Issue on Windows Server 2008 R2

I'm having a problem on my network. It's running WS 2008 R2 and the workstations are XP Pro. We have just set up the domain and everything was working fine; then we tweaked the software restriction policies and just added an additional rule to block the path of the software we intended to block. After doing this, all the users on the domain started having problems logging in; they got the message "Local Policy of this System Doesnt permit you to login interactively".

To fix this we restored the security settings using the following command: "secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose" on each computer, logged in as a domain admin. Now users can log in with no problems until the next day, then they get the same issue and the same solution is applied. This happens to some computers and some users; it's not the same users/computers all the time.

But the worst thing is that on 2 specific computers, no matter who logs in, the billing software doesn't work; it only works if I log on as an admin. We have even uninstalled and reinstalled the software and the same thing happens. We have removed the additional rule that was created to block Firefox, and also restored to default the domain GPO and the default domain DC GPO using "dcgpofix /target:both". The problem is still there, and the thing I don't understand is that the users can log in and use the billing software on any computer but 2. I even tried removing and re-adding the computer from the domain and the problem persists. What can I do?

Any help will be greatly appreciated.
1 Solution
Run an RSOP (Logging) on a User account/Computer.  Check to verify that:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Allow log on locally -> Not defined
or that Domain Users are allowed to log in (And domain admins).
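The same check can be run offline against an exported security template, as an added example that is not part of the original answer. It assumes the INF layout written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample text is constructed, and membership through other nested groups is not resolved.

```python
import re

# Constructed sample in the security-template INF layout that
# `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

BUILTIN_USERS = "S-1-5-32-545"  # local Users group, which normally contains Domain Users
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # <domain SID>-513


def parse_privilege_rights(inf_text):
    """Return {right name: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def covers_ordinary_users(principals):
    return any(p == BUILTIN_USERS or DOMAIN_USERS.match(p) for p in principals)


def check_interactive_logon(rights):
    """Flag the two settings that stop ordinary users logging on at the console."""
    findings = []
    allow = rights.get("SeInteractiveLogonRight")  # "Allow log on locally"
    if allow is not None and not covers_ordinary_users(allow):
        findings.append("allow list is defined but omits Users / Domain Users")
    if covers_ordinary_users(rights.get("SeDenyInteractiveLogonRight", [])):
        findings.append("deny list includes Users / Domain Users")
    return findings


if __name__ == "__main__":
    for finding in check_interactive_logon(parse_privilege_rights(SAMPLE_INF)):
        print(finding)
```

A real export is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.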
Diego_Jaen (Author) commented:
I checked that and changed the Allow log on locally to Domain Users and Admins. OK, I think that could have solved the issue with getting "Local Policy of this System Doesnt permit you to login interactively".
Then I'm left with one more problem: the billing software will not work for any user other than the Admin. The only way I have found to get the regular users to be able to use the program is to make them members of Domain Admins and Enterprise Admins, both of them; it doesn't work with just one or the other. Now I realize this is a crap solution, but it's as far as I have got, so any ideas of why this could be the case will be greatly appreciated.
Thanks in advance
Do the users have local admin rights on their system? Perhaps you can try changing the user rights on the program's directory, or at least compare the rights on those (user / program dir.) between a system that works correctly and one that doesn't. I assume your billing software is installed locally on the XP systems and the data is on the 2008 R2 machine.

In this case check for possible differences. Perhaps there are some rights which have not correctly been reversed by undoing the software restriction policies.

You can use Process Monitor from www.sysinternals.com to see where the permissions issues arise from with your Billing App. Log in as a non-admin user, and Shift-Right-click procmon.exe to RunAs administrator. Then use your troublesome app and get it to misbehave. Stop Procmon from collecting data and then start going through the results. Exclude the things that are not of interest to look for the "Access Denied" values in the Result column. Typically I exclude all the different entries in the Result column one by one until I'm left with just the "Access Denied" ones. Some Access Denied messages can be ignored and are due to lazy programming, e.g. access denied when accessing a Windows system file. Typical findings are the app wanting full control to the following places:
C:\Program Files\<app's folder>\
C:\Program Files\Common Files\<app's folder>\
an INI file in  c:\windows\
C:\Documents and Settings\All Users\Application Data\<app's folder>\
HKLM\Software\<app's key>\
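The filtering described above can also be done on a trace saved from Process Monitor as CSV, as an added example that is not part of the original answer. It assumes the default export columns; `billing.exe`, the `BillingApp` paths and the choice to ignore only `C:\Windows\System32` are placeholders and assumptions, not details from the thread.

```python
import csv
import io
from collections import Counter

# Constructed sample in Process Monitor's default CSV export columns.
# billing.exe and the BillingApp paths are placeholders, not names from the thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.10","billing.exe","1234","CreateFile","C:\Program Files\BillingApp\data.mdb","ACCESS DENIED","Desired Access: Generic Read/Write"
"9:01:02.11","billing.exe","1234","CreateFile","C:\Program Files\BillingApp\billing.log","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.12","billing.exe","1234","RegSetValue","HKLM\Software\BillingApp\LastRun","ACCESS DENIED",""
"9:01:02.13","billing.exe","1234","CreateFile","C:\WINDOWS\system32\kernel32.dll","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.14","billing.exe","1234","CreateFile","C:\WINDOWS\billing.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.15","explorer.exe","988","CreateFile","C:\Program Files\BillingApp\data.mdb","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.16","billing.exe","1234","CreateFile","C:\Program Files\BillingApp\help.chm","SUCCESS","Desired Access: Generic Read"
'''

# Assumption: only denials under System32 are treated as ignorable noise,
# because an INI file directly in c:\windows\ is one of the typical findings.
IGNORED_PREFIXES = ("c:\\windows\\system32\\",)


def denied_locations(csv_text, process_name):
    """Count ACCESS DENIED results per folder or registry key for one process."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # another process touching the same files
        if row["Result"] != "ACCESS DENIED":
            continue  # same effect as excluding every other Result value
        path = row["Path"]
        if path.lower().startswith(IGNORED_PREFIXES):
            continue  # system-file denials that can be ignored
        # Group by containing folder or registry key: that is where the ACL is compared.
        hits[path.rsplit("\\", 1)[0]] += 1
    return hits.most_common()


if __name__ == "__main__":
    for location, count in denied_locations(SAMPLE_CSV, "billing.exe"):
        print(f"{count:3d}  {location}")
```

If the saved file starts with a byte-order mark, read it with `open(path, encoding="utf-8-sig", newline="")` so the first column name parses cleanly.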
Diego_Jaen (Author) commented:

I couldn't fix these problems, so I temporarily gave admin rights to the users with problems and now they can use the software normally.
Diego_Jaen (Author) commented:
I couldn't find another way to fix this, except for my solution.
