Windows Server Forum / Windows Server 2003 / Security / June 2005

Login Interactively

David - 23 Jun 2005 13:20 GMT
We're running a domain with a Windows 2003 server as the pdc and a Windows
2000 server as the sdc.  All of the clients are XP Pro or 2000.

I just enabled group policy so that all of the machines would get automatic
updates.

Now when the majority of the users try to login they get "The local policy
of this system does not permit you to logon interactively".

If I reboot sometimes it will let them login.  Other times logging in as
administrator then trying to login as them works.

Some users have no problem logging in.

Is there some setting somewhere that configures this?

I've already given everyone local login rights through the Domain Controller
Security Policy, but still get the error.

Thanks
Roger Abell - 23 Jun 2005 19:22 GMT
You should reverse the change made to the local login right in the
Domain Controllers linked GPO you have mentioned.
That lets them log in at the DCs!
The ideal is to set that in a GPO linked to an OU that contains
the machines to be affected by the setting.  If none is available,
instead try setting this in a GPO linked to the Domain, not to
the Domain Controllers OU (and, with the other reversed, it
will override the Domain GPO on this setting and restrict
local login rights for DCs).

Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA

Steven L Umbach - 24 Jun 2005 05:54 GMT
Roger's advice as usual is right on. I just want to add that from your
description you seem to have inconsistent application of Group Policy and
that it seems that at the domain/OU level you configured the user rights for
logon locally and/or deny logon locally incorrectly. Keep in mind that deny
user right will override an allow user right. I would also suggest that you
make sure that your dns is correctly configured for the domain as per the
first link below. Use the support tools netdiag, dcdiag, and gpotool on your
domain controller and the support tools netdiag and gpresult on your domain
member computers to check for proper network connectivity, dns name
resolution, domain membership/secure channel, and replication for domain
controllers.   --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382

Roger Abell - 24 Jun 2005 15:29 GMT
Agreed.  Rereading the post, the inconsistent application does
much to indicate some systemic failure of domain infrastructure.


Roger Abell
Microsoft MVP (Windows  Security)

David - 27 Jun 2005 14:14 GMT
I did have a problem with the backup domain controller replicating (FRS)
correctly.  I had to enable Journal Wrap Automatic Restore for it to work
again.

As of Friday afternoon replication was working again, but I am still getting
the error on clients.  dcdiag passes fully on the primary domain controller.
netdiag does as well except for the Kerberos test, which failed with the
error "Kerberos does not have a ticket for host/server.domainname".

Roger Abell - 27 Jun 2005 15:40 GMT
And did you get any further failures to follow up on when you
ran these tools on the other DCs?  The tests are relative to the
DC (or client) on which they are run.


Roger Abell
Microsoft MVP (Windows  Security)

Steven L Umbach - 27 Jun 2005 17:24 GMT
As Roger suggested, you need to verify that dcdiag/netdiag shows that all
domain controllers are working well. Does gpotool show that all is fine with
Group Policies/sysvol? The domain computers could be obtaining their Group
Policy settings from any domain controller, and you can use the support tool
gpresult to see exactly what domain controller a domain computer is using
and the last time Group Policy was applied for user and computer. What
errors are you still getting?  If the problem is still no interactive logon,
what I would do is to configure the Group Policy that is closest to the
computers [either domain or OU where the computer accounts are located, if
they are in an OU] so that the user right for logon locally includes
Authenticated Users and Administrators, and configure deny logon locally to
include only Guest. Then reboot the problem domain computers to see if you
can logon.  --- Steve

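Added example (not posted by anyone in this thread, and not a Microsoft tool): a small script that parses the [Privilege Rights] section of a `secedit /export /cfg <file>` INF from a member workstation and works out whether a given account may log on interactively, applying the rule Steve states above that a deny user right overrides an allow user right. It is also a quick way to confirm the end result of Roger's advice on where the setting is linked: whatever GPO wins, the export from the affected machine shows the SIDs that actually ended up in SeInteractiveLogonRight and SeDenyInteractiveLogonRight. The INF text below is constructed for the example, and the domain SIDs (S-1-5-21-1000-2000-3000-...) are hypothetical; the built-in SIDs for Administrators, Users, Guests and Authenticated Users are the real well-known values.

```python
"""Evaluate the effective "Log on locally" right from a secedit INF export.

Added example for the thread, not from any poster. Parses the
[Privilege Rights] section of `secedit /export /cfg <file>` output and
decides whether an account (user SID plus group SIDs) may log on
interactively, with deny taking precedence over allow, as on Windows.
"""

# Well-known SIDs (real values).
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
GUESTS = "S-1-5-32-546"
AUTHENTICATED_USERS = "S-1-5-11"
# Hypothetical domain SIDs for the constructed sample below.
DOMAIN_GUEST = "S-1-5-21-1000-2000-3000-501"
ALICE = "S-1-5-21-1000-2000-3000-1105"
BOB = "S-1-5-21-1000-2000-3000-1104"

# Constructed sample of what `secedit /export` writes (not a real export).
# Allow: Administrators and Authenticated Users. Deny: Guests and Alice.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1000-2000-3000-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: set(of SIDs)} from the [Privilege Rights] section.

    secedit writes SIDs with a leading '*'; a member without '*' is an
    account name secedit could not resolve and is kept as written.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        members = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
        rights[name.strip()] = members
    return rights


def interactive_logon_allowed(rights, token_sids):
    """Apply logon-right semantics: any matching deny wins over any allow.

    token_sids: every SID in the user's token (user SID plus group SIDs).
    Returns (allowed: bool, reason: str).
    """
    token = set(token_sids)
    allow = rights.get("SeInteractiveLogonRight", set())
    deny = rights.get("SeDenyInteractiveLogonRight", set())
    hit_deny = sorted(deny & token)
    if hit_deny:
        return False, "denied via " + ", ".join(hit_deny)
    hit_allow = sorted(allow & token)
    if hit_allow:
        return True, "allowed via " + ", ".join(hit_allow)
    return False, "no SID in the token holds SeInteractiveLogonRight"


def evaluate_sample():
    """Run the constructed tokens against the sample export."""
    rights = parse_privilege_rights(SAMPLE_INF)
    # Guest is not an authenticated logon, so its token lacks S-1-5-11.
    cases = {
        "bob (ordinary domain user)": [BOB, USERS, AUTHENTICATED_USERS],
        "alice (explicitly denied)": [ALICE, USERS, AUTHENTICATED_USERS],
        "local administrator": [ADMINISTRATORS, AUTHENTICATED_USERS],
        "guest": [DOMAIN_GUEST, GUESTS],
    }
    return {name: interactive_logon_allowed(rights, sids)
            for name, sids in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_sample().items():
        print("%-28s %-6s %s" % (name, "OK" if ok else "DENIED", why))
```

On a real machine, run `secedit /export /cfg c:\rights.inf /areas USER_RIGHTS` on the workstation that refuses the logon, feed that file to `parse_privilege_rights`, and build the token SID list from `whoami /groups` (or the account's group membership); if a user's own SID or one of their groups shows up in SeDenyInteractiveLogonRight, that is the cause regardless of what the allow list says, which is exactly the "deny overrides allow" trap described in the thread.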
 
©2010 Advenet LLC   Privacy Policy - Terms of Use