Solved

The user has not been granted the requested logon type at this computer when accessing a network share

Posted on 2008-10-28
Last Modified: 2012-05-05
I currently have a server (Windows 2003 R2, SP2, server role = file server) with several shares on it. Users will be accessing these shares remotely from their desktops (Windows XP Prof). However, when I'm in the Local Security Settings on this server (that has the shares on it) I noticed that the following user right assignments are disabled: 1) Access this computer from the network; 2) Allow log on locally and 3) Enable computer & user accounts to be trusted for delegation. I'm guessing these are disabled because these are set at the DC under Default Domain Security Settings. However, I want to make this server available so users can access the shares across the network on this server. While doing a test, the only way to do it is to put a user in the administrators group of this server, which I don't want to do. How can I have a user access this server's shares across the network without getting the following error message of "The user has not been granted the requested logon type at this computer"? Is it a matter of going on the DC under Default Domain Security settings and changing the user right assignment by adding the desired group or everyone? I was thinking if I made the change there that would be for all servers in that domain. I was just hoping to make the change for this one server without affecting all the servers in the domain that this server happens to be in. I hope I have explained this clearly. Thanks
Question by:mitzig

Accepted Solution

by:
dfxdeimos earned 250 total points
ID: 22825647
I just want to clarify to make sure that I understand your situation.

You have SERVERA which is part of your domain, we will call it DOMAIN.LOCAL. You set up a folder on SERVERA that you want to share files from. You modify BOTH the share permissions and the NTFS permissions on that folder to allow the appropriate groups access. They try to navigate to the folder by visiting "\\SERVERA\ShareName" and they get the error message you described?

Users shouldn't have to have any special logon rights assigned to them in order to browse file shares, only the appropriate NTFS and share permissions.

You are partially correct in assuming that the policies at the domain level will override the local ones. Security policies are applied in the following order: Local, Site, Domain, OU. If the local security policy defines items that are NOT addressed at the domain level, then the settings will stay; if the domain level addresses the same items, then the domain will override the local settings.

Assisted Solution

by:Americom
Americom earned 250 total points
ID: 22827902
Your message was caused exactly by the local policy "Access this computer from the network" being disabled. "Disabled" may not be the correct word to use for this particular policy. You can add or remove groups from accessing this computer from the network. When you say disabled, do you mean all the groups were removed, or just that the group containing the users who were trying to access the share on this server was removed or not added? Most likely the latter, since if you had removed all the groups from accessing this server from the network, that would make your server useless!

By default, "Access this computer from the network" is configured with the following:

On workstations and servers: Administrators, Backup Operators, Power Users, Users, Everyone
On domain controllers: Administrators, Authenticated Users, Everyone

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
 
If you cannot make the above changes locally in your server's local policy, then it is likely that the policy is set in Active Directory, like you said, in the default domain GPO. You need to verify this first. Once you find out which GPO has this configuration, you can copy the GPO under a different name, adjust the above settings, and then apply it to the server by creating an OU inside the OU where all your servers are. You can set block inheritance (depending on how your default GPO is configured) or simply link the GPO, as the last GPO applied is the one that takes effect when multiple GPOs are applied to the same OU.

Hope this helps.
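
One way to do the "verify this first" step, as an added example that is not part of either answer: export the server's effective user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check who holds the network logon right. The sample export, the `parse_rights` and `can_logon_from_network` helper names, and the group list passed in for the user are constructed for illustration.

```python
# Added example: audit network-logon user rights in a secedit export.
ALLOW = "SeNetworkLogonRight"      # "Access this computer from the network"
DENY = "SeDenyNetworkLogonRight"   # "Deny access to this computer from the network"

# Well-known SIDs for the default groups listed in the thread.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

# Constructed sample; a real export is usually UTF-16 (open with encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(m, m) for m in members]
    return rights

def can_logon_from_network(rights, user_groups):
    """user_groups: groups assumed to be in the user's token. Deny beats allow."""
    groups = set(user_groups)
    if groups & set(rights.get(DENY, [])):
        return False, "denied by " + DENY
    if groups & set(rights.get(ALLOW, [])):
        return True, "granted by " + ALLOW
    return False, "no listed group holds " + ALLOW

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    print(can_logon_from_network(rights, ["Everyone", "Authenticated Users", "Users"]))
```

With the constructed export above, an ordinary domain user is refused while a member of Administrators is allowed, which matches the symptom in the question.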

Question has a verified solution.
