The local policy of this system does not permit you to logon interactively

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • The local policy of this system does not permit you to logon interactively

    Hi.

    I currently support a Windows 2000 domain. Recently, a problem occurred where a user was prevented from logging onto a member server (W2000) using a local account that was a member of the local Administrators group. The message observed was as follows:

    'The local policy of this system does not permit you to logon interactively'

    We have since discovered that this problem now affects all servers in the default Computers container and also prevents any domain accounts from logging on, either at the console or remotely!

    We can still log onto the DCs, as the DC OU GPO policy setting 'Log on locally' is set to include Domain Admins.

    We therefore got around this by adding the appropriate users/groups to the following GPO setting in the default domain policy:

    computer/security/local policies/user rights assignment/logon locally.

    There is no explicit deny logon locally setting specified either at the domain level or locally.

    Why should this setting be required now when it was not needed previously? We have several other very similar domains where this policy is not defined and there is no problem logging on.

    Many thanks for any assistance in advance.

  • #2
    Re: The local policy of this system does not permit you to logon interactively

    Don't use the default containers; because they are not OUs you can't link GPOs to them - they only get the Default Domain Policy. Put all your servers into specifically created OUs which you can then control policy for.

    In the meantime, you can look in the "Local Policy" snap-in to determine what groups are permitted to log in to the server; remembering that there is an "Allow logon locally" *AND* a "Deny logon locally" policy in the settings. If there is no setting defined in the Default Domain Policy, the local setting should determine who can and who cannot log in.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you
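The precedence Tom describes (a "Deny logon locally" entry beats an "Allow logon locally" entry, and a right defined in the domain policy replaces the local list rather than adding to it) can be checked offline against the output of `secedit /export /cfg <file>`. The script below is an added example, not code posted by anyone in this thread: it parses the `[Privilege Rights]` section of two constructed exports (a local policy and a Default Domain Policy fragment), computes the effective right under the assumed replace-not-merge rule, and reports whether a given token would get the "does not permit you to logon interactively" outcome. The domain SIDs (S-1-5-21-1000-2000-3000-*) and the sample INF text are made up.

```python
"""Model Windows user-rights precedence from secedit-style export text.

Added example, not from the thread. Assumptions (labelled as such):
  * a right a domain GPO defines REPLACES the local list (no merging);
  * a matching SeDeny* right always wins over the matching allow right;
  * the sample INF data and the S-1-5-21-1000-2000-3000-* SIDs are constructed.
"""
import re

# Well-known BUILTIN group SIDs, used only for readable output.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Constructed: local policy on the member server before any domain GPO
# defined the right.  secedit writes SIDs with a leading '*', names bare.
LOCAL_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed: the right as someone defined it in the Default Domain Policy,
# listing only Domain Admins (made-up domain SID, RID 512).
DOMAIN_GPO_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1000-2000-3000-512
"""

# Constructed: the same GPO after the workaround from the thread, with the
# local Administrators group added back to the list.
FIXED_GPO_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1000-2000-3000-512,*S-1-5-32-544
"""

# Constructed token of the local Administrator account: its own SID, the
# groups it belongs to, and its bare name (for name-form INF entries).
LOCAL_ADMIN_TOKEN = {"S-1-5-21-4000-5000-6000-500", "S-1-5-32-544",
                     "S-1-5-32-545", "Administrator"}


def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def effective_rights(local, domain_gpo):
    """Assumed precedence: any right the domain GPO defines replaces the local
    list outright; rights the GPO leaves undefined keep the local list."""
    merged = dict(local)
    merged.update(domain_gpo)
    return merged


def sid_key(principal):
    """Strip secedit's '*' marker so SIDs compare against token entries."""
    return principal[1:] if principal.startswith("*") else principal


def can_logon_interactively(rights, token):
    """Deny wins over allow; no allow match gives the error seen in the thread."""
    deny = {sid_key(p) for p in rights.get("SeDenyInteractiveLogonRight", [])}
    allow = {sid_key(p) for p in rights.get("SeInteractiveLogonRight", [])}
    if token & deny:
        return False, "denied by SeDenyInteractiveLogonRight"
    if token & allow:
        return True, "allowed by SeInteractiveLogonRight"
    return False, "The local policy of this system does not permit you to logon interactively"


def describe(principals):
    """Map well-known SIDs to names for display; leave everything else as-is."""
    return [WELL_KNOWN.get(sid_key(p), p) for p in principals]


if __name__ == "__main__":
    local = parse_privilege_rights(LOCAL_INF)
    for label, gpo_text in (("local only", ""), ("domain GPO", DOMAIN_GPO_INF),
                            ("fixed GPO", FIXED_GPO_INF)):
        rights = effective_rights(local, parse_privilege_rights(gpo_text))
        print(label, "->", describe(rights["SeInteractiveLogonRight"]))
        print("   local Administrator:", can_logon_interactively(rights, LOCAL_ADMIN_TOKEN))
```

Run stand-alone it prints three cases: with only the local policy the local Administrator logs on; once the domain GPO defines the right with Domain Admins alone, the local Administrators group disappears from the effective list and the exact error from the first post results; adding Administrators back to the GPO list restores access. The real check on the box is the Local Security Policy snap-in or `secedit /export /cfg <file>` and looking at both `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight`.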



    • #3
      Re: The local policy of this system does not permit you to logon interactively

      Thanks for your quick response.

      I checked the local policies. There is no explicit 'Deny logon locally' setting applied, and the accounts now specified in 'Log on locally' are those that I included at the domain-level GPO and have since been inherited.

      My main concern is that this setting was not previously required for local or domain accounts to log on, either at the console or remotely. Can you think of what might have changed to subsequently require explicit inclusion of all users I wish to log on?

      Personally I would like to remove all the users from local and domain policies and restart the investigation to uncover the root cause, but as this is now 'working' I don't want further disruption.



      • #4
        Re: The local policy of this system does not permit you to logon interactively

        No. Administrators should be allowed to log on locally by default. What users/groups are members of the "Remote Desktop Users" local group on the server?


        Tom



        • #5
          Re: The local policy of this system does not permit you to logon interactively

          There is no local 'remote desktop users' group on the server. Was this default group not introduced in 2003?

          There is a 'terminal service access group' which I assume has been created for this purpose. The local administrator user account is a member amongst other user accounts.

          The Terminal Services access group has been added to the permissions in the RDP-Tcp permissions along with the local Administrators group (which the Domain Admins group is a member of) and the SYSTEM group.

          The membership of these groups should not have changed recently (as far as I am aware).

