Re: Local policy does not allow interactive login
From: Dave (dave_advantage_at_hotmail.com)
Date: 09/09/04
- Next message: Ken B: "Re: Backround wallpaper."
- Previous message: Yardsale: "Re: Limiting Browser to one URL"
- In reply to: Steven L Umbach: "Re: Local policy does not allow interactive login"
- Next in thread: Steven L Umbach: "Re: Local policy does not allow interactive login"
- Reply: Steven L Umbach: "Re: Local policy does not allow interactive login"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 9 Sep 2004 09:18:08 -0500
> There have been various worms that use secedit to reset the user rights on
> a computer so you may want to make sure the computers are clean and use
> Autoruns from SysInternals to see if there any strange startup entries for
> these computers.
>
> http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
There doesn't appear to be anything out of the ordinary running on startup.
I've also performed a virus sweep on the network and that came up with
nothing also.
> The other thing to try is to define the deny logon locally user right.
You can define
> it and leave no entries or I usually add the guest account to the list. In
> addition enable auditing of policy change on those computers and then
> check the security log in Event Viewer for "policy change" events under
> category such as Event ID 622 that may help you track down what is going
> on. It is curious that it is not affecting the Windows XP computers.---
> Steve
I've defined the Deny Logon Locally policy on both the Domain Security
Policy and the Domain Controller Security Policy and put only Guests in the
list. I don't see anything out of the ordinary in the Event Viewer.
Here's one other curious piece to the puzzle...The old antivirus server is
listed as a Domain Controller when I look in active directory. I don't
think it was a DC before and I'm sure that I've never promoted it. I've not
been doing this job for very long, so it's possible that it may have been
there before, but I wouldn't think you would want an antivirus server as a
DC. Anyway, when I try to go into either Domain Security Policy or Domain
Controller Security Policy, I get an error saying "Failed to open the Group
Policy Object. You may not have appropriate rights. Logon failure: the
target account name is incorrect". Now when I take this machine offline, my
users still get the "interactive logon" error message. So it doesn't matter
if that server is up and running or not. However, when it is up and
running, they are also not able to connect to the PDC, though they can
eventually get logged into the domain. Could it be that the other machines
are trying to pull down the security policy from this server and are unable
to, thus causing the "interactive logon" error?
- Next message: Ken B: "Re: Backround wallpaper."
- Previous message: Yardsale: "Re: Limiting Browser to one URL"
- In reply to: Steven L Umbach: "Re: Local policy does not allow interactive login"
- Next in thread: Steven L Umbach: "Re: Local policy does not allow interactive login"
- Reply: Steven L Umbach: "Re: Local policy does not allow interactive login"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
