The local policy of this system does not permit you to logon interactively
Last week we promoted a new DC on one of our subnets and demoted the DC that was originally on that subnet. Since then we have been receiving this message when ever we attempt to RDC to a workstation:
The local policy of this system does not permit you to logon interactively.
I have verified that the "Allow log on through Terminal Services" is enabled for the local policy and that Remote Desktop Users group is allowed. I have also forced an update using gpupdate /force command. No one can RDC not even the Administrators. I have made sure that the group of employees that need this right are part of the Remote Desktop Users group.
We can remote control these boxes using Dameware, just can't using RDC.
The local policy of this system does not permit you to logon interactively.
I have verified that the "Allow log on through Terminal Services" is enabled for the local policy and that Remote Desktop Users group is allowed. I have also forced an update using gpupdate /force command. No one can RDC not even the Administrators. I have made sure that the group of employees that need this right are part of the Remote Desktop Users group.
We can remote control these boxes using Dameware, just can't using RDC.
ASKER
I am sorry, I guess I wasn't clear. I am not trying to log into a DC.
If I am at home and use a VPN client to RDC to my work desktop, I get the message. If I try to RDC into a computer that belongs to one of my employees, I get the message. I have Domain Admin Rights and am a user in the Remote Desktop user group, but can't RDC into non-DC systems. We were able to do this prior to the promotion and demotion of our servers.
If I am at home and use a VPN client to RDC to my work desktop, I get the message. If I try to RDC into a computer that belongs to one of my employees, I get the message. I have Domain Admin Rights and am a user in the Remote Desktop user group, but can't RDC into non-DC systems. We were able to do this prior to the promotion and demotion of our servers.
hi,
this may be a little bit complicated, and I can forward one hypothesys:
there is a server in your company that manages the VPN and allows remote users
to login or not. To do this, it contacts not the Active Directory in general,
but it has been configured, it is done so, to contact a DC server.
After DC swap, in such machine ( or db, configuration,...) there is still old name
and you have to write new one.
bye
vic
this may be a little bit complicated, and I can forward one hypothesys:
there is a server in your company that manages the VPN and allows remote users
to login or not. To do this, it contacts not the Active Directory in general,
but it has been configured, it is done so, to contact a DC server.
After DC swap, in such machine ( or db, configuration,...) there is still old name
and you have to write new one.
bye
vic
ASKER
Vic,
Again, I don't think you quite understand. It is not specific to the VPN or to a DC. This problem occurs whether coming in across a VPN or on the local network.
Again, I don't think you quite understand. It is not specific to the VPN or to a DC. This problem occurs whether coming in across a VPN or on the local network.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
There isn't a computer managing the VPN, we have a Cisco PIX firewall that manages the VPN and that hasn't changed in a couple of years. Additionally, as I tried to explain this happens on our network as well as across the VPN. Because of this I don't think the problem is specific to just VPN traffic. I can sit in my office and try to RDC to a workstation on the same switch and get the error.
ASKER
Vic,
By the way, thanks for hanging in there with me!
THANKS!
By the way, thanks for hanging in there with me!
THANKS!
ASKER
Ready to close. Didn't fix the problem, but I will open with Microsoft for solution.
in a DC, just Domain Admins can login (at console OR by TS).
"Interactive Logins" stay for no-batch, no-service, no-network: you press CtrAltDel, enter U/P,
and see a desktop.
Probably the user that you are using to login, isn't a DomainAdmin: also if you go at Server Console (without TS), you receive the same message.
There is a way to permit any user to login on a DC, and this is used when, someone
want use a DC as TS in Application Mode.
If you are interested to permit any user to login on a DC, post again, sayng type of OS.
bye
vic