mrmyth asked:

local policy of this group does not allow you to log on interactively

User has a home computer that is joined to a domain at his work.

When he tries to log on as guest locally it gives the error that "The local policy of this group does not allow you to log on interactively"

How can I fix that?
cmarandi

The domain policy is probably overwriting the local.  But you can check this out:

Click START
RUN
GPEDIT.MSC

That opens up the LOCAL group policy

Then go to
Windows settings
security settings
local policies
user rights assignments
log on locally

See if guest is registered to log on locally.

The problem is that the next time he logs into the domain, it might overwrite the policy again.

Have him test this.  
mrmyth

ASKER

Guest is there under log on locally properties.

He is definitely logging in locally, right? Changing the domain to "(this computer)"

Can he log in as an admin locally?
If so, right-click My Computer, choose manager, then choose groups & users. Make sure guest is not disabled.
mrmyth

ASKER

He is logging on locally and he can log in locally with the administrator account.

Guest is not disabled.

I'm thinking I just want to take him off the domain, but I'm concerned that if I do that I might not be able to log into his domain user account, and there might be something unforeseen he needs in there.

I did this one other time with a laptop that a user had at home and I had to take it back to his office to rejoin it to the domain to get to his user account again.
ASKER CERTIFIED SOLUTION
llman

This solution is only available to members.
mrmyth

ASKER

How do I turn that off, and why would anyone want that?
llman

If it is in the local policy: open gpedit.msc, browse to Windows Settings | Security Settings | Local Policies | User Rights Assignments | Deny logon locally, double-click, select Guest, click Remove, then OK.

The why is a combination of security and accountability. The Guest is a built-in account and is not associated with a specific user and does not require a password. Most networks require identification of a user as a step in authorizing a user account.
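
To check both rights from a prompt instead of clicking through gpedit.msc, the following added example (not part of the original thread) exports the user rights with secedit and reports whether Guest appears under "Log on locally" (SeInteractiveLogonRight) or "Deny logon locally" (SeDenyInteractiveLogonRight). The function names are hypothetical, and the match on the account name assumes an English-language Windows install.

```powershell
# Added example. Run from an elevated PowerShell prompt on the affected machine.

# secedit writes well-known principals as *SID; turn those into account names.
function Resolve-RightsEntry([string]$Entry) {
    if (-not $Entry.StartsWith('*S-1-')) { return $Entry }
    $sidText = $Entry.Substring(1)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sidText   # e.g. a domain SID that cannot be resolved off the network
    }
}

function Get-InteractiveLogonRights {
    $cfg = Join-Path $env:TEMP 'user_rights_export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    # A right with no holders has no line in the export, so start from empty lists.
    $rights = @{ SeInteractiveLogonRight = @(); SeDenyInteractiveLogonRight = @() }
    try {
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^(SeInteractiveLogonRight|SeDenyInteractiveLogonRight)\s*=\s*(.+)$') {
                $name = $Matches[1]
                $entries = $Matches[2] -split ','
                $rights[$name] = @($entries | ForEach-Object { Resolve-RightsEntry $_.Trim() })
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
    return $rights
}

$rights = Get-InteractiveLogonRights
$isGuest = { $_ -match '(^|\\)Guests?$' }   # Guest account or Guests group
$allowed = @($rights.SeInteractiveLogonRight | Where-Object $isGuest)
$denied  = @($rights.SeDenyInteractiveLogonRight | Where-Object $isGuest)

"Log on locally      : " + ($rights.SeInteractiveLogonRight -join ', ')
"Deny logon locally  : " + ($rights.SeDenyInteractiveLogonRight -join ', ')
if ($denied.Count -gt 0) {
    "Guest is blocked: the deny entry ($($denied -join ', ')) wins over any allow entry."
} elseif ($allowed.Count -gt 0) {
    "Guest holds the logon right and is not denied; look at the account itself next."
} else {
    "Guest is in neither list, so it has no right to log on at the console."
}
```

Running `gpresult /h report.html` from the same elevated prompt shows whether a domain GPO is the source of the setting, which is the case where a local edit gets overwritten at the next policy refresh.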
mrmyth

ASKER

Thanks for the tip.

Just one more question.

If you have two accounts with the same name, one a domain account and one a local account, are they related in any way?

I'm going to take the computer off the domain, but I assume I won't be able to log into that one account that is a domain account, once I do, and because the computer is not on that network, that account will be unreachable, right? Meaning, I won't be able to log into it anymore unless I take it to the workplace where that domain is.

Domain accounts and local accounts (even if named the same) are distinctly different accounts.

You will not be able to log on to the domain account once the computer is removed from the domain (computer deleted from Active Directory), whereas you can log on with a domain account while disconnected (no network path to domain) from the domain because of cached credentials.

Make sure that you change permissions on files to allow the local account access to any files created by the domain account before disjoining the computer.
mrmyth

ASKER

Okay. Thanks. Great advice.