Group Policy troubles - Unable to login

Status
Not open for further replies.

hambo12

Technical User
Dec 16, 2003
60
AU
This one is for the Group policy gurus out there:

A bit of background first:

I am playing around with Organizational Units and Group Policies at the moment, trying to get my head around the options and setup etc.

I have six or so computers on the domain, and have connected a test machine on the domain. The DC is Server 2003, the test machine XP Pro.

On the Domain Controller, I have created a test OU, called 'test'. I have created a new user in that OU, called 'tester'. I have created a Group Policy, and applied it to that OU. I have not set up anything in the group policy as yet. Everything is default.

I attempted to logon to the test machine (locally, not through Terminal Services) using the 'tester' account, only to get the following error message:

"the local policy of this system does not permit you to logon interactively"

I have since found out that only the domain admins and administrators have the ability to log in to the computer.

I have found the following information: And have done as it says, yet this does not fix the problem. Only adding the user to the domain admins group fixes the problem.

Any ideas?
 
Sounds like the local policy of the computer is screwed up. Click Start --> Control Panel --> Administrative Tools --> Local Security Policy. When it opens, right click on Security Settings on the left, and select Import Policy... Select the Setup Security.inf and click Open. This should take your machine's local policy back to the defaults and hopefully allow you to log on.
 
You do not need to add yourself to the domain admin group to login... only to the local admin group of the computer.

If you want to work around this you have to modify the group policy and add your account in to the log on locally setting. If you are trying to RDP into the server you need to be a member of the remote users group as well.
 
Thanks for the info guys, however, I still can't login.

Flodigs: I reset the local policy, but it didn't work.

zram: I don't want to give the users local admin rights, I want to lock down the desktops using group policies...
 
Is domain users a member of the local users group on the machine?

Try placing an account in there and seeing if they can log on.
 
Domain users are already added to the 'users' group on the local computer...
 
So you have added the "tester" user account to the "allow logon locally" setting. Got it. Where did you do that at, the group policy linked to the test OU?

If so, is the XP workstation you are trying to logon to in the test OU? (it needs to be or else that setting will not be applied to the XP machine)
 
Thanks for the info, it worked! Sort of...

I added the computer to the OU, which didn't fix the problem.

I then added the 'domain computers' group to the 'allow local login' list in the group policy. This allowed me to logon.

It's weird, I had to add the computer to the list to allow it to login to itself...?!?!

Damn Microsoft, giving me a headache!

Thanks everyone again for the help, I'm sure I'll be asking quite a few more questions in my travels!
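
An added example, not part of the original thread: one way to check which principals actually hold the "log on locally" right on a workstation is to export its user rights with `secedit` and compare `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight` against the SIDs in the user's token. The export text, the SIDs and the helper names `Get-LogonRight` and `Test-InteractiveLogon` are constructed for illustration.

```powershell
# Added example; Get-LogonRight and Test-InteractiveLogon are hypothetical helper names.
# On a real machine, produce the input with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $text = Get-Content "$env:TEMP\rights.inf" -Raw
# Constructed sample (SIDs made up): only Administrators (544) and Domain Admins (-512) are allowed.
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
'@

function Get-LogonRight {
    param([string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($raw in ($InfText -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only assignments inside [Privilege Rights] are user rights
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2]
            # Comma-separated principals; a leading * marks a SID rather than a name
            $rights[$name] = @($value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-InteractiveLogon {
    param([hashtable]$Rights, [string[]]$TokenSids)
    $allowedVia = @($TokenSids | Where-Object { $Rights['SeInteractiveLogonRight'] -contains $_ })
    $deniedVia  = @($TokenSids | Where-Object { $Rights['SeDenyInteractiveLogonRight'] -contains $_ })
    [pscustomobject]@{
        AllowedVia = $allowedVia -join ', '
        DeniedVia  = $deniedVia -join ', '
        CanLogOn   = ($allowedVia.Count -gt 0 -and $deniedVia.Count -eq 0)  # deny wins over allow
    }
}

$rights = Get-LogonRight $sample
# Constructed token for 'tester': user SID, Domain Users (-513), BUILTIN\Users (545)
$domain = 'S-1-5-21-1111111111-2222222222-3333333333'
$tester = "$domain-1105", "$domain-513", 'S-1-5-32-545'
Test-InteractiveLogon -Rights $rights -TokenSids $tester
Test-InteractiveLogon -Rights $rights -TokenSids ($tester + 'S-1-5-32-544')
```

User rights assignment is a computer-side setting, so a GPO that changes it has to apply to the workstation's computer object, which is why the thread asks whether the XP machine is in the test OU. On a live system, `whoami /groups` lists the SIDs to pass as the token.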
 