The user has not been granted the requested logon type at this computer when accessing a network share

Posted on 2008-10-28
Last Modified: 2012-05-05
I currently have a server (Windows 2003 R2, SP2, server role = file server) with several shares on it. Users will be accessing these shares remotely from their desktops (Windows XP Professional). However, when I'm in the Local Security Settings on this server (the one that has the shares on it), I noticed that the following user rights assignments are disabled: 1) Access this computer from the network; 2) Allow log on locally; and 3) Enable computer & user accounts to be trusted for delegation. I'm guessing these are disabled because they are set at the DC under Default Domain Security Settings. However, I want to make this server available so users can access its shares across the network. While testing, the only way to do it was to put a user in the Administrators group of this server, which I don't want to do. How can I have a user access this server's shares across the network without getting the error message "The user has not been granted the requested logon type at this computer"? Is it a matter of going to the DC under Default Domain Security Settings and changing the user rights assignment by adding the desired group or Everyone? I was thinking that if I made the change there, it would apply to all servers in that domain. I was just hoping to make the change for this one server without affecting all the servers in the domain that this server happens to be in. I hope I have explained this clearly. Thanks
Question by:mitzig

Accepted Solution

dfxdeimos earned 250 total points
ID: 22825647
I just want to clarify to make sure that I understand your situation.

You have SERVERA which is part of your domain, we will call it DOMAIN.LOCAL. You set up a folder on SERVERA that you want to share files from. You modify BOTH the share permissions and the NTFS permissions on that folder to allow the appropriate groups access. They try to navigate to the folder by visiting "\\SERVERA\ShareName" and they get the error message you described?

Users shouldn't have to have any special logon rights assigned to them in order to browse file shares, only the appropriate NTFS and share permissions.

You are partially correct in assuming that the policies at the domain level will override the local ones. Security policies are applied in the following order: Local, Site, Domain, OU. If the local security policy defines items that are NOT addressed at the domain level, then the settings will stay; if the domain level addresses the same items, then the domain will override the local settings.

Assisted Solution

Americom earned 250 total points
ID: 22827902
Your message was caused exactly by the local policy "Access this computer from the network" being disabled. "Disabled" may not be the correct word to use for this particular policy. You can add or remove groups from accessing this computer from the network. When you say disabled, do you mean all the groups were removed, or just that the group containing the users trying to access the share on this server was removed or not added? Most likely the latter, since if you had removed all the groups from accessing this server from the network, that would make your server useless!

By default, "Access this computer from the network" is configured with the following:

On workstations and servers: Administrators, Backup Operators, Power Users, Users, Everyone
On domain controllers: Administrators, Authenticated Users, Everyone

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
If you cannot make the above changes locally in your server's local policy, then it is likely that the policy is set in Active Directory, as you said, in the default domain GPO. You need to verify this first. Once you find out which GPO has this configuration, you can copy the GPO under a different name, adjust the above settings, and then apply it to the server by creating an OU inside the OU where all your servers are. You can set block inheritance (depending on how your default GPO is configured) or simply link the GPO, as the last GPO will be the one configured when multiple GPOs are applied to the same OU.

Hope this helps.
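
As an added example (not part of either answer above), the following Python parses a user-rights export made on the file server with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and compares "Access this computer from the network" (`SeNetworkLogonRight`) and its deny counterpart with the member-server defaults listed above. The sample export and the `DOMAIN\Contractors` group are constructed for illustration.

```python
# Added example: audit "Access this computer from the network" in a secedit export.
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users", "S-1-5-32-551": "Backup Operators",
}
# Member-server defaults as listed in the answer above.
DEFAULT_NETWORK_LOGON = {"Administrators", "Backup Operators", "Power Users", "Users", "Everyone"}

# Constructed sample export (not taken from a real server).
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyNetworkLogonRight = DOMAIN\\Contractors
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            members = [m.strip() for m in value.split(",") if m.strip()]
            # secedit writes SIDs as *S-1-...; map well-known ones to names.
            rights[name.strip()] = [WELL_KNOWN.get(m.lstrip("*"), m.lstrip("*")) for m in members]
    return rights

def audit_network_logon(rights):
    """Compare the allow/deny network logon rights with the defaults."""
    allowed = set(rights.get("SeNetworkLogonRight", []))
    return {
        "allowed": sorted(allowed),
        "missing_defaults": sorted(DEFAULT_NETWORK_LOGON - allowed),
        "denied": sorted(rights.get("SeDenyNetworkLogonRight", [])),
        "admins_only": allowed == {"Administrators"},
    }

if __name__ == "__main__":
    for key, value in audit_network_logon(parse_privilege_rights(SAMPLE_INF)).items():
        print(f"{key}: {value}")
```

An `admins_only` result of `True` matches the symptom in the question, where share access only worked once the user was placed in the server's Administrators group.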
