Windows 2000 SBS - interactive logon

Jente

IS-IT--Management
Jun 2, 2004
19
BE
Hello

I just reinstalled our w2k sbs server.

If I try to log on as a regular user to the domain (from another pc) I get "interactive logon is disabled on the local computer". But when I add the user in AD to the Domain Admin group, log on takes place without any problem.

I don't want to grant all users the Domain Admin rights. Is there a workaround?
 
Sounds like a security problem. A quick way to solve this is..

Log on to the PC as domain admin. Right-click My Computer (for XP/2K systems) and select MANAGE. Look for the folder called GROUPS. You will see an Administrators group. Add the DOMAIN USER ACCOUNT of the person you want to be able to log on to this PC to this group. Log off.

Let the user log on. Now that the user is a member of the local administrators group, he/she should be able to log on.


Another way to solve this problem is to edit the PC's local security policy. This policy is set too restrictively right now; you can relax the security to allow normal users to log on to the PC.

-later

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
I don't want to permit administrative rights to users, not even on their own PCs.

And in the local security policy (of the user pc I suppose?) I cannot change those values.

Any idea?

Tnx in advance!
 
Maybe someone else can think of something other than the two solutions already shown... I can't think of any other ways...

Either make the security policy of the workstation more relaxed or add the users as members of the local administrators group.

Here is the security setting:
When did this problem start happening?



Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
First of all, thanks for your patience.

The problem occurred right after installing w2k sbs.

I have read the solution of MS, but I think the local policy is configured on the domain controller if you have a domain? Or am I wrong?

Anyways, on Domain Security Policy I already checked it and gave the user the right to log on locally.

But indeed, if I view the settings on the user pc, I see that the group I added on the server was not added there.

Any ideas?
 
To test your GPO, you may need to use this tool on the client:
Be careful of applying this setting in the domain GPO, because you may allow users to log on to the servers too. Make sure that you are targeting the right OU. However, I believe that you can make this setting in the domain (you don't need to walk around to each workstation).

After you make the GPO, you will have to make sure that the computers apply the policy. The easiest way to do this is to reboot the machines. Otherwise, you will have to run a command to re-apply the security policy: GPUPDATE /force

-later

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
You may also want to go through the tedious extreme effort of modifying one of the PCs with the logon locally security edit. I know this is totally extreme and a time-consuming task... but at least if it works, you will know that you are on the right track.


-later

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
if this is win2003 you can run dcgpofix to reset your policies

the problem is that someone went and messed with your log on locally user right in the default domain policy

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
I edited permissions in the domain security policy and domain controller security policy, but what do I have to do to enable them? Because if I go look in the local security policy, the effective policy setting is not the one I set up.

Any ideas?
 
(Domain controller security policy will not help you with dealing with the desktops... but I would guess that normal users can now log in to your DCs. Not sure if this was a good idea.)

You may also want to go through the tedious extreme effort of modifying one of the PCs with the logon locally security edit. Do this through the local security policy on a PC. I know this is totally extreme and a time-consuming task... but at least if it works, you will know that you are on the right track in solving your problem. Did you try this yet? Did this resolve your problem?

If it did, you should continue working on setting this from a domain level.

If this test did not work, we are not on the right track..need to look in other directions.

Do the test and let me know...

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
ok this is win2000 right

get recreatedefpol and recreate your default policies

leave the DC policy alone...you shouldn't ever really edit that anyway unless absolutely needed (user rights)

as far as the domain policy...you should never change the base user rights needed from not defined

by default though they are logon locally=authenticated users, everyone, administrators I believe...add them into default domain policy and you should be good

but if you were playing with the policies...i recommend rebuilding them as it will ease things a lot for you

don't forget
XP takes two reboots to apply the policy so if testing on XP workstation make sure to reboot twice

you've also got to keep in mind the policy application order..your effective may not always be what you set..depending on OU structure and such

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
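
The check the thread keeps circling, namely which accounts actually hold "Log on locally" on the workstation once all policies have applied, can be run against a user-rights export. This is an added example, not code from any poster; it assumes the export was produced on the workstation with `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and the sample file, SIDs and function names are constructed for illustration.

```python
# Added example: audit "Log on locally" in a secedit user-rights export.
# SAMPLE_INF is constructed; S-1-5-32-544 is BUILTIN\Administrators and
# S-1-5-21-1111-2222-3333-* are made-up domain SIDs.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
[Version]
signature="$CHICAGO$"
"""

# Constructed logon tokens: user SID, Domain Users, Everyone,
# Authenticated Users, BUILTIN\Users.
REGULAR_USER = {"S-1-5-21-1111-2222-3333-1120", "S-1-5-21-1111-2222-3333-513",
                "S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
# Domain Admins is a member of the workstation's local Administrators group.
DOMAIN_ADMIN = REGULAR_USER | {"S-1-5-21-1111-2222-3333-512", "S-1-5-32-544"}


def parse_privilege_rights(inf_text):
    """Return {right_name: set of SIDs or account names}."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {m.strip().lstrip("*")
                                    for m in value.split(",") if m.strip()}
    return rights


def interactive_logon_verdict(rights, token_sids):
    """Deny logon locally wins over Log on locally; no match means no right."""
    sids = set(token_sids)
    if sids & rights.get("SeDenyInteractiveLogonRight", set()):
        return "denied: explicit deny"
    if sids & rights.get("SeInteractiveLogonRight", set()):
        return "allowed"
    return "denied: right not granted"


if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    for label, token in (("regular user", REGULAR_USER), ("domain admin", DOMAIN_ADMIN)):
        print(label, "->", interactive_logon_verdict(rights, token))
```

A real export is typically UTF-16, so read it with `open(path, encoding="utf-16")` before parsing. In the sample, only Administrators hold the right, which reproduces the symptom in the first post: a regular user is refused while a Domain Admin gets in.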
 