Solved

Allow logon locally on server group policy

Posted on 2016-07-19
18
206 Views
1 Endorsement
Last Modified: 2016-07-26
This may seem a little stupid, but I need clarification. I have been going over the group policy on a Server 2012 R2 computer. I was looking at the Allow logon locally setting in the group policy. It is the default setting. My question: does this policy also affect who can log on locally to computers that are joined to the domain, or just who can log on locally to the server?
Question by:MomForLife
18 Comments
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41720073
It depends.

Are you changing it from the Local Security Policy console (secpol.msc) or from the AD Group Policy Management Console (gpmc.msc)?

If it is the first one, Local, then it is only applicable to the local server itself, which affects how they can log on to the OS via the console.

Please note that this is different from the RDP permission.

Usually the "Allow Logon Locally" is for granting an AD service account to run the service or tasks on the server.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41720092
usually the "Allow Logon Locally" is for granting AD service account to run the service or tasks in the server.

I really hope people do not do this...

Permissions for a service account on a server are:

Deny logon locally (prevent the service account logging on locally)
AND
Allow logon as a service (if running as a service)
OR
Allow logon as a batch job (if running as a scheduled task)

does this policy also affect  who can logon locally to computers that are joined to the domain or just who can logon locally to the server?

Allow logon locally will default to users and administrators (that is the local users and administrators groups on the server) if you have never defined this policy...if I recall correctly. How it applies depends on where you have linked your policies (which OU's) and which OU the various computers are in.
1
 

Author Comment

by:MomForLife
ID: 41720097
I am going in through gpmc.msc. For some reason I was thinking that this would also affect the policy on user computers connected to the domain. I am having trouble with two domain users logging into the same computer. One can log in but the other one can't. I get an error.

Sign in method you are using is not allowed.  Contact  Network Administrator.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41720100
Check that they have the log on locally user right if they are logging on locally. If they're logging on remotely, check that they have the Allow log on through terminal services right. By default on a member server this would be members of: Administrators and Remote Desktop Users (these are the server local groups).
0
 

Author Comment

by:MomForLife
ID: 41720107
It is just a workstation with users accessing network folders. So you are saying I need to log in with the account that is allowing me in and check the local policy?
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41720117
Yes, check the rights assignments. Check the local group memberships. Make sure the user is not denied logon locally.
0
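One way to do the check Learnctx describes (effective rights assignment plus the account's group memberships) from the workstation itself. This is an added example, not code from the thread; it assumes an elevated PowerShell prompt on the domain-joined workstation and that the account is given as a UPN (user@domain), which the WindowsIdentity constructor resolves via an S4U logon to obtain the group SIDs the account's token would carry.

```powershell
# Added example (not from the thread): report whether an account is covered by the
# effective "Allow log on locally" / "Deny log on locally" user rights on this machine.
# Assumes an elevated prompt on the domain-joined workstation and a UPN for the account.
param([Parameter(Mandatory)][string]$Upn)

# secedit exports the effective (GPO-applied) rights; values are comma-separated SIDs prefixed with '*'
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -Force

function Get-RightSids([string]$Right) {
    $line = $policy | Where-Object { $_ -like "$Right*=*" } | Select-Object -First 1
    if (-not $line) { return @() }          # right not defined in policy
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Resolve-SidName([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }                          # deleted or foreign-domain SIDs are shown raw
}

# Assumption: S4U logon builds the token (user SID + domain and local group SIDs) without a password
$identity  = New-Object System.Security.Principal.WindowsIdentity($Upn)
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$allow = Get-RightSids 'SeInteractiveLogonRight'
$deny  = Get-RightSids 'SeDenyInteractiveLogonRight'

# A Deny assignment always overrides Allow, which is what the sign-in error in the thread reflects
$grantedVia = $allow | Where-Object { $tokenSids -contains $_ } | ForEach-Object { Resolve-SidName $_ }
$deniedVia  = $deny  | Where-Object { $tokenSids -contains $_ } | ForEach-Object { Resolve-SidName $_ }

"Allow log on locally is granted to: " + (($allow | ForEach-Object { Resolve-SidName $_ }) -join ', ')
if ($deniedVia)      { "RESULT: $Upn is DENIED local logon via: $($deniedVia -join ', ')" }
elseif ($grantedVia) { "RESULT: $Upn can log on locally via: $($grantedVia -join ', ')" }
else                 { "RESULT: $Upn matches nothing in Allow log on locally; grant the right to a group in the GPO" }
```

The same export also contains SeRemoteInteractiveLogonRight (Allow log on through Remote Desktop Services), so the two right names can be swapped to check RDP access instead.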
 

Author Comment

by:MomForLife
ID: 41720121
Ok, here is another question. What if for some reason I am not allowed to access the policy on the computer? I had tried accessing it before and it seemed to give me an error.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41720137
I'm not sure. In theory, if GPOs are applying correctly to the device then you could just generate RSOP from a DC. Or check the GPOs applying to the machine's OU. It could be there's a problem with the machine and the OS is stuffed. You would need to check the event logs.
0
 

Author Comment

by:MomForLife
ID: 41720140
Do you use gpresult /r?
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41720147
You can but I tend to use the one built into GPMC, particularly if I don't trust what I might get back from the endpoint.

If you open gpmc.msc, down the bottom on the left pane you should see Group Policy Modelling and Group Policy Results. Group Policy Modelling will create a model of what policies and their settings should apply to a device. You can do things like change group membership, etc. to test effects. Group Policy Results is just RSOP via GPMC and will pull the results of what is applying from the remote machine.
0
 

Author Comment

by:MomForLife
ID: 41720164
OK, will try it out.
0
 

Author Comment

by:MomForLife
ID: 41721315
Ok, I was able to view the local policy on the user's computer. However, I could not change Allow log on locally. It is grayed out. What can I do to allow changes? Other policies allow me to change them, but not Allow log on locally.
0
 
LVL 17

Accepted Solution

by: Learnctx (earned 500 total points)
ID: 41721945
The setting will be greyed out because it is set by group policy. To update it, you will need to update the relevant group policy; if you don't normally do this you would need to contact your administrator. I assume these are domain joined devices.
0
 

Author Comment

by:MomForLife
ID: 41723122
Found the group policy on the server. Apparently it is the setting on the server that has a group policy Allow log on locally. It has specific users listed: one is the Administrator and the others are AD users that don't have admin rights. This is causing my local workstations on the network that are joined to the domain to only be able to log on to that workstation if they are on the list set by the group policy. The only other way I can have other users log in to that workstation is if I add an AD user to the admin group for the local computer.

Any idea why someone would set this up like this? I normally let any user log in to any computer with their AD user account.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41723919
I don't know why anyone would add specific users to a policy like that. It is unusual. Yes, typically all domain users would be able to log on to all workstations. If you were to restrict a particular workstation then you would do it with a group rather than individual users. The only reason to restrict a device is to really lock it down and if you wanted to do that you would need to go beyond just changing who can log on locally. You need it physically secured, secured on the network, the works.
0
 

Author Comment

by:MomForLife
ID: 41730432
Thanks for everyone's input.
0
 

Author Closing Comment

by:MomForLife
ID: 41730503
Thank you
0
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41730512
No problem.
Glad to help you as well Mom.
0
