Local system policies changing on their own???

LiLAmy

IS-IT--Management
Jun 28, 2002
22
US
When ANY domain user tries to log into a particular Win2K workstation they receive the following error message: "The LocalPolicy of This System Does Not Permit You to Logon Interactively". Upon logging in with a LOCAL account I find a strange entry in the Admin Tools -> Local Security Policy -> Security Settings -> Local Policies -> User Rights Assignment -> Log on locally properties. And there is a column for "effective policy settings" which I have never seen before. Inside that column there is a greyed-out checked box for this new entry, which I of course cannot uncheck. There is nothing in the "Deny Log on Locally" properties. Anyway, the only solution to the problem I've found is to remove the computer from the domain, and then re-join it. Unfortunately the symptom then re-appears the next day. And no domain user can log into that machine, receiving the above error message. The machine in question is a laptop and connects via VPN in the evenings. I have confirmed the unit to be virus-free. If anyone has any insight into this, it would be GREATLY appreciated. Thanks!
 
Who is set up to log on locally aside from the Admin? You may need to add users to that section of the Security policy. Try adding Everyone or Users. It sounds as if someone removed users from access without knowing. Once you add users, type the following at the command prompt to apply the settings:
secedit /refreshpolicy machine_policy /enforce

Let me know if that helps. James Collins
Field Service Engineer
A+, MCP

email: butchrecon@skyenet.net

Please let us (Tek-tips members) know if the solutions we provide are helpful to you. Not only do they help you but they may help others.
 
"Everyone" is in the local log on rights. As is the "strange and new" entry that I mentioned before. Apparently this entry is overriding everything else in the local log on rights properties. And it keeps re-appearing after a day or so. I'm so baffled!
 
Have you tried removing the strange and new entry? I have never heard of that one. Add the USERS to the list. Let me know what happens. James Collins
Field Service Engineer
A+, MCP

email: butchrecon@skyenet.net

Please let us (Tek-tips members) know if the solutions we provide are helpful to you. Not only do they help you but they may help others.
 
It will not let me remove the "entry". But the "Everyone" user is in the list of log on locally rights. It just seems to get over-ridden by something...
 
Check your server; you probably have some type of entry in there for all or some computers. Does this happen to all computers? If so, check the domain GPO and the site too. If this only happens to a few computers, figure out which ones, see where their container is and check for a GPO there.

GL Thanks, PAUL

 
Has this always happened? Try going into Local Users and Groups on the laptop, open the Administrators group and add the person who will use it. Admin is in there by default, so if you try it and you're a member of Admin and the problem doesn't pop up, that's your answer. (No guarantee though.) Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com
"Every step of life shows much caution is required".
Johann Wolfgang von Goethe (1749-1832); German poet and playwright.

 
Remember, Local Policies are applied first, then Site, Domain and OU (LSD-OU), so any local policy is overwritten by the site, domain, and OU. You will need to find the policy that is restricting people from logging on locally and correct it; it could be in the site, domain, or OU.

The reason you see the "effective rights" is because it is being overwritten by a higher level policy. CJ
- Jr. Rocket Man
 
I have the same problem as Mrs. LilAmy; just a simple question:
why can't I log on locally to Windows 2000 Server as a user, with a non-administrator login? FYI, I am using Active Directory.

I already created a new user on the Windows 2000 Server, but I can't log on locally to my Windows 2000 Server machine.
Could someone help me answer this question?

Thanks a lot for bothering you.
 
Is there any other group the user belongs to that doesn't have the rights to log on locally? A+, MCP, CCNA
marbinpr@hotmail.com

Keep fighting for your knowledge!

 
You can log on as a user on the server only if you have the rights to do it. Under Group Policies you should find one that gives you that right. A+, MCP, CCNA
marbinpr@hotmail.com

Keep fighting for your knowledge!

 
Hey guys, I just had this problem the other day and this article helped me fix the problem of a totally locked server.
Just follow the instructions and it's a piece of cake.

Also, the greyed-out column is the GPO, so just check the local setting of the GPOs and you should be able to find the culprit.

hope this helps
 
A domain server has the Domain Policy, the Domain Controller policy, and a local policy. Local is applied first, then the domain policy is applied. Of course, in Active Directory Users and Computers you can create an OU, put computers in it and assign it a policy, which would override the normal domain policy. This is where the effective settings come from (domain and OU policies). Best practice says that only Administrators, Server Operators, Backup Operators, etc. (basically everyone who would access the server, except for domain users (clients)) should be given the right to log on to servers locally. There are several vulnerabilities that allow normal users to do stuff, so the best practice is to only give Server Operators, Administrators, etc. the log on locally right. It just adds layers to security.

In one of your Domain or OU policies the policy is probably set to only allow administrators to log on locally. So you should create an OU for clients and an OU for servers other than domain controllers, since there is a domain controller policy, and apply policies accordingly. Of course there are vastly many other alternatives for setting up organizations other than this one.
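Two posts above come down to reading the "Log on locally" lists: CJ's post on LSD-OU precedence and the greyed-out "Effective setting" column, and the last post on keeping Everyone/Users off servers. The following is an added Python example, not from the thread and not a Microsoft tool, that works on the text `secedit /export /cfg <file>` writes (Windows 2000 and later). On a domain member that export is the local security database, i.e. the effective list after Site/Domain/OU policy applied; what the admin set locally is the local GPO's own template, GptTmpl.inf under %SystemRoot%\System32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit. Every INF below is constructed sample data, as are the domain SID S-1-5-21-1111111111-2222222222-3333333333 and the RIDs; the well-known SID table is real. The example applies the deny-wins rule, shows that a higher-level GPO's list replaces rather than merges with the local one (which is why "Everyone" can be listed locally and a domain user still be refused), and audits a server's list against the operator-only baseline the last post recommends.

```python
"""Added example (constructed data): reason about the "Log on locally" right
from the [Privilege Rights] section that `secedit /export /cfg <file>` writes."""

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"; always wins

# Well-known SIDs as secedit writes them (leading '*' is stripped on parse).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users", "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators", "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Groups the last post would leave on a server's "Log on locally" list.
SERVER_BASELINE = {"S-1-5-32-544", "S-1-5-32-548", "S-1-5-32-549",
                   "S-1-5-32-550", "S-1-5-32-551"}
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
DOMAIN_USERS, SOME_USER = DOMAIN + "-513", DOMAIN + "-1105"

# Constructed: the local template, where the admin added Users and Everyone.
LOCAL_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Constructed: the effective database after a domain/OU GPO applied. A GPO's
# user-right list replaces the local one outright, so Users and Everyone vanish.
EFFECTIVE_INF = LOCAL_INF.replace(
    "*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-1-0",
    "*S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551")
# Constructed: Everyone still allowed, but a GPO also denies Domain Users.
DENY_INF = LOCAL_INF.replace(
    "[Version]", "SeDenyInteractiveLogonRight = *%s\n[Version]" % DOMAIN_USERS)


def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from [Privilege Rights]. Members are
    '*SID' or plain account names; a right that is absent is simply not set."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [m.strip().lstrip("*")
                                    for m in value.split(",") if m.strip()]
    return rights


def friendly(principal):
    return WELL_KNOWN_SIDS.get(principal, principal)


def can_log_on_interactively(rights, token_sids):
    """LSA rule: a deny hit on any SID in the token wins; otherwise some token
    SID must hold the allow right. Returns (allowed, reason)."""
    token = set(token_sids)
    denied = token & set(rights.get(DENY, []))
    if denied:
        return False, "denied via " + ", ".join(sorted(map(friendly, denied)))
    granted = token & set(rights.get(ALLOW, []))
    if granted:
        return True, "granted via " + ", ".join(sorted(map(friendly, granted)))
    return False, ("The local policy of this system does not permit you "
                   "to log on interactively")


def explain_override(local_rights, effective_rights, right=ALLOW):
    """Local template vs effective database for one right. A difference is what
    the greyed 'Effective setting' column shows: a Site/Domain/OU GPO (LSD-OU,
    later wins) replaced the local entries; gpresult then names which GPO."""
    local = set(local_rights.get(right, []))
    effective = set(effective_rights.get(right, []))
    return {"overridden": local != effective,
            "removed_by_gpo": sorted(map(friendly, local - effective)),
            "added_by_gpo": sorted(map(friendly, effective - local))}


def audit_server_logon_right(rights):
    """Principals on a server's "Log on locally" list outside the operator-only
    baseline; Everyone, Users or any domain group shows up here."""
    return sorted(map(friendly, set(rights.get(ALLOW, [])) - SERVER_BASELINE))


if __name__ == "__main__":
    local = parse_privilege_rights(LOCAL_INF)
    effective = parse_privilege_rights(EFFECTIVE_INF)
    # A domain user's token: own SID, Domain Users, Everyone, local Users.
    token = [SOME_USER, DOMAIN_USERS, "S-1-1-0", "S-1-5-32-545"]
    print("local template:", can_log_on_interactively(local, token))
    print("effective     :", can_log_on_interactively(effective, token))
    print("deny wins     :", can_log_on_interactively(parse_privilege_rights(DENY_INF), token))
    print("override      :", explain_override(local, effective))
    print("server audit  :", audit_server_logon_right(local))
```

Run it against a real pair of files (`secedit /export /cfg effective.inf` and the local GptTmpl.inf) instead of the constructed strings and `explain_override` tells you exactly which principals the higher-level policy removed; that is the list to look for in the site, domain and OU GPOs (gpresult lists which ones applied to the machine). After fixing the GPO, `secedit /refreshpolicy machine_policy /enforce`, as posted above, pulls the corrected list down, and a fresh export should then match the local template again.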
 