

"the local policy of this system does not permit you to logon interactively" on xp machine

Posted on 2012-08-16
Medium Priority
Last Modified: 2012-08-20
Got a report that one of our users tried logging into their XP machine in a Windows 2003 domain and got an error that local policy won't permit logon interactively. Only admin works and this was OK the day before. Used gpedit to look at local security policy under user rights assignment and saw that only domain admins are allowed on the machine and the add button is grayed out so I can't add any other users. Most likely this was caused by a Microsoft update as I have seen it before with remote desktop getting the same error after an update. Temporarily put them in the domain admin group and they were able to get in, but obviously I don't wanna keep this setting. Is there a way to override the local policy with a domain-wide policy to allow the user to get into their machine? Would removing from the domain then joining again work? Thanks. Also tried system restore but it didn't work, so not sure now if it was an update.
Question by:dankyle67
LVL 13

Assisted Solution

xDUCKx earned 400 total points
ID: 38301484
Sounds more like someone created a GPO and inadvertently took out Domain Users for the "Log on Locally" rights.

Verify that his computer hasn't been moved to an OU that it shouldn't be in.  

Check if any GPO policies are being applied that shouldn't be with the gpresult command from the command line.
LVL 12

Expert Comment

ID: 38301547
Group Policies should trump local policy settings if applied.  If this has been allowed in the past via a default GPO then make sure that the policy is being applied to the computer.

Run RSOP.MSC to see if the machine is applying policies, if not, what errors are being reported should be displayed there.

Author Comment

ID: 38301567
Sounds good, can you tell me the best way to access the Group Policy Management Console in the Windows 2003 domain controller so I can look at these? Is there a way to view them through Active Directory? I tried running gpmc.msc but got an error.

LVL 12

Expert Comment

ID: 38301574
gpedit.msc but you must have the Group Policy Management console installed from the Active Directory Mgmt Pack

Author Comment

ID: 38301651
I can actually run gpedit.msc on the domain controller so I guess I have it installed. From there, which section should I look at, or how do I create a policy to allow that user to log on to their machine and thus override the local policy currently set on it, which as I mentioned is grayed out so I can't add them as a user? Is there a way to correct the local policy on that PC so I can fix the grayed out button to add users? That is my other question.
LVL 12

Accepted Solution

aindelicato earned 1000 total points
ID: 38301677
Only admins on the local machine can edit the local policy. So adding the user to the local admin group fixes this, but you're trying to avoid that.

To reset the local policies...

The way this can be done is by using the default security configuration templates that come with all versions of Windows XP and Vista. This may sound too technical, but all you have to do is run one command.

First, click on Start, Run and then type in CMD. Now copy and paste the following command into the window:

    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

If you are running Windows Vista/W7 and need to reset the security settings to their default values, use this command instead:

    secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose


That’s it! Now just wait for Windows to go through all the registry settings and reset them. It takes a few minutes and you’ll have to restart the computer to see the changes.

Author Comment

ID: 38301770
OK, that's a new one I haven't heard of yet and it looks useful, so I will try it later today after hours. But I still wanted to know how to set up a new policy or edit an existing one which, in other words, would allow a certain user I select to be able to log on locally to any machine on the 2003 domain without being in the Domain Admins group. Is there a way to do this? Thanks.
LVL 16

Assisted Solution

ThinkPaper earned 600 total points
ID: 38312339
You need to check what the current settings are for that computer:

1) Open Active Directory
2) Locate the computer
3) Right-click the computer > All Tasks > Resultant Set of Policy Logging
4) Select the computer, next, select the user's account, next
5) Click Finish
6) It will take a few seconds to load
7) Expand Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment

8) See what it says for:

Access this computer from the network   (normally should be "Users, Administrators")
Allow log on locally  (normally should be "Users, Administrators")
Allow log on through Remote Desktop Services
Deny access to this computer from the network
Deny log on locally
Deny log on through Remote Desktop Services

Make sure the user is not included in any of the "deny" settings, and IS included in the "log on locally" setting. The "deny" overrides the "allow" settings.
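As an added example (not posted by anyone in this thread), the same allow/deny check can be done on the affected PC itself from an elevated PowerShell prompt: export the applied user rights with secedit and read back who holds "Allow log on locally" (SeInteractiveLogonRight) and "Deny log on locally" (SeDenyInteractiveLogonRight). The account name and export path are placeholders; resolving whether the user sits inside a listed group (e.g. Users) is left to the reader.

```powershell
# Added example, not from the thread. Export the effective local security policy
# (local settings plus whatever GPO has applied) and list the principals that
# hold / are denied the interactive logon right. Run elevated on the affected PC.
param(
    [string]$Account    = 'CONTOSO\jdoe',                  # placeholder account
    [string]$ExportPath = "$env:TEMP\secpol-userrights.inf" # assumed scratch path
)

# secedit writes a UTF-16 .inf; USER_RIGHTS limits the export to the rights section.
secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
$lines = Get-Content -LiteralPath $ExportPath -Encoding Unicode

# Return the principals assigned to one right, translating *SID entries to names.
function Get-RightMembers([string[]]$Lines, [string]$Right) {
    $line = $Lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }   # right not present in the export = nobody holds it
    $values = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    foreach ($v in $values) {
        if ($v -like '*S-1-*') {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }             # unresolvable SID (orphaned or foreign domain)
        } else { $v }
    }
}

$allow = Get-RightMembers $lines 'SeInteractiveLogonRight'
$deny  = Get-RightMembers $lines 'SeDenyInteractiveLogonRight'

Write-Host "Allow log on locally : $($allow -join ', ')"
Write-Host "Deny log on locally  : $($deny  -join ', ')"

# Deny always wins, so report that first; a direct-name miss on the allow side
# still needs a group membership check (BUILTIN\Users normally covers domain users).
if ($deny -contains $Account) {
    Write-Warning "$Account is explicitly denied local logon; fix the deny entry first."
} elseif ($allow -contains $Account) {
    Write-Host "$Account is directly granted local logon."
} else {
    Write-Host "$Account not listed directly; check membership of: $($allow -join ', ')"
}
```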

Author Comment

ID: 38312507
OK, thanks.
