• Status: Solved

The user has not been granted the requested logon type at this computer when accessing a network share

I currently have a server (Windows 2003 R2, SP2, server role = file server) with several shares on it. Users will be accessing these shares remotely from their desktops (Windows XP Prof). However, when I'm in the Local Security Settings on this server (that has the shares on it) I noticed that the following user right assignments are disabled: 1) Access this computer from the network; 2) Allow log on locally; and 3) Enable computer & user accounts to be trusted for delegation. I'm guessing these are disabled because these are set at the DC under Default Domain Security Settings. However, I want to make this server available so users can access the shares across the network on this server. While doing a test, the only way to do it is to put a user in the Administrators group of this server, which I don't want to do. How can I have a user access this server's shares across the network without getting the following error message: "The user has not been granted the requested logon type at this computer"? Is it a matter of going on the DC under Default Domain Security Settings and changing the user right assignment by adding the desired group or Everyone? I was thinking if I made the change there, that would be for all servers in that domain. I was just hoping to make the change for this one server without affecting all the servers in the domain that this server happens to be in. I hope I have explained this clearly. Thanks
2 Solutions
I just want to clarify to make sure that I understand your situation.

You have SERVERA which is part of your domain, we will call it DOMAIN.LOCAL. You set up a folder on SERVERA that you want to share files from. You modify BOTH the share permissions and the NTFS permissions on that folder to allow the appropriate groups access. They try to navigate to the folder by visiting "\\SERVERA\ShareName" and they get the error message you described?

Users shouldn't have to have any special logon rights assigned to them in order to browse file shares, only the appropriate NTFS and share permissions.

You are partially correct in assuming that the policies at the domain level will override the local ones. Security policies are applied in the following order: Local, Site, Domain, OU. If the local security policy defines items that are NOT addressed at the domain level, then the settings will stay; if the domain level addresses the same items, then the domain will override the local settings.

Your message was caused exactly because the local policy "Access this computer from the network" was disabled. "Disabled" may not be the correct word to use for this particular policy. You can add/remove groups from accessing this computer from the network. When you say disabled, do you mean all the groups were removed, or just that the group containing the users with which you were trying to access the share on this server was removed or not added? Most likely the last one, as removing all the groups from accessing this server from the network would make your server useless!

By default, "Access this computer from the network" was configured with the following:

On workstations and servers: Administrators, Backup Operators, Power Users, Users, Everyone
On domain controllers: Administrators, Authenticated Users, Everyone

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
If you cannot make the above changes locally in your server's local policy, then it is likely that the policy is set in Active Directory, like you said, in the default domain GPO. You need to verify this first. Once you find out which GPO has this configuration, you can copy the GPO under a different name, adjust the above settings, and then apply it to the server by creating an OU inside the OU where all your servers are. You can set block inheritance (depending on how your default GPO is configured) or simply link the GPO, as the last GPO will be configured for multiple GPOs applied to the same OU.

Hope this helps.
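
One way to do the verification step discussed in this thread, as an added example that is not part of the original posts: this Python script parses the `[Privilege Rights]` section of a file exported on the server with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and reports who holds the three rights from the question, plus which of the default groups are missing from "Access this computer from the network". The file name `rights.inf`, the sample export and the `DOMAIN\FileAdmins` group are constructed for illustration; real exports are usually UTF-16, so read them with `encoding="utf-16"`.

```python
WELL_KNOWN = {  # well-known SIDs for the groups the answer lists
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users", "S-1-5-32-551": "Backup Operators",
}
RIGHTS = {  # the three rights from the question, by secedit constant name
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeEnableDelegationPrivilege": "Enable computer and user accounts to be trusted for delegation",
}
# Member-server default for network logon, as quoted in the answer
DEFAULT_NETWORK_LOGON = {"Administrators", "Backup Operators", "Power Users", "Users", "Everyone"}

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; plain account names are kept as written
            items = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            rights[name.strip()] = {WELL_KNOWN.get(i, i) for i in items}
    return rights

def audit(inf_text):
    """Return (holders of each right, default groups lacking network logon)."""
    rights = parse_privilege_rights(inf_text)
    report = {label: sorted(rights.get(key, set())) for key, label in RIGHTS.items()}
    missing = sorted(DEFAULT_NETWORK_LOGON - rights.get("SeNetworkLogonRight", set()))
    return report, missing

# Constructed sample export: only Administrators hold the network logon right
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,DOMAIN\\FileAdmins
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    report, missing = audit(SAMPLE)
    for label, holders in report.items():
        print(f"{label}: {', '.join(holders) or '(none)'}")
    print("Default groups without network logon:", ", ".join(missing))
```

Running the export before and after a GPO change shows whether the new policy actually reached this server.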