
Is the Default Active Directory policy preventing login?

Status
Not open for further replies.

ilusv

Technical User
Dec 27, 2003
52
US
I finally set up my Sonic Wall & VPN - it works great when I access my servers. I tried accessing my PC (a client on the network) and the following message appeared while I was logging in.

“The local policy doesn't permit you to log on interactively”

I'm almost positive it's an Active Directory issue, what do you guys think? I am thinking it’s the default domain policy.

Your thoughts please

Thanks
 
I remember a similar issue when I was trying to use RDP from a server.

Two things you can check: the most important, I think, is to go into the properties for the user in the AD, select the "Terminal Services Profile" tab, and make sure the box labelled "Allow logon to terminal server" is checked.

If I remember correctly, this solved my problem.

You could also enable the remote access options in the "Remote Control" tab by clicking "Enable remote control".

Give that a shot and let me know what happens!
 
Sounds like a valid assumption. Are you logging on directly to the console (via remote control) or are you using TS to log on to your machine?
 
Cyberspace:

Yes, the "Allow logon to terminal server" is checked along with the "Enable remote control".


itsp1965:


I log in using my laptop from home. I have the Sonic Wall VPN client installed on my laptop. I establish a tunnel using the VPN client, then I launch the remote desktop application and key in the IP address of the machine.


Thanks for your feedback guys..


 
Go into the local security policy on the server and make sure you have the "logon locally" right.

Nick
 
Would that be under Computer Config > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on locally?

If that's the case, I have done that and added the user, yet I get the same error message.
 
I got the same message when using RDP as well. Look at the groups that other users who can do this belong to, to see if that helps. Are you a member of the Admin group? If you are and can't get in, then that would rule out permissions.
 
You need to be a member of the local Remote Desktop Users group, i.e. on the PC. If it is necessary for all users to be able to RDP onto their desktops from a VPN, then include a command in the login script to add Domain Users to the local Remote Desktop Users group.

Do it something like this:

Create a new batch file, rdp.bat, in the SYSVOL scripts folder and edit it with the following:
if exist C:\WINNT goto END
if exist C:\group.txt goto END
net localgroup "remote desktop users" /add "%domainname%\domain users"
echo "Group Added" > C:\group.txt
:END

First line checks to see if the OS is W2K and skips to the end. Second line checks if the operation has already been carried out. Third line adds the Domain Users group. Fourth line creates a txt file on the local PC. Obviously replace %domainname% with your domain.

Add a line in the user's logon script to call rdp.bat.

Hope this helps
Ian
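
Why the group membership decides this, as an added example that is not part of any post in this thread: on the PC, Remote Desktop Users is by default a group granted "Allow logon through Terminal Services" (SeRemoteInteractiveLogonRight), and a deny entry overrides any grant. The sketch checks the SIDs in an account's logon token against a secedit user-rights export; the sample export, the SIDs and the function names are constructed for illustration.

```python
# Added example: decide from a secedit user-rights export whether an account
# may log on over Remote Desktop. All SIDs below are constructed sample values.
# Real export: secedit /export /cfg rights.inf /areas USER_RIGHTS
# (the file is UTF-16; read it with open(path, encoding="utf-16")).

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
[Version]
signature="$CHICAGO$"
"""

RDP_USERS = "S-1-5-32-555"                     # well-known: Remote Desktop Users
DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"   # constructed domain, RID 513
ALICE = "S-1-5-21-1111-2222-3333-1104"         # constructed user
BOB = "S-1-5-21-1111-2222-3333-1105"           # constructed user on the deny list

def parse_privilege_rights(text):
    """Return {right name: set of SIDs/names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SID entries carry a leading '*'; plain account names are kept as-is.
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def rdp_logon_verdict(rights, token_sids):
    """token_sids: the user's own SID plus the SID of every group in the token."""
    token = set(token_sids)
    denied = rights.get("SeDenyRemoteInteractiveLogonRight", set()) & token
    if denied:                                  # deny always wins over allow
        return "denied", sorted(denied)
    allowed = rights.get("SeRemoteInteractiveLogonRight", set()) & token
    return ("allowed", sorted(allowed)) if allowed else ("not granted", [])

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_EXPORT)
    print(rdp_logon_verdict(rights, [ALICE, DOMAIN_USERS]))             # before the fix
    print(rdp_logon_verdict(rights, [ALICE, DOMAIN_USERS, RDP_USERS]))  # after the fix
    print(rdp_logon_verdict(rights, [BOB, DOMAIN_USERS, RDP_USERS]))    # explicit deny
```

Adding Domain Users to Remote Desktop Users makes every domain account pass this check on that PC, so where only some users need RDP, a narrower group keeps the right scoped to them.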
 
It worked.. finally :) thanks a million zigcoors
 