Announcement

Collapse
No announcement yet.

random users getting: Interactive log on privilege has been disabled

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • random users getting: Interactive log on privilege has been disabled

    I have this strange problem and i'm not sure what the root cause is.

    We have 2000 ad accounts on server 2003. We run windows xp sp2 clients. This is the first time this has happened.

    I've seen a user try to log into a workstation (not remotely but interactively) and he gets:

    "Your Interactive log on privilege has been disabled"

    message.

    I then login with a user account with the same privileges as him and it works. i log on as local admin and it works. I get him to login again aftwards, it works. (no reboot).

    i don't understand why this is. So far it's happened to a few users only. we run labs, so all the machines are indentical.

    they are all in the same ou so all the same gpo's are applied

    all user accounts are in the same ou so they get all the same gpo's applied.

    As far as i can see from the security logs i see,

    evt 529's :unknown user name or bad passwords,
    evt 537

    It's not the username and a bad password wouldn't generate the "Your Interactive log on privilege has been disabled" message.


    the only i've done recently was:

    1. admodify tool to mass set the "deny this user permission to log on to any terminal server" - since my users are loging in interactively i don't see how this is the problem.

    2. I've been doing some manual software updates by RDP'ing into the machines, but i always log out.


    this has got me stump by the message. I don't see anything on the user's account setting and the work station does log people in, just not all users.

    right now there's very little people being affected and i want to head this off before it becomes a huge issue.

    so far the one solution is to log into the workstation as administator first or another user account. Log out and the workstation is fine.

    thanks,

  • #2
    Re: random users getting: Interactive log on privilege has been disabled

    http://support.microsoft.com/?kbid=265382

    http://support.microsoft.com/?kbid=815266

    Comment


    • #3
      Re: random users getting: Interactive log on privilege has been disabled

      How many groups the account affected is member of ?
      Can you run tokensz (usage explained in the URL) and post here the results when logged on as affected user ?
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"

      Comment


      • #4
        Re: random users getting: Interactive log on privilege has been disabled

        thanks for the reply, I was away for the long weekend.

        the user is only part of one group which is domain users.

        i'll try the token software.

        it's strange how this message relates to remote login, yet the error is triggered by an interactive user.

        Comment

        Working...
        X