No logon interactively !!!

JayIT

MIS
Apr 3, 2002
147
US
"the local policy of this system does not permit you to logon interactively"

I get that error message when trying to log on to a W2K machine. The account is set up in AD. Is that block coming from the Domain Security Policy, and if so, where do I change that?

Thanks
 
Is that machine a DC?

Anyway, a good way to debug is to start with all the GPOs:
local, site, domain, OUs. That's also the order in which they are applied.
Because you are saying "on a w2k", I suppose that you have this problem on just one of the machines.
See what else this machine has. Check where it is located in AD! If it is a DC, then indeed it will not let you log on interactively. And this is set at the Domain Controllers container.
Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, soon MCSE2k
 
Here is the whole deal.

The only GPOs on my domain are the default GPOs, because most of my workstations are 98 machines.

If I create a new user called Joe in Active Directory and try to log on to the domain from a 98 workstation, no problem.

If I try to log on to the domain from a Windows 2000 Pro workstation, I get "the local policy of this system does not permit you to logon interactively" UNLESS, on the W2K Pro, I go to "Control Panel", "Users and Passwords" and add Joe as an administrator. Then it is fine, but if I add Joe as a simple user I get the error again.
 
So, there is a policy that affects your Win2k workstations.
Check local policy on them.
Check the GPO from the OU where your W2k wkst are located.
Check all possible GPOs.

Of course, you can use gpresult from the Win2k Resource Kit. It will tell you what policies are applied to a machine/user (/C just for computer).
Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, soon MCSE2k
 
I had the same problem, but on an XP Professional machine. It was very frustrating. The only way around it was to make the user an administrator of the local machine. I did not want to do that.

I found in my domain security policy that "log on locally" did not contain the group that the user was in. I added the group and then they could log on successfully.

It was weird because it doesn't sound right. It seems like you are giving them rights to log on to the server, but you are not.

I hope it works for you.
 
By default, there should not be any settings in the Domain Security Policy about logon locally (deny or allow). Actually they are "not defined".

It seems that you applied a security policy at the wrong level.

Security in a network must be planned. What you did is not a good approach. Patching like this will, in time, be a nightmare to debug.

Use Security Configuration and Analysis, check the configurations, and apply templates.


Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, soon MCSE2k
 
I did not change the policy default; it is still set. The change I made was under user rights.
 
Thanks to all for those answers.

Giabetiu, could it be that the security policy applied at the wrong level came from the old NT domain (I did an in-place upgrade)? Because right now all security policies are default. I did not add any GPO or policies.

Thanks


 