Solved

Active Directory GPO prevents users local login with error "Local policy of this system does not permit you to logon interactively"

Posted on 2008-06-24
Last Modified: 2012-08-13
Users with the following group memberships receive the following error message, "Local policy of this system does not permit you to logon interactively".

Group Memberships:
Domain Users           CompanyName.local/Users
Internet Users         CompanyName.local/MyBusiness/Security Groups
Remote Desktop Users   CompanyName.local/Builtin
Users                  CompanyName.local/Builtin
DG1                    CompanyName.local/MyBusiness/Distribution Groups
DG3                    CompanyName.local/MyBusiness/Distribution Groups

DG1 is not a member of any other group but under the properties->general tab the security radio button is checked, not the distribution radio button.

DG3 is also not a member of any other group and also has the security radio button checked.

In ISA2004 firewall DG1 prevents users getting access to a blacklist of websites and DG3 allows access to some specific websites on a whitelist. In both cases the policies are just before the allow internet access policy, well down the policy stack.

My configuration consists of SBS2003R2 Premium with ISA Firewall 2004 and a network of XP clients.

Only when I add the user to Domain Admins are they allowed to logon to an XP client.

I have looked at many of the KB articles and blogs but many refer to Server 2000 problems or problems logging onto the server. I'm specifically interested in users logging onto XP clients.

Any help and advice is gratefully appreciated.

Question by:MarcusN
8 Comments
 
LVL 6

Expert Comment

by:ilantz
ID: 21853108
You should install GPMC, and double check if you accidentally linked GPOs at the domain level...
You could generate the report and see which policy affects the issue.
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 21853872
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21854513
It sounds like you've got a group policy object defined that has one of the following settings configured:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

or

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally

Let me know if either of these is configured and what groups are defined therein.

I suspect you've got the first one set and Domain Admins specified.

Cheers,

TCP


0

 

Author Comment

by:MarcusN
ID: 21868151
Mr. TheCapedPlodder -

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" it says the following.
Account Operators
Administrators
Backup Operators
CompanyName\BESAdmin
CompanyName\Domain Admins
Print Operators
Remote Desktop Users
Server Operators

Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally" it says the following.
Not Defined

Mr. ilantz -

From where do I install GPMC please?

Mr. ms-pro -

Thank you, but solution A isn't relevant as Administrator can logon.

Solution B isn't true (see the answer provided above).

Solution C isn't relevant as this isn't a remote logon terminal services issue.

I'd welcome any other thoughts and opinions, of course. And thank you in advance for this and those.
0
 
LVL 7

Expert Comment

by:ms-pro
ID: 21868773
0
 

Author Comment

by:MarcusN
ID: 21870532
Mr. ms-pro -

Thank you. I have run the gpmc and attached are two screen shots taken from that. Does this help to understand the problem?
GPMC-2008-06-24.jpg
GPMC-2008-06-24b.jpg
0
 
LVL 13

Accepted Solution

by:
TheCapedPlodder earned 125 total points
ID: 21872596
Have you checked every GPO you have defined? You need to check all GPOs that apply to the XP workstation(s).

I can't see Domain Users listed, which to my mind is why your users cannot logon. Try adding Domain Users to one of the GPOs that applies to the computer and see if that does the trick.
0
 
LVL 7

Assisted Solution

by:ms-pro
ms-pro earned 125 total points
ID: 21875545
Under "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally" you need to add Domain Users.
0
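The check the two answers above describe, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of a user-rights export in the INF format that `secedit /export` writes, and tests whether a user's token holds "Allow log on locally" (`SeInteractiveLogonRight`). The domain SID, the RIDs for BESAdmin, Internet Users, DG1 and DG3, and the token contents are constructed; the example also assumes that membership in the domain's Builtin\Remote Desktop Users group does not carry over to the XP workstation's token.

```python
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed export mirroring the "Allow log on locally" list posted in the
# thread. "Deny logon locally" is Not Defined, so its key is absent.
SAMPLE_INF = f"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*{DOMAIN}-1105,*{DOMAIN}-512,*S-1-5-32-550,*S-1-5-32-555,*S-1-5-32-549
[Version]
Revision=1
"""

# Constructed workstation tokens: Domain Users (-513), Internet Users, DG1,
# DG3 (hypothetical RIDs), local Users and Authenticated Users.
USER_TOKEN = {f"{DOMAIN}-513", f"{DOMAIN}-1110", f"{DOMAIN}-1111",
              f"{DOMAIN}-1112", "S-1-5-32-545", "S-1-5-11"}
# Same user after being added to Domain Admins (-512 -> local Administrators).
ADMIN_TOKEN = USER_TOKEN | {f"{DOMAIN}-512", "S-1-5-32-544"}

def parse_privilege_rights(text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {s.strip().lstrip("*")
                                    for s in value.split(",") if s.strip()}
    return rights

def can_log_on_locally(rights, token_sids):
    """Deny wins over allow; an absent right is held by nobody."""
    token = set(token_sids)
    if rights.get("SeDenyInteractiveLogonRight", set()) & token:
        return False
    return bool(rights.get("SeInteractiveLogonRight", set()) & token)

def add_allow(rights, sid):
    """Return a copy of rights with sid granted 'Allow log on locally'."""
    updated = {k: set(v) for k, v in rights.items()}
    updated.setdefault("SeInteractiveLogonRight", set()).add(sid)
    return updated

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    print("user:", can_log_on_locally(rights, USER_TOKEN))
    print("admin:", can_log_on_locally(rights, ADMIN_TOKEN))
    fixed = add_allow(rights, f"{DOMAIN}-513")
    print("user after adding Domain Users:", can_log_on_locally(fixed, USER_TOKEN))
```

Granting the right to Domain Users rather than adding users to Domain Admins keeps the workaround the asker found from becoming the permanent configuration.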
