Solved

Active Directory GPO prevents users local login with error "Local policy of this system does not permit you to logon interactively"

Posted on 2008-06-24
8
1,088 Views
Last Modified: 2012-08-13
Users with the following group memberships receive the following error message, "Local policy of this system does not permit you to logon interactively".

Group Memberships;
Domain Users                   CompanyName.local/Users
Internet Users                   CompanyName.local/MyBusiness/Security Groups
Remote Desktop Users     CompanyName.local/Builtin
Users                                CompanyName.local/Builtin
DG1                                  CompanyName.local/MyBusiness/Distribution Groups
DG3                                  CompanyName.local/MyBusiness/Distribution Groups

DG1 is not a member of any other group but under the properties->general tab the security radio button is checked, not the distribution radio button.

DG3 is also not a member of any other group and also has the security radio button checked.

In ISA2004 firewall DG1 prevents users getting access to a blacklist of websites and DG3 allows access to some specific websites on a whitelist. In both cases the policies are just before the allow internet access policy, well down the policy stack.

My configuration consists of SBS2003R2 Premium with ISA Firewall 2004 and a network of XP clients.

Only when I add the user to Domain Admins are they allowed to logon to an XP client.

I have looked at many of the KB articles and blogs but many refer to Server 2000 problems or problems logging onto the server. I'm specifically interested in users logging onto XP clients.

ANy help and advice is gratefully appreciated.

0
Comment
Question by:MarcusN
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 6

Expert Comment

by:ilantz
ID: 21853108
you should install GPMC , and double check if you accedently linked gpo's in the domain level...
you could generate the report & see which policy affects the issue.
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 21853872
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21854513
It sounds like you've got a group policy object defined that has one of the following settings configured:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

or

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally

Let me know if either if these is configured and what groups are defined therein.

I suspect you've got the first one set and Domain Admins specified.

Cheers,

TCP


0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:MarcusN
ID: 21868151
Mr. TheCapedPlodder -

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" it says the following.
Account Operators
Administrators
Backup Operators
CompanyName\BESAdmin
CompanyName\Domain Admins
Print Operators
Remote Desktop Users
Server Operators

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally" it says the following.
Not Defined

Mr. ilantz -

From where do I install GPMC please?

Mr. ms-pro -

Thank you, but solution A isn't relevant as Administrator can logon.

Solution B isn't true (see the answer provided above).

Solution C isn't relevant as this isn't a remote logon terminal services issue.

I'd welcome any other thoughts and opinions, of course. And thank you in advance for this and those.
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 21868773
0
 

Author Comment

by:MarcusN
ID: 21870532
Mr. ms-pro -

Thank you. I have run the gpmc and attached are two screen shots taken from that. Does this help to understand the problem?
GPMC-2008-06-24.jpg
GPMC-2008-06-24b.jpg
0
 
LVL 13

Accepted Solution

by:
TheCapedPlodder earned 125 total points
ID: 21872596
Have you checked every GPO you have defined, you need to check all GPO's that apply to the XP workstation(s).

I can't see Domain Users listed which to my mind is why your users cannot logon.  Try adding Domain Users to one of the GPO's that applies to the computer and see if that does the trick.
0
 
LVL 7

Assisted Solution

by:ms-pro
ms-pro earned 125 total points
ID: 21875545
Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" you need to add domian users.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question