Solved

The local policy of this system does not permit you to logon interactively

Posted on 2009-05-05
Last Modified: 2013-11-21
Last week we promoted a new DC on one of our subnets and demoted the DC that was originally on that subnet.  Since then we have been receiving this message whenever we attempt to RDC to a workstation:

The local policy of this system does not permit you to logon interactively.

I have verified that the "Allow log on through Terminal Services" is enabled for the local policy and that Remote Desktop Users group is allowed.  I have also forced an update using the gpupdate /force command.  No one can RDC, not even the Administrators.  I have made sure that the group of employees that need this right are part of the Remote Desktop Users group.

We can remote control these boxes using Dameware, just can't using RDC.
Question by:sfletcher1959
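
An added example, not part of the original question or any reply: one way to confirm which rights are actually in effect on an affected workstation is to export them with `secedit /export /areas USER_RIGHTS` and check "Allow log on through Terminal Services" (`SeRemoteInteractiveLogonRight`) and its deny counterpart, which takes precedence, for the Administrators and Remote Desktop Users SIDs. The INF text, the file path and the function names below are constructed for illustration.

```powershell
# On the affected workstation, export the effective rights first (elevated prompt):
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# then pass (Get-Content C:\Temp\rights.inf -Raw) instead of $sampleInf.
# Constructed sample export, not output from the poster's systems:
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Parse every Se...LogonRight line into a hashtable of right -> list of SIDs/names.
function Get-LogonRight {
    param([string]$InfText)
    $rights = @{}
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*(Se\w*LogonRight)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

# Report, per built-in group, whether the RDP logon right is granted or denied.
function Test-RdpRight {
    param([hashtable]$Rights)
    $wellKnown = [ordered]@{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-555' = 'Remote Desktop Users'
    }
    foreach ($sid in $wellKnown.Keys) {
        [pscustomobject]@{
            Group   = $wellKnown[$sid]
            Allowed = @($Rights['SeRemoteInteractiveLogonRight']) -contains $sid
            Denied  = @($Rights['SeDenyRemoteInteractiveLogonRight']) -contains $sid
        }
    }
}

Test-RdpRight (Get-LogonRight $sampleInf) | Format-Table -AutoSize
```

In the constructed sample, Remote Desktop Users shows `Allowed = False` even though the group exists locally, which is what the export looks like when a domain-level policy has replaced the local user-rights assignment.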

Expert Comment

by:dolomiti
hi,
in a DC, just Domain Admins can login (at console OR by TS).

"Interactive Logins" stands for non-batch, non-service, non-network: you press Ctrl+Alt+Del, enter U/P,
and see a desktop.

Probably the user that you are using to log in isn't a Domain Admin: also, if you go to the Server Console (without TS), you receive the same message.

There is a way to permit any user to log in on a DC, and this is used when someone
wants to use a DC as a TS in Application Mode.

If you are interested in permitting any user to log in on a DC, post again, saying the type of OS.

bye
vic


Author Comment

by:sfletcher1959
I am sorry, I guess I wasn't clear.  I am not trying to log into a DC.  

If I am at home and use a VPN client to RDC to my work desktop, I get the message.  If I try to RDC into a computer that belongs to one of my employees, I get the message.  I have Domain Admin Rights and am a user in the Remote Desktop user group, but can't RDC into non-DC systems.  We were able to do this prior to the promotion and demotion of our servers.

Expert Comment

by:dolomiti
hi,
this may be a little bit complicated, and I can put forward one hypothesis:

there is a server in your company that manages the VPN and allows remote users
to log in or not. To do this, it does not contact Active Directory in general;
it has been configured to contact a DC server.
After the DC swap, on that machine (or db, configuration, ...) there is still the old name
and you have to write the new one.

bye
vic

Author Comment

by:sfletcher1959
Vic,
    Again, I don't think you quite understand.  It is not specific to the VPN or to a DC.  This problem occurs whether coming in across a VPN or on the local network.

Accepted Solution

by:
dolomiti earned 500 total points
hi,
in my last post, I did not speak about login on a DC.
I believe there is a computer that manages the VPN:
what I proposed is to check if in its configuration (of VPN)
there is a reference (written in some fields) to the old (demoted) DC rather than to the new one.

In your first post, you were clear, I misunderstood the scenario.

sorry
vic

Author Comment

by:sfletcher1959
There isn't a computer managing the VPN, we have a Cisco PIX firewall that manages the VPN and that hasn't changed in a couple of years.  Additionally, as I tried to explain this happens on our network as well as across the VPN.  Because of this I don't think the problem is specific to just VPN traffic.  I can sit in my office and try to RDC to a workstation on the same switch and get the error.

Author Comment

by:sfletcher1959
Vic,
    By the way, thanks for hanging in there with me!

THANKS!

Author Closing Comment

by:sfletcher1959
Ready to close.  Didn't fix the problem, but I will open with Microsoft for solution.