The local policy does not permit logon ~ Urgent Help needed!

Status
Not open for further replies.
Feb 26, 2005
I have 3 Windows 2003 DC's and 6 Windows 2003 member servers. Out of nowhere
today, I cannot log on to the DC's. I get the error message that the local
policy does not permit logon interactively. I only get this on the DC's. I
can log on without a problem on all other computers and servers. I have checked
the Default Domain Controllers policy. Nothing that I can see has changed.
Even though the log on locally right was undefined, I tried to define it to
help my situation. I added domain admins and administrator to the log on
locally config in the default DC GPO. I ran gpupdate /enforce on all DC's and
I STILL can't log on. I just don't see what I have missed. I had made zero
changes to the GPO. I can, however, use remote desktop to get to the servers,
but I need to be able to log on at the console. Please help! Thanks guys!!

Marie
 
Is it possible that the account you are trying to log on with was mistakenly placed in a group that has been denied logon locally rights?
 
I'm not sure. How would I check? I thought the Deny option could only be set in the GPO and I've checked that, it is undefined.
 
Who's in the Allow Logon Locally setting? Is the account you are using defined there? Are you logging on with an Administrator account?
 
It WAS undefined. When the problem started this morning I went in and defined the setting and added the administrator account to it. But that didn't seem to make a difference at all.
 
I'm sorry, that was a typo, I did do the gpupdate /force command and it completed successfully and showed up fine in the event viewer.

 
I'm going to ask (hopefully) dumb questions, but please bear with me as the answers aren't listed above.

1) Are you signing on with an account that is a member of the Domain and/or Enterprise Administrators group?

2) Are there other Administrator accounts? Do these have the same problem? Can anyone signon locally to the DCs?

3) If there are other Admin accounts, is it possible someone accidentally (deliberately?) demoted your account's status?
 
No, that's OK, I would ask the same if I were troubleshooting this problem!

1) Yes, I am signing on with domain administrator, which is still a member of all the default groups including enterprise admin and admin group.

2) Yes, there is an exact copy of the administrator account I copied months ago. This is also the account I usually use and have had no problems with up until today as this account does not either.

3) We have a few people that are members of the domain admin group and if they did do anything of that nature, they did it by accident. Yet, there have been no changes from what I can see. The admins are all still in the same groups, and the GPO for the DC's is edited to allow the right to log on locally to EVERYONE.

I'm stumped! I just can't see how this has happened. The GPO seems to be processing fine and I can rdt into the DCs, just not log on locally at the console.

 
Another stupid question: have you shut down all DC's and restarted them?
 
Well, actually no. I have only been able to restart one of them because the others are being heavily used at the moment.
 
So I take it the one that was restarted, still no luck.
Can you rdt using your login credentials? Assuming you are the administrator.
 
Have you got GPMC installed on any of the DC's? Then you can use gpmc.msc from your workstation to hopefully access the Group Policies on the server. Works normally, just not sure if it's going to work in your case.
 
Hey GrimR,

Yes, I've got GPMC installed on my PC and have made changes to the GPO to allow my admin group to log on locally and have run gpupdate but still nothing.
 
Have you loaded the adminpak.msi on your XP machine?
 
I have all the resource and support tools on my XP machine.

Also, just to test, I just moved one of my DC's out of the Domain Controllers OU and into the Domain computers OU just to see how it would process the default domain GPO and I STILL get the error message that I'm not permitted to log in interactively.

I am so stumped!
 
I've put myself in all the domain admin groups, I've tried the default domain administrator account that is built in with windows, I've double checked that the account is in all the groups.

There are no denies defined anywhere in any GPO. I'm so confused! And it's only a problem with the domain controllers. And, like I said earlier, I even tried putting one of the DC's in the domain computers OU. This is driving me nuts!
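
An added example, not part of the thread: one way to check what a DC has actually applied, rather than what the GPO editor shows, is to export its user rights over the working remote desktop session with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and evaluate the two interactive-logon rights the replies ask about. The export text, the domain SID and the function names below are constructed for illustration.

```python
# Added example: evaluate interactive-logon rights from a secedit export.
# SAMPLE_EXPORT is constructed sample data (hypothetical domain SID), not from the thread.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-1-0
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512,Guest
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes SIDs with '*'; unresolved entries may be plain names.
        rights[name.strip()] = {
            p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
        }
    return rights


def interactive_logon_verdict(rights, token_principals):
    """token_principals: SIDs/names of the user and every group in its logon token."""
    token = {p.lower() for p in token_principals}
    denied = rights.get("SeDenyInteractiveLogonRight", set()) & token
    allowed = rights.get("SeInteractiveLogonRight", set()) & token
    if denied:                      # a deny entry wins over any allow entry
        return "denied", sorted(denied)
    if allowed:
        return "allowed", sorted(allowed)
    return "not granted", []        # in neither list: console logon is refused


if __name__ == "__main__":
    d = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
    token = [d + "-500", d + "-512", "S-1-5-32-544", "S-1-1-0"]
    print(interactive_logon_verdict(parse_privilege_rights(SAMPLE_EXPORT), token))
```

A real export is normally written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_privilege_rights`.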
 