Re: Local Policy Does not permit logon interactively ~ Urgent help

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Hey Jorge,

I finally got it! I made a new user and started adding him to groups until
he was denied log on locally. I narrowed it down to the "domain admins"
group. Went through the gpo's over and over again and never found a single
"deny". Then I used
"ntrights -r SeDenyInteractiveLogonRight -u "Domain Admins" and that did it!

Thank you so much for your help, I've really learned alot dealing with the
issue and sometimes that's the best way to learn!

"Jorge Silva" wrote:

there must be a reason why the policy isnt being applied, you should track
why, if you change the OU do you get the same behavior? did you enabled the
userenv and check the log...
--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"ttroutman" <ttroutman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F180661C-4408-443C-B077-12F676D9DD5B@xxxxxxxxxxxxxxxx
Thanks Jorge,

I enabled the log but cant make heads or tails of it. It doesnt look like
any major bad things are going on. DNS looks good and the DC's passed the
netdiag /test:dns test.

I was thinking about reseting User Rights in the default domain group
policy, do you think this could help? Would this also take care of the
default domain controllers policy?

"Jorge Silva" wrote:

run the gpupdate /force to try to apply again that policy, review your
DNS,
FW, etc... configurations, and make sure that everything is correct.
If none of the eabove solves your problem, you may want to enable userenv
log more details about why that policy isn't being applied.

--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"ttroutman" <ttroutman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:759D7F9B-1CD2-4C22-8C5B-5A54468A50A6@xxxxxxxxxxxxxxxx
I ran that and I get an x by the log on locally right and it says "The
policy
engine did not attempt to configure this setting"

Any ideas?

"Jorge Silva" wrote:

check if the users are members of other groups that may be members of
the
restricted group.
Use rsop.msc to check the policies that are being applied in the
Server.

--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"ttroutman" <ttroutman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6DBB5256-EE12-463C-86B4-DAFAF71EB149@xxxxxxxxxxxxxxxx
Hi Jorge,

I've checked those settings in the default dc gpo and the deny
setting
is
undefined and the logon locally setting has the domain admin group
in
it
and
the i'm trying to logon with a member that is in that group, but
still
get
the same error.

"Jorge Silva" wrote:

Hi
By default not all type of users are allowed to logon in a DC.
Check
the
polices option "Allow Logon Locally" and the "Deny Logon Locally",
the
Deny
option overrides the first one.
Also check:
http://support.microsoft.com/kb/823659


--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"ttroutman" <ttroutman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:58606258-B97B-4C7E-874A-C19C70884852@xxxxxxxxxxxxxxxx
I have 3 Windows 2003 DC's and 6 Windows 2003 member servers. Out
of
no
where
today, I cannot logon to the DC's. I get the error message that
the
local
policy does not permit logon interactively. I only get this on
the
DC's. I
can logon without a problem on all other computer and servers. I
have
checked
the Default Domain Controllers policy. Nothing, that I can see
has
changed.
Even though the log on locally right was undefined, I tried to
define
it
to
help my situation. I added domain admins and adminstrator to the
log
on
locally config in the defaut DC GPO. I ran gpupdate /enforce on
all
DC's
and
I STILL can't log on. I just dont see what I have missed. I had
made
zero
changes to the GPO. I can, however, use remote desktop to get the
servers,
but I need to be able to log on at the console. Please help!
Thanks
guys!!

Marie












.

Relevant Pages

  • Re: Local Policy Does not permit logon interactively ~ Urgent help
    ... I ran that and I get an x by the log on locally right and it says "The policy ... "Jorge Silva" wrote: ... undefined and the logon locally setting has the domain admin group in it ... the i'm trying to logon with a member that is in that group, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Local Policy Does not permit logon interactively ~ Urgent help
    ... run the gpupdate /force to try to apply again that policy, review your DNS, ... configurations, and make sure that everything is correct. ... "Jorge Silva" wrote: ... the i'm trying to logon with a member that is in that group, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Local Policy Does not permit logon interactively ~ Urgent help
    ... policy, do you think this could help? ... "Jorge Silva" wrote: ... the i'm trying to logon with a member that is in that group, ... the Default Domain Controllers policy. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Anyone can explain mechanism, time to get this policy updated?
    ... "Jorge Silva" wrote: ... a policy to "EnableMSFirewall". ... Immediately after moving the computer account from OUA to OUB, ... For some policies you'll need the next policy refresh time, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Local Policy Does not permit logon interactively ~ Urgent help
    ... there must be a reason why the policy isnt being applied, ... "Jorge Silva" wrote: ... undefined and the logon locally setting has the domain admin group ... the Default Domain Controllers policy. ...
    (microsoft.public.windows.server.active_directory)