The user has not been granted the requested logon type at this computer when accessing a network share

Posted on 2008-10-28
Last Modified: 2012-05-05
I currently have a server (windows 2003 R2, sp2, server role = file server) with several shares on them. Users will be accessing these shares remotely from their desktops (windows XP prof).  However, when Im in the Local Security Settings on this server (that has the shares on it) I noticed that the following user right assignments are disabled: 1) Access this computer from the network; 2) Allow log on locally and 3) Enable computer & user accounts to be trusted for delegation.  Im guessing these are disabled because these are set at the DC under Default Domain Security Settings.  However, I want to make this server available so users can access the shares across the network on this server.  While doing a test the only way to do it is to put a user in the administrators group of this server  which I dont want to do.  How can I have a user access this server shares across the network without getting the following error message of The user has not been granted the requested logon type at this computer.  Is it a matter of going on the DC under Default Domain Security settings and changing the user right assignment by adding the desired group or everyone?  I was thinking if I made the change there that would be for all servers in that domain.  I was just hoping to make the change for this one server without affecting all the servers in the domain that this server happening to be in.  I hope I have explained this clearly.  Thanks
Question by:mitzig
LVL 14

Accepted Solution

dfxdeimos earned 250 total points
Comment Utility
I just want to clarify to make sure that I understand your situation.

You have SERVERA which is part of your domain, we will call it DOMAIN.LOCAL. You set up a folder on SERVERA that you want to share files from. You modify BOTH the share permissions and the NTFS permissions on that folder to allow the appropriate groups access. They try to navigate to the folder by visiting "\\SERVERA\ShareName" and they get the error message you described?

Users shouldn't have to have any special logon rights assigned to them in order to browse file shares, only the appropriate NTFS and share permissions.

You are partially correct in assuming that the policies at the domain level will override the local ones. Security policies are applied in the following order: Local, Site, Domain, OU. If the local security policy defines items that are NOT addressed at the domain level then the settings will stay, if the domain level addresses the same items then the domain will override the local settings.
LVL 18

Assisted Solution

Americom earned 250 total points
Comment Utility
Your message was caused exactly due to the local policy of "Access this computer from the network" was disabled. "Disabled" may not be the correct word to use on this particular policy. You can add/remove group from accessing this computer from the network. When you mean by disabled, do you mean all the groups were removed or just the group consisted the users that you were trying to access the share on this server was removed or not added. Most likely the last one as if you have removed all the groups from accessing this server from the network that would make your server useless!

By Default, the "Access this computer from the network" was configured withe the followings:

On workstations and servers: Administrators, Backup Operators, Power Users, Users, Everyone
On domain controllers: Administrators, Authenticated Users, Everyone

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
If you cannot make changes of the above locally on your server's local policy, then it is likely that the policy is set on the Active Directory, like you said on the default domain GPO. You need to verify this first. Once you find out which GPO has this configuration, then you can copy the GPO with a different name and adjust the above settings then apply to the sever by creating an OU inside the OU where all your servers are in. You can set block inheritance(depending on how your default GPO is configured) or simply link the GPO as the last GPO will be configured for multiple GPO applied to the same OU.

Hope this help.

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now