Login Interactively

Posted by David on June 23, 2005, 8:20 am
We're running a domain with a Windows 2003 server as the pdc and a Windows
2000 server as the sdc. All of the clients are XP Pro or 2000.

I just enabled group policy so that all of the machines would get automatic
updates.

Now when the majority of the users try to login they get "The local policy
of this system does not permit you to logon interactively".

If I reboot sometimes it will let them login. Other times logging in as
administrator then trying to login as them works.

Some users have no problem logging in.

Is there some setting somewhere that configures this?

I've already given everyone local login rights through the Domain Controller
Security Policy, but still get the error.

Thanks




Posted by Roger Abell on June 23, 2005, 11:22 am
You should reverse the change made to the local login right in the
Domain Controllers linked GPO you have mentioned.
That lets them log in at the DCs!!
The ideal is to set that in a GPO linked to an OU that contains
the machines to be affected by the setting. If none is available,
instead try setting this in a GPO linked to the Domain, not to
the Domain Controllers OU (and, with the other reversed, it
will override the Domain GPO on this setting and restrict
local login rights for DCs).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Posted by Steven L Umbach on June 23, 2005, 11:54 pm
Roger's advice as usual is right on. I just want to add that from your
description you seem to have inconsistent application of Group Policy and
that it seems that at the domain/OU level you configured the user rights for
logon locally and/or deny logon locally incorrectly. Keep in mind that a deny
user right will override an allow user right. I would also suggest that you
make sure that your DNS is correctly configured for the domain as per the
first link below. Use the support tools netdiag, dcdiag, and gpotool on your
domain controller and the support tools netdiag and gpresult on your domain
member computers to check for proper network connectivity, DNS name
resolution, domain membership/secure channel, and replication for domain
controllers. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
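
Added example, not part of the thread: the deny-overrides-allow rule described above, applied to the user-rights section that `secedit /export /cfg rights.inf /areas USER_RIGHTS` produces on a member machine. The sample export, the domain SID and the function names are constructed for illustration.

```python
"""Evaluate interactive-logon rights from a secedit USER_RIGHTS export."""

# Constructed sample export. S-1-5-32-544/545 are the built-in Administrators
# and Users groups; the S-1-5-21-1111-2222-3333-* SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105,Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries are either *SID or an account name; normalise both.
        members = {m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()}
        rights[name.strip()] = members
    return rights


def interactive_logon_verdict(rights, principals):
    """principals: the user's own SID/name plus every group SID/name in the token."""
    token = {p.lower() for p in principals}
    denied = token & rights.get("SeDenyInteractiveLogonRight", set())
    allowed = token & rights.get("SeInteractiveLogonRight", set())
    if denied:  # a deny entry wins even when an allow entry also matches
        return "denied", sorted(denied)
    if allowed:
        return "allowed", sorted(allowed)
    return "not granted", []  # no allow entry matches: logon is refused as well
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_privilege_rights`.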


Posted by Roger Abell on June 24, 2005, 7:29 am
Agreed. Rereading the post the inconsistent application does
much indicate some systemic failure of domain infrastructure.

--
Roger Abell
Microsoft MVP (Windows Security)


Posted by David on June 27, 2005, 9:14 am
I did have a problem with the backup domain controller replicating (FRS)
correctly. I had to enable Journal Wrap Automatic restore for it to work
again.

As of Friday afternoon replication was working again, but I am still getting
the error on clients. dcdiag passes fully on the primary domain controller.
netdiag does as well except for the Kerberos test which failed with the
error "Kerberos does not have a ticket for host/server.domainname"

