Active Directory GPO prevents users local login with error "Local policy of this system does not permit you to logon interactively"
Posted on 2008-06-24
Users with the following group memberships receive the following error message, "Local policy of this system does not permit you to logon interactively".
Domain Users          CompanyName.local/Users
Internet Users        CompanyName.local/MyBusiness/Security Groups
Remote Desktop Users  CompanyName.local/Builtin
DG1                   CompanyName.local/MyBusiness/Distribution Groups
DG3                   CompanyName.local/MyBusiness/Distribution Groups
DG1 is not a member of any other group, but under the Properties -> General tab the Security radio button is checked, not the Distribution radio button.
DG3 is also not a member of any other group and also has the security radio button checked.
In the ISA2004 firewall, DG1 prevents users from getting access to a blacklist of websites, and DG3 allows access to some specific websites on a whitelist. In both cases the policies are just before the allow internet access policy, well down the policy stack.
My configuration consists of SBS2003R2 Premium with ISA Firewall 2004 and a network of XP clients.
Only when I add the user to Domain Admins are they allowed to log on to an XP client.
I have looked at many of the KB articles and blogs, but many refer to Server 2000 problems or problems logging on to the server. I'm specifically interested in users logging on to XP clients.
Any help and advice is gratefully appreciated.