We help IT Professionals succeed at work.

"the local policy of this system does not permit you to logon interactively" on xp machine

got report that one of our users tried logging into their xp machine in windows 2003 domain and got error that local policy  wont permit logon interactively.  Only admin works and this was ok day before.  Used gpedit to look at local security policy under user rights assignment and saw that only domain  admins allowed on machine and add button grayed out  so cant add any other users.  Most likely this was  caused by a microsoft update as i have seen it before with remote desktop getting same error after an update.  Temporarily put them in domain admin group and able to get in but obviously dont wanna keep this setting.  Is there a way to override the local policy with domain wide policy to allow user to get into their machine?  Would removing from domain then joining again work?  thanks  also tried system restore but didnt work so not sure now if it was an update.
Watch Question

Top Expert 2012
Sounds more like someone created a GPO and inadvertantly took out Domain Users for the "Log on Locally" rights.  

Verify that his computer hasn't been moved to an OU that it shouldn't be in.  

Check if any GPO policies are being applied that shouldn't be with the gpresult command from the command line.
Group Policies should trump local policy settings if applied.  If this has been allowed in the past via a default GPO then make sure that the policy is being applied to the computer.

Run RSOP.MSC to see if the machine is applying policies, if not, what errors are being reported should be displayed there.


Sounds good, can you tell me the best way to access group policy management  console in the windows 2003 domain controller so i can look at these.  Is there a way to view them  through active directory?  I tried running gpmc.msc but got error.
gpedit.msc but you must have the Group Policy Management console installed from the Active Directory Mgmt Pack


i can actually run gpedit.msc on the domain controller so i guess i have it installed. From there which section should i look at or how do i create a policy to allow that user to log on to their machine and thus override the local policy currently set on it which is as i mentione grayed out so i cant add them as a user.  Is there a way to correct the local policy on that pc so i can correct the grayed out button to add users is my other question?
only admins on the local machine can edit the local policy.  So adding the user to the local admin group fixes this, but you're trying to avoid that.

To reset the local policies...

The way this can be done is by using the default security configuration templates that come with all versions of Windows XP and Vista. This may sound too technical, but all you have to do is run one command.

First, click on Start, Run and then type in CMD. Now copy and paste the following command into the window:

    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

If you are running Windows Vista/W7 and need to reset the security settings to their default values, use this command instead:

    secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

reset local security policy

That’s it! Now just wait for Windows to go through all the registry settings and reset them. It takes a few minutes and you’ll have to restart the computer to see the changes.


Ok thats a new one i havent heard of yet and looks useful so i will try later today after hours but still wanted to know about how to set up new policy or edit existing one which in other words would allow a certain user i select to be able to log on locally to any machine on the 2003 domain without being in the domain admins group so is there a way to do this?  thanks
ThinkPaperIT Consultant
You need to check what the current settings are for that computer:

1) Open Active Directory
2) Locate the computer
3) Right-click the computer > All Tasks > Resultant Set of Policy Logging
4) Select the computer, next, select the user's account, next
5) Click Finish
6)It will take a few seconds to load
7) Expand Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment

8) See what it says for:

Access this computer from the network   (normally should be "Users, Administrators")
Allow log on locally  (normally should be "Users, Administrators")
Allow log on through Remote Desktop Services
Deny access to this computer from the network
Deny log on locally
Deny log on through Remote Desktop Services

Make sure the user is not included any of the "deny" settings, and IS included in the "log on locally" setting. The "deny" overrides the "allow" settings.


Ok thanks

Explore More ContentExplore courses, solutions, and other research materials related to this topic.