properties->general tab the security radio button is checked, not the distribution radio button.

DG3 is also not a member of any other group and also has the security radio button checked.

In ISA2004 firewall DG1 prevents users getting access to a blacklist of websites and DG3 allows access to some specific websites on a whitelist. In both cases the policies are just before the allow internet access policy, well down the policy stack.

My configuration consists of SBS2003R2 Premium with ISA Firewall 2004 and a network of XP clients.

Only when I add the user to Domain Admins are they allowed to logon to an XP client.

I have looked at many of the KB articles and blogs but many refer to Server 2000 problems or problems logging onto the server. I'm specifically interested in users logging onto XP clients.

ANy help and advice is gratefully appreciated.

0
Comment
Question by:MarcusN
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 6

Expert Comment

by:ilantz
ID: 21853108
you should install GPMC , and double check if you accedently linked gpo's in the domain level...
you could generate the report & see which policy affects the issue.
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 21853872
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21854513
It sounds like you've got a group policy object defined that has one of the following settings configured:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

or

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally

Let me know if either if these is configured and what groups are defined therein.

I suspect you've got the first one set and Domain Admins specified.

Cheers,

TCP


0
 

Author Comment

by:MarcusN
ID: 21868151
Mr. TheCapedPlodder -

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" it says the following.
Account Operators
Administrators
Backup Operators
CompanyName\BESAdmin
CompanyName\Domain Admins
Print Operators
Remote Desktop Users
Server Operators

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally" it says the following.
Not Defined

Mr. ilantz -

From where do I install GPMC please?

Mr. ms-pro -

Thank you, but solution A isn't relevant as Administrator can logon.

Solution B isn't true (see the answer provided above).

Solution C isn't relevant as this isn't a remote logon terminal services issue.

I'd welcome any other thoughts and opinions, of course. And thank you in advance for this and those.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 7

Expert Comment

by:ms-pro
ID: 21868773
0
 

Author Comment

by:MarcusN
ID: 21870532
Mr. ms-pro -

Thank you. I have run the gpmc and attached are two screen shots taken from that. Does this help to understand the problem?
GPMC-2008-06-24.jpg
GPMC-2008-06-24b.jpg
0
 
LVL 13

Accepted Solution

by:
TheCapedPlodder earned 125 total points
ID: 21872596
Have you checked every GPO you have defined, you need to check all GPO's that apply to the XP workstation(s).

I can't see Domain Users listed which to my mind is why your users cannot logon.  Try adding Domain Users to one of the GPO's that applies to the computer and see if that does the trick.
0
 
LVL 7

Assisted Solution

by:ms-pro
ms-pro earned 125 total points
ID: 21875545
Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" you need to add domian users.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now