Solved

The local policy of this system does not permit you to logon interactively

Posted on 2009-05-05
8
769 Views
Last Modified: 2013-11-21
Last week we promoted a new DC on one of our subnets and demoted the DC that was originally on that subnet.  Since then we have been receiving this message when ever we attempt to RDC to a workstation:

The local policy of this system does not permit you to logon interactively.

I have verified that the "Allow log on through Terminal Services" is enabled for the local policy and that Remote Desktop Users group is allowed.  I have also forced an update using gpupdate /force command.  No one can RDC not even the Administrators.  I have made sure that the group of employees that need this right are part of the Remote Desktop Users group.

We can remote control these boxes using Dameware, just can't using RDC.
0
Comment
Question by:sfletcher1959
  • 5
  • 3
8 Comments
 
LVL 7

Expert Comment

by:dolomiti
ID: 24306280
hi,
in a DC, just Domain Admins can login (at console OR by TS).

"Interactive Logins" stay for no-batch, no-service, no-network: you press CtrAltDel, enter U/P,
and see a desktop.

Probably the user that you are using to login, isn't a DomainAdmin: also if you go at Server Console (without TS), you receive the same message.

There is a way to permit any user to login on a DC, and this is used when, someone
want use a DC as TS in Application Mode.

If you are interested to permit any user to login on a DC, post again, sayng type of OS.

bye
vic

0
 

Author Comment

by:sfletcher1959
ID: 24307067
I am sorry, I guess I wasn't clear.  I am not trying to log into a DC.  

If I am at home and use a VPN client to RDC to my work desktop, I get the message.  If I try to RDC into a computer that belongs to one of my employees, I get the message.  I have Domain Admin Rights and am a user in the Remote Desktop user group, but can't RDC into non-DC systems.  We were able to do this prior to the promotion and demotion of our servers.
0
 
LVL 7

Expert Comment

by:dolomiti
ID: 24307967
hi,
this may be a little bit complicated, and I can forward one hypothesys:

there is a server in your company that manages the VPN and allows remote users
to login or not. To do this, it contacts not the Active Directory in general,
but it has been configured, it is done so, to contact a DC server.
After DC swap, in such machine ( or db, configuration,...) there is still old name
and you have to write new one.

bye
vic
0
 

Author Comment

by:sfletcher1959
ID: 24317249
Vic,
    Again, I don't think you quite understand.  It is not specific to the VPN or to a DC.  This problem occurs whether coming in across a VPN or on the local network.
0
Why are Office 365 signatures so complicated?

Trying to setup transport rules for Office 365 email signatures and can’t quite figure it out? Having to test the signature over and over? Make things simple by using Exclaimer Cloud - Signatures for Office 365.

 
LVL 7

Accepted Solution

by:
dolomiti earned 500 total points
ID: 24320115
hi,
in my last post, I did not speak about login on a DC.
I believe there is a computer that manages the VPN:
what I proposed is to check if in its configuration (of VPN)
there is a reference (witten in some fields) to the old (demoted) DC rather to new.

In your first post, you were clear, I misunderstood the scenario.

sorry
vic
0
 

Author Comment

by:sfletcher1959
ID: 24325721
There isn't a computer managing the VPN, we have a Cisco PIX firewall that manages the VPN and that hasn't changed in a couple of years.  Additionally, as I tried to explain this happens on our network as well as across the VPN.  Because of this I don't think the problem is specific to just VPN traffic.  I can sit in my office and try to RDC to a workstation on the same switch and get the error.
0
 

Author Comment

by:sfletcher1959
ID: 24326331
Vic,
    By the way, thanks for hanging in there with me!

THANKS!
0
 

Author Closing Comment

by:sfletcher1959
ID: 31578056
Ready to close.  Didn't fix the problem, but I will open with Microsoft for solution.
0

Featured Post

Want to promote your upcoming event?

Are you going to an event? Are you going to be exhibiting at a tradeshow? Talking at a conference? Using a promotional banner in your email signature ensures that your organization’s most important contacts stay in the know and can potentially spread the word about the event.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found listed in my profile here: http:…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now