Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Regular users cannot logon locally

Posted on 2010-08-13
6
Medium Priority
?
603 Views
Last Modified: 2013-11-25
Hi,

Something got messed up in my windows 2003 server AD.
The clients that ARE NOT local admins cannot logon locally.

If I go to each clients machine and set the users group to be a member of the administrators group, then it works fine in windows xp forever, but I have a box with windows seven, and that configuration only works for a day. The next day, the users group are no longer members of the administrators group and so the regular users cannot logon to that machine.

I found that in the AD the domain users are not a member of the users group, so I added that configuration and it works until I refresh the GPO, then everything goes back to not working and the domain users are no longer members of the builtin users group.

How can I reset my gpo to the default ? I tried importing a GPO template, but there are so many template files that I dont know which one is the default.
Or is this happening because of something else ?
0
Comment
Question by:tarcis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 16

Assisted Solution

by:cantoris
cantoris earned 2000 total points
ID: 33434226
Have you got any GPOs that are setting Restricted Group memberships?
Or have you used the "Deny Logon Locally" setting in a GPO and misconfigured either it or where it is applied?
0
 
LVL 2

Author Comment

by:tarcis
ID: 33434250
I remember trying to mess with that option, but on "Deny logon locally" only "SUPPORT_xxxxxx" is listed.
I dont have any important changes in the GPO, thats why I thought I could reset it to the default values, maybe I messed it up and dont remember.
0
 
LVL 16

Accepted Solution

by:
cantoris earned 2000 total points
ID: 33435638
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 2

Author Comment

by:tarcis
ID: 33457171
Sorry it took me a while to respond, I just got back from the weekend and just tryed reseting the gpo to both domain and gc, it seems to have worked since gpupdate /force no longer removes the domain users from the builtin users group.

Not I have to wait for tomorrow to see if all regular users can logon again.

THANK YOU!
0
 
LVL 2

Author Comment

by:tarcis
ID: 33457568
typos:

2nd line: "both domain and DC..."
5th line: "NOW i have to wait..."
0
 
LVL 2

Author Closing Comment

by:tarcis
ID: 33566904
It worked.
The problem indeed was the "domain users" not being a part of the "built-in users" on the AD.
And reseting the GPO did the trick.

Thank you so much.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question