Solved

The user has not been granted the requested logon type at this computer when accessing a network share

Posted on 2008-10-28
3
338 Views
Last Modified: 2012-05-05
I currently have a server (windows 2003 R2, sp2, server role = file server) with several shares on them. Users will be accessing these shares remotely from their desktops (windows XP prof).  However, when Im in the Local Security Settings on this server (that has the shares on it) I noticed that the following user right assignments are disabled: 1) Access this computer from the network; 2) Allow log on locally and 3) Enable computer & user accounts to be trusted for delegation.  Im guessing these are disabled because these are set at the DC under Default Domain Security Settings.  However, I want to make this server available so users can access the shares across the network on this server.  While doing a test the only way to do it is to put a user in the administrators group of this server  which I dont want to do.  How can I have a user access this server shares across the network without getting the following error message of The user has not been granted the requested logon type at this computer.  Is it a matter of going on the DC under Default Domain Security settings and changing the user right assignment by adding the desired group or everyone?  I was thinking if I made the change there that would be for all servers in that domain.  I was just hoping to make the change for this one server without affecting all the servers in the domain that this server happening to be in.  I hope I have explained this clearly.  Thanks
0
Comment
Question by:mitzig
3 Comments
 
LVL 14

Accepted Solution

by:
dfxdeimos earned 250 total points
ID: 22825647
I just want to clarify to make sure that I understand your situation.

You have SERVERA which is part of your domain, we will call it DOMAIN.LOCAL. You set up a folder on SERVERA that you want to share files from. You modify BOTH the share permissions and the NTFS permissions on that folder to allow the appropriate groups access. They try to navigate to the folder by visiting "\\SERVERA\ShareName" and they get the error message you described?

Users shouldn't have to have any special logon rights assigned to them in order to browse file shares, only the appropriate NTFS and share permissions.

You are partially correct in assuming that the policies at the domain level will override the local ones. Security policies are applied in the following order: Local, Site, Domain, OU. If the local security policy defines items that are NOT addressed at the domain level then the settings will stay, if the domain level addresses the same items then the domain will override the local settings.
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 250 total points
ID: 22827902
Your message was caused exactly due to the local policy of "Access this computer from the network" was disabled. "Disabled" may not be the correct word to use on this particular policy. You can add/remove group from accessing this computer from the network. When you mean by disabled, do you mean all the groups were removed or just the group consisted the users that you were trying to access the share on this server was removed or not added. Most likely the last one as if you have removed all the groups from accessing this server from the network that would make your server useless!

By Default, the "Access this computer from the network" was configured withe the followings:

On workstations and servers: Administrators, Backup Operators, Power Users, Users, Everyone
On domain controllers: Administrators, Authenticated Users, Everyone

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
 
If you cannot make changes of the above locally on your server's local policy, then it is likely that the policy is set on the Active Directory, like you said on the default domain GPO. You need to verify this first. Once you find out which GPO has this configuration, then you can copy the GPO with a different name and adjust the above settings then apply to the sever by creating an OU inside the OU where all your servers are in. You can set block inheritance(depending on how your default GPO is configured) or simply link the GPO as the last GPO will be configured for multiple GPO applied to the same OU.

Hope this help.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now