Group/Local Policy => Insanity

Jan 23, 2008
Hello, if some kind soul is able to help me figure this out I would be eternally grateful.

Windows XP workstations, Windows Server 2003 Standard Domain Controller

There are 10 machines in a customer service area that require customer service agents to be set as ADMINISTRATORS in order to log on locally. Whoever set this up this way should be SHOT in the HEAD. Sorry. Deep Breath.

I cannot find where this is set.

Here's the info I DO know:

If I login as an administrator on one of these boxes and run cmd/k gpresult I get these pertinent facts (ran a gpupdate right before):

workstation IS a member of the domain
Applied group policy: default domain policy
local group policy: not applied (Empty)
computer is in these groups(no more, no less)
builtin/administrators
everyone
builtin/users
nt authority/network
nt authority/authenticated users
the "computername$" group
domain computers

On my 2003 server
default domain policy
computer config
windows settings
security settings
local policies
user rights assignment
deny logon locally is NOT DEFINED
restricted groups contains no items


When I try to login (to the domain) as a customer service user I get "Local Policy of this system does not permit you to logon interactively"

I can login to my computer as the user, and the only local security (users) I have set up on my machine is admins for the domain and the local admin, and myself. No other groups or users.

What else should I be looking at? It's driving me BONKERS. Please save the sanity of this little admin.

Thanks in Advance!

 
Well... hmmm I was excited there for a moment, but it's not a remote connection issue. I can remote desktop to the machine and login as the domain admin, or myself, but not as the customer service user(s). I really don't think it has anything to do with any group membership, and think it must be something on the local machine, because the users can login at any other machine, except for the machines in THAT room. But the cmd /k gpresult shows NO local policy and the group policy is being applied. It really doesn't make any sense at all. Thank you so much for taking the time to post though, I really do appreciate it.
 
Check for this:
Create an OU to hold this computer account(s), move the computer account(s) to the OU, then create a Group Policy on the OU with the Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Log on Locally policy modified to allow only the proper security group (plus Domain Admins as a safety).

Also, make sure there isn't a local security policy in place as well that does the same.

Chris
IT Manager
Houston, Texas
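
One way to check the local side of what the reply above describes, as an added example that is not part of the original thread: export the workstation's user rights with secedit and list who holds the allow and deny "log on locally" rights (SeInteractiveLogonRight and SeDenyInteractiveLogonRight). The sample export, the function name Get-LogonRightHolders and the C:\temp\rights.inf path are constructed for illustration.

```powershell
# Added example. On an affected workstation, produce the real input with:
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
# and pass (Get-Content C:\temp\rights.inf) instead of $sample.
# C:\temp\rights.inf is a placeholder path.

# Constructed sample: an export where only Administrators may log on locally.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

function Get-LogonRightHolders {
    param([string[]]$Lines)
    foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        # Anchored match so SeRemoteInteractiveLogonRight is not picked up.
        $line = $Lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        if (-not $line) {
            [pscustomobject]@{ Right = $right; Holder = '(no entry in export)' }
            continue
        }
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            $name = $entry
            if ($entry.StartsWith('*')) {
                # Entries starting with * are SIDs; resolve them to account names.
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = "$entry (unresolved)"
                }
            }
            [pscustomobject]@{ Right = $right; Holder = $name }
        }
    }
}

Get-LogonRightHolders -Lines $sample | Format-Table -AutoSize
```

If neither the user nor any group the user belongs to appears under SeInteractiveLogonRight, the interactive logon is refused; comparing this output between a working machine and one from the affected room shows which assignment differs.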
 
Is the domain users in the local users group and the agent account in the domain users group?

Whatever the group is that you created should link to the local users group of the machine.

Didn't see it listed so figured I would ask.

 