Interactive Logon Problem

[tonymcp]

Hey guys! Please see if you can help on this one. I completely replaced an old server that had a corrupted active directory with a brand new nice Xeon Server and configured a new domain with the existing workstations. I rejoined the workstations on the new domain (which has a different name as well) and after joining them some came up with the error message " The policy of this system does not permit you to log on interactively". I checked the local policies of the offending workstations and found nothing that would disallow an interactive logon. The server is new the operating system is new (and genuine) and the domain name is also a different name (and new). Does anybody have a clue why or what ? Please help !

Tony
AP CompuServices
MCP

 

[BenChristian]

Hi Tony,

This message is coming up on the workstations (not the DC) right? If you're checking the local policies on the workstations, you may not be seeing the complete picture. Although it doesn't sound like anyone would have implemented a GPO, it's worth checking to make sure that the workstations aren't inheriting this setting through Group Policy.

What I suggest you do is run an RSOP session on one of the workstations (log in with admin account that isn't affected by the issue you describe). If you haven't done this before:

- Run mmc.exe
- Add the Resultant Set of Policy Snap-in
- Right click on "Resultant Set of Policy" and click "Generate RSOP data"
- Select logging mode. Select the local workstation and one of the users that has a problem logging on to the workstation.
- When the wizard has finished, drill down to Computer Settings, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Allow login locally.

The list of objects that are listed in the 'allow logon locally' right will be the actual list that is applied to that machine.

You can also run gpresult.exe to see if any GPOs have been created in AD that are applying to the workstation.

Ben.

http://www.benchristian.com

 

[tonymcp]

Hi Ben,

Thanks for your comments and suggestions. But let me give you more details to help you help me. Yes the message comes up on the workstations and nobody except me has applied any group policy cause I built that server from scratch. But I have implemented group policy just for folder redirection though which shouldn't be a problem. Mind you even that policy was not implementing properly but what I did was I put the users in the administrators group and logged on the DC with each user and then the policy applied. For some reasons I am supposed to let the users have administrator privileges for a while and the ironic thing is that this message came up on 2 workstations on one day and on another 2 that were perfeclty fine the next day. Strange isn't it? I resolved the problem by rejoining the domain and tell the wizard to add a user as well at the end with administrator privileges. But it does not sound rational to me. I shouldn't have to do this. Also this means that it might happen again tomorrow with a different workstation. Thanks again, let me know if you can think of anything.

Tony
AP CompuServices
MCP