Re: local logon locally denied for a domain user from a client workstation
- From: "Saisab Pradhan" <spradhan@xxxxxxxxxxxxx>
- Date: Wed, 18 May 2005 09:51:25 +0545
Of course the domain users logon to the domain, not the local machine. When
trying to logon to a domain (not the local machine), the error message pops
up. I have checked the group membership; the "domain users" group is a
member of the local machine's "users" group, which is added when a computer is
joined to a domain. Let me explain again..
- Active Directory domain
- created a user 'saisab' in a domain
- joined saisab's computer to the AD domain
- tried to logon to a domain with user 'saisab' from saisab's computer
- gives the error 'Local policy of this system...'
- Added domain user 'saisab' to local computer's administrator group
(This is not the way I want it to be)
- Lets saisab logon to the domain.
- 'domain admin' group is the member of local 'administrators' group and
'domain users' group is the member of local 'users' group by default when
the computer is added to a domain
- I remove user saisab from local computer's administrators group, create
a new security template in a local machine, in local policies, user rights
assignment, allow logon locally, I add domain user 'saisab'. I save the
template, analyze, then configure.
- then I try to logon to domain again with domain user saisab, I can logon
successfully. Doing this I will have to configure each and every computer
which I don't want to do. There must be something that I'm missing...
Apologies if I have not been able to explain this in an easy way....
Regards,
Saisab
"Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> wrote in message
news:ejJDsSuWFHA.3044@xxxxxxxxxxxxxxxxxxxxxxx
> Do your domain users logon to the machine itself? Is that what you're
> trying to achieve?
> When you use a domain user, they are supposed to logon to the domain, not
> the local machine. But if you want them to logon to the local machine (not
> domain) you need to add the domain users group to a local machine group,
> which you can accomplish with a script.
>
> Regards,
> /Jimmy
> --
> Jimmy Andersson, Q Advice AB
> Microsoft MVP - Directory Services
> ---------- www.qadvice.com ----------
>
>
> "Saisab Pradhan" <spradhan@xxxxxxxxxxxxx> wrote in message
> news:%23q4rOEtWFHA.2912@xxxxxxxxxxxxxxxxxxxxxxx
>>I haven't applied any GPOs that relate to this issue. The GPOs that I
>>have applied are windows update (using SUS), logon script (mapping network
>>drives), and automatic software deployment, that's all...
>>
>> A bit on my design...
>>
>> - Active Directory Domain on windows server 2003
>> - OU for each department and within departmental OUs, there are other
>> OUs..
>> - Default Domain policy applied (by default)
>> - Windows update policy applied to domain
>> - Logon policy applied to an OU and other OUs within the parent OU
>>
>> Regards,
>> Saisab
>>
>> "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx> wrote in message
>> news:uMfTg1rWFHA.3584@xxxxxxxxxxxxxxxxxxxxxxx
>>> Take a look at the order the GPOs apply, also take a look where you
>>> apply the GPO. It sounds like you applied it on an OU that the
>>> computers/users don't "live" in.
>>> Can you post a bit more info on your design, to me it sounds like a
>>> design issue...
>>>
>>> Regards,
>>> /Jimmy
>>> --
>>> Jimmy Andersson, Q Advice AB
>>> Microsoft MVP - Directory Services
>>> ---------- www.qadvice.com ----------
>>>
>>>
>>> "Saisab Pradhan" <spradhan@xxxxxxxxxxxxx> wrote in message
>>> news:eor4zmrWFHA.3716@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi,
>>>>
>>>> I have windows 2003 server with AD installed. I am experiencing this
>>>> problem of domain users being denied logon locally from a client
>>>> workstation using win2k pro or win xp pro. Whenever I try to logon to
>>>> the domain using the domain user account, it gives error message "The
>>>> local policy of this system does not permit you to logon
>>>> interactively". The domain admins are members of local administrators
>>>> group and domain users are members of local users group (after joining
>>>> the domain). However, if I add the domain user to the local
>>>> administrators group, it lets me logon locally. I haven't fiddled with
>>>> the user rights options in logon locally and deny logon locally, neither
>>>> in domain group policy nor in local security policy.
>>>>
>>>> I then created a new security template in the domain and added all the
>>>> domain users to allow logon locally, but in vain, it didn't work.
>>>> However, when I created the security template in the client workstation
>>>> and applied it, it worked and let me logon locally. With about 200
>>>> computers, I don't want to go to every computer and create and apply
>>>> the security template. I'm sure it can be done in a domain level, but
>>>> somehow it's not just working..
>>>>
>>>> Please help..
>>>>
>>>> Saisab
>>>>
>>>
>>>
>>
>>
>
>
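
A check for the situation described in this thread, as an added example that is not part of the original posts: it exports the effective user rights on one workstation with `secedit` and lists which principals hold "Allow log on locally" (`SeInteractiveLogonRight`) and "Deny log on locally" (`SeDenyInteractiveLogonRight`). It assumes Windows PowerShell is available on the workstation and that it is run from an elevated prompt; the output file name is arbitrary.

```powershell
# Added example: run elevated on the affected workstation.
# Export only the user rights area of the effective local security settings.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary file name
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

$rights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'
foreach ($right in $rights) {
    # Each right is one line: Name = *SID,*SID,AccountName,...
    $line = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $line) {
        "{0}: <not defined in export>" -f $right
        continue
    }

    $members = ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*S-1-')) {
            # Entries starting with * are SIDs; resolve them to names where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }   # unresolvable SID: show it as exported
        } else {
            $entry
        }
    }
    "{0}: {1}" -f $right, ($members -join '; ')
}
```

Membership of "domain users" in the local "users" group only permits interactive logon if `BUILTIN\Users` (or another group the account belongs to) appears on the `SeInteractiveLogonRight` line and none of the account's groups appears on the deny line.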