"the local policy of this system does not permit you to logon interactively" on xp machine

Posted on 2012-08-16
Last Modified: 2012-08-20
got report that one of our users tried logging into their xp machine in windows 2003 domain and got error that local policy  wont permit logon interactively.  Only admin works and this was ok day before.  Used gpedit to look at local security policy under user rights assignment and saw that only domain  admins allowed on machine and add button grayed out  so cant add any other users.  Most likely this was  caused by a microsoft update as i have seen it before with remote desktop getting same error after an update.  Temporarily put them in domain admin group and able to get in but obviously dont wanna keep this setting.  Is there a way to override the local policy with domain wide policy to allow user to get into their machine?  Would removing from domain then joining again work?  thanks  also tried system restore but didnt work so not sure now if it was an update.
Question by:dankyle67
    LVL 13

    Assisted Solution

    Sounds more like someone created a GPO and inadvertantly took out Domain Users for the "Log on Locally" rights.  

    Verify that his computer hasn't been moved to an OU that it shouldn't be in.  

    Check if any GPO policies are being applied that shouldn't be with the gpresult command from the command line.
    LVL 12

    Expert Comment

    Group Policies should trump local policy settings if applied.  If this has been allowed in the past via a default GPO then make sure that the policy is being applied to the computer.

    Run RSOP.MSC to see if the machine is applying policies, if not, what errors are being reported should be displayed there.

    Author Comment

    Sounds good, can you tell me the best way to access group policy management  console in the windows 2003 domain controller so i can look at these.  Is there a way to view them  through active directory?  I tried running gpmc.msc but got error.
    LVL 12

    Expert Comment

    gpedit.msc but you must have the Group Policy Management console installed from the Active Directory Mgmt Pack

    Author Comment

    i can actually run gpedit.msc on the domain controller so i guess i have it installed. From there which section should i look at or how do i create a policy to allow that user to log on to their machine and thus override the local policy currently set on it which is as i mentione grayed out so i cant add them as a user.  Is there a way to correct the local policy on that pc so i can correct the grayed out button to add users is my other question?
    LVL 12

    Accepted Solution

    only admins on the local machine can edit the local policy.  So adding the user to the local admin group fixes this, but you're trying to avoid that.

    To reset the local policies...

    The way this can be done is by using the default security configuration templates that come with all versions of Windows XP and Vista. This may sound too technical, but all you have to do is run one command.

    First, click on Start, Run and then type in CMD. Now copy and paste the following command into the window:

        secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

    If you are running Windows Vista/W7 and need to reset the security settings to their default values, use this command instead:

        secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

    reset local security policy

    That’s it! Now just wait for Windows to go through all the registry settings and reset them. It takes a few minutes and you’ll have to restart the computer to see the changes.

    Author Comment

    Ok thats a new one i havent heard of yet and looks useful so i will try later today after hours but still wanted to know about how to set up new policy or edit existing one which in other words would allow a certain user i select to be able to log on locally to any machine on the 2003 domain without being in the domain admins group so is there a way to do this?  thanks
    LVL 16

    Assisted Solution

    You need to check what the current settings are for that computer:

    1) Open Active Directory
    2) Locate the computer
    3) Right-click the computer > All Tasks > Resultant Set of Policy Logging
    4) Select the computer, next, select the user's account, next
    5) Click Finish
    6)It will take a few seconds to load
    7) Expand Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment

    8) See what it says for:

    Access this computer from the network   (normally should be "Users, Administrators")
    Allow log on locally  (normally should be "Users, Administrators")
    Allow log on through Remote Desktop Services
    Deny access to this computer from the network
    Deny log on locally
    Deny log on through Remote Desktop Services

    Make sure the user is not included any of the "deny" settings, and IS included in the "log on locally" setting. The "deny" overrides the "allow" settings.

    Author Comment

    Ok thanks

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
    A quick step-by-step overview of installing and configuring Carbonite Server Backup.
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now