• Status: Solved
  • Priority: Medium
  • Security: Public

SBS 2011 Local policy does not allow you to log in interactively AT A CLIENT MACHINE

I am helping a friend on vacation. His boss called saying a new user on their SBS 2011 box can't log into their desktop - they get the 'local policy does not allow you to log on interactively'.

This is a standard domain user logging in at a DESKTOP - I know only domain admins can get onto the SBS box directly.

Looking at local policy, I see the entry log in locally has 1 user that always sits at that desk, local admins and domain admins.  The add button and that screen is grey - can't add / change anything.

I wound up going into control userpasswords2 and making this user a local admin and she could get in.  

How would I put domain users in the log in local screen since it's greyed out (that was local policy on that machine - and she couldn't log in on other machines either so it's likely something someone did at each machine)? (to lock it to 1 user and local and domain admins).

Usually domain users would be in the 'log in locally' policy for a desktop, right?

I forget - does domain group policy override local policy or vice versa?
2 Solutions
mcsween, Sr. Network Administrator, commented:
This is probably set at a domain level group policy.  Also, check the "deny log in locally" policy setting.
James H, IT Director, commented:
I have seen servers do this but not desktops.
Here is the way to fix this.

Go to ---> Run ---> gpedit.msc --->
Computer Configuration --> Computer Configuration --> Windows Settings --> Local Policies --> User Rights Assignment --> Allow user logon locally --> Add user name
BeGentleWithMe-INeedHelp (Author) commented:
spartan - that's for the local machine, right? Have to go to each one? Can't do it at domain level?

Looking in Active Directory, I saw all the computers under the user folder.  Then in group policy, there's no GPs for that folder (but I guess I have to look above that to see what folders that users folder is in and if they have GPOs attached, right?)
mcsween, Sr. Network Administrator, commented:
Yes, look to see if there is a GPO linked at the domain level.  Someone may have modified the Default Domain Policy as well though this is against MS Best Practices.
Question has a verified solution.
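
To check what the answers above point to (a domain GPO defining "Allow log on locally" or "Deny log on locally"), this added PowerShell example, which is not code from the thread, lists who holds both rights on the affected desktop and writes the Resultant Set of Policy report that names the GPO that set them. The function name `Get-LogonRight` and the temp file names are assumptions; it assumes PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example, not from the thread. Run elevated on the affected desktop.
function Get-LogonRight {
    param([string]$InfText)   # contents of a "secedit /export /areas USER_RIGHTS" file
    foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,DOMAIN\user
        # A right that nobody holds has no line at all in the export.
        $m = [regex]::Match($InfText, "(?m)^$right\s*=\s*(.*)$")
        $entries = if ($m.Success) {
            $m.Groups[1].Value.Trim() -split ',' | Where-Object { $_ }
        } else { @() }
        $names = foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e.StartsWith('*')) {
                # "*S-1-..." is a SID; resolve it, or keep the raw SID if it cannot be resolved
                $sid = $e.TrimStart('*')
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $sid }
            } else { $e }
        }
        [pscustomobject]@{ Right = $right; Principals = @($names) }
    }
}

# Export the effective user rights (local settings plus anything applied by GPO).
$cfg = Join-Path $env:TEMP 'user-rights.inf'      # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-LogonRight -InfText ([IO.File]::ReadAllText($cfg)) | Format-List
Remove-Item $cfg

# Computer-scope RSoP report: under User Rights Assignment it shows the
# "Winning GPO" for each setting that came from the domain.
gpresult /h (Join-Path $env:TEMP 'rsop-computer.html') /scope computer /f
```

`SeInteractiveLogonRight` is "Allow log on locally" and `SeDenyInteractiveLogonRight` is "Deny log on locally"; a deny entry takes precedence over an allow entry for the same account.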
