Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

User acct permissions 2

Status
Not open for further replies.
SepMan76

SepMan76

Technical User
Apr 5, 2001
45
US
I am new to server administration. I am trying to set up Term Services so that users may login to the server but not change the date... but when I create a user who is in the User group, they are not allowed to login. I get the following error:

"The local policy of this system does not permit you to logon interactively"

I get this from the console and a Term Srvr session. What value(s) need tweaking in order to allow the user to logon?

Thank you in advance!
 
Sort by date Sort by votes
The users group needs to be added to the "logon local" policy found in user manager under the policies menu in user rights.
 
Upvote 0 Downvote
I am still having some trouble here.
I am actually running Small Business Server, so the Computer Management-> Settings -> Local Users and Groups is disabled and it tells me to use the AD Users to manage the domain accounts (the server is a domain controller).

I have created a security group (GROUP_TEST) in the active directory and added a user (USER1) to the group. Next, I went to Local Security Settings -> Local Policies -> User Rights Assignments and added GROUP_TEST to the "log on locally" policy.

I still cannot logon and continue to get the error message above. The policy takes effect immediately, right? When I am adding users/groups to the "log on locally" policy, there are two columns: Local Policy setting and Effective Policy Setting. For GROUP_TEST, the Local Policy Setting is checked, but the Effective Policy Setting is NOT check and is greyed out. What does that mean? How do I change the "Effective" setting?

Once again, your help is much appreciated!

Regards,
Chris
 
Upvote 0 Downvote
You have almost answered your own question. And when will the "set" policy become "effective' policy? You guested it! when the system does it's next complete sweep of the registry at boot up.

Congrats on getting that far, you're doing great!
Cheers
 
Upvote 0 Downvote
OK... I rebooted the server, but USER1 still cannot log on.
The Effective Policy Setting for log on locally is still unchecked! Let me ask one more question... when I setup the security group (GROUP_TEST), I have USER1 as a member, should I add any groups in the "Members Of" tab?

J'ai besoin d'aider!!!!!!! :eek:)

(I'm getting there... just a little bit more knowledge...)
 
Upvote 0 Downvote
I guess my main question here is "How do I make the Local Policy Setting the Effective Policy Setting?"

Rebooting the server, didn't work. What is the overiding precedence for the effective setting? i.e. what setting would keep the local setting from becoming the effective setting?
 
Upvote 0 Downvote
Sounds like the Domain Group policy is over-riding the local policy that you have activated. Try adjusting the Group policy settings. (this will mean that the users will have the rights to log-onto all servers interactively)
 
Upvote 0 Downvote


OK... I am about to bang my head through the wall.

Thanks for the reply french01! but still can conquer this thing!

I have added a Group in the AD and created a new Group Policy allowing members to logon locally and disabled their ability to change the system time. I have applied this group policy to the group, added users to the group and rebooted the server... still unable to logon as one of the users in the group... again the local policy settings is checked and the effective settings is not.

Maybe if I reset and describe my goal. I am running small business server, the only DC (thus PDC), actually the only server on the network. I want to create a group so that when I add users to the group they are limited to:

-Running Terminal Services and logging on to the server
-Running one particular application
-Seeing only one shared folder

Can someone (french01) walk me through this from scratch? or am I missing something?

Thank you to all who respond!!!!
 
Upvote 0 Downvote
You need to change the "Domain Controller Security Policy". This change will be effective within the default policy refresh interval, which is 90 minute by default! A restart in NOT required! You can also speed up the policy refresh from the run command with ....
secedit /refreshpolicy machine_policy
This will cause the machine policy changes to be implemented immediately. Also make sure that the user account property sheet "Terminal Services Profile" is set to "enable user logon"
Hope this helps.
 
Upvote 0 Downvote
BINGO! that was it! I was updating the group policy but not the DC. The command to speed up the policy refresh was great as well! :)
 
Upvote 0 Downvote
Is there anyway you can set it up where a user could not use any of the adminstrative tools when logging on to the terminal server? I've looked in all the security policy editors, but I haven't seen anything that might work. any ideas?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
264
DrB0b
DrB0b
penguinroundup
  • Locked
  • Question
programmatically delete all saved passwords for IE for any user
Replies
0
Views
96
penguinroundup
penguinroundup
kurio71
  • Locked
  • Question
Clean Install of 2016 - NTFS permissions
Replies
1
Views
78
hairlessupportmonkey
hairlessupportmonkey
goombawaho
  • Locked
  • Question
Continuous RDP disconnection/reconnection for administrator user
Replies
5
Views
151
goombawaho
goombawaho
goombawaho
  • Locked
  • Question
How to open Change user role for user accounts wizard
Replies
2
Views
83
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top