RE: Can't set Local Security policies. They fail to save
- From: v-yanniw@xxxxxxxxxxxxxxxxxxxx ("Jenny wu [MSFT]")
- Date: Tue, 25 Oct 2005 09:43:28 GMT
Hi,
Thanks for your update!
For your current scenario, I suggest you follow KB article 816585 to apply
a predefined Security Template on SBS 2003 to restore security group
permissions.
816585 HOW TO: Apply Predefined Security Templates in Windows Server 2003
http://support.microsoft.com/?id=816585
Note: please strictly follow the steps and create a backup file
of the SYSVOL share.
Next, run "gpupdate.exe /force" at a command prompt to force the policy
refresh, then reboot the server to test. Additionally, have a domain user
log off and then log on to a client computer to test whether the user can
save system logs.
If the issue persists, please help me collect a group policy report for
further analysis:
1. Please run the command "gpresult /v > c:\gpresult.txt" on the server box
and on a problematic workstation, and mail the resulting files to me for
analysis. My mailbox: v-yanniw@xxxxxxxxxxxxx
2. Collect the system/security log on the server box and the problematic
workstation. If the user still does not have permission to save the system
log, you can try to use a domain admin account to test, or log on to the
local computer using the local Administrator account to test. How about the
result?
I appreciate your time! I am looking forward to hearing from you!
Have a nice day!
Sincerely,
Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "=?Utf-8?B?QWwtQW1pbg==?=" <AlAmin@xxxxxxxxxxxxxxxxxxxxxxxxx>
>Subject: RE: Can't set Local Security policies. They fail to save
>Date: Mon, 24 Oct 2005 10:25:06 -0700
>
>Hi Jenny. Thanks for your post. I was starting to lose hope.
>In reply to your questions.
>
>1. Yes I can logon to the server box remotely using the built in
>administrator account but no I can't logon to the server locally with the
>same administrator account
>2. I can't logon on locally with any of the other administrator accounts.
>I created a new Administrator account using the add user wizard and it
>allowed me to logon locally to the server box. But I still can't set local
>policies
>3. I have rebooted the server and I still get the same results
>4. The policies I tried to change to allow local and remote logon are ACCESS
>THIS COMPUTER FROM THE NETWORK and ALLOW LOGON LOCALLY in Domain Security
>Policy>Local Policies>User Rights Assignment.
>The issue of policies not saving happens all the time since I first
>experienced the problems with the server box.
>On other computers
>5. I tried saving the application/security log but got the error UNABLE TO
>SAVE EVENT LOG FILE. A REQUIRED PRIVILEGE IS NOT HELD BY THE CLIENT
>
>With regards to your suggestion for trouble shooting.
>I. The user does not have the "logon locally" user right and like I
>mentioned I can't seem to grant the rights.
>Secondly I've checked and the user is not a member of the Remote Operators
>group but a member of Domain Power Users Group. I removed the user from the
>groups and was able to logon locally. Thanks. One problem solved.
>II. Here are the results after I ran rsop.msc
>i. The Domain Users Group is not listed in "Allow logon locally" policy. I
>couldn't add it into the default domain policy
>The "Deny logon locally" in RSOP is defined and lists SBS Remote Operators
>and SBS STS Workers
>"The Access This computer from Network" policy is defined and everyone is
>listed.
>While the "Deny Access to this computer from the network" is not defined
>ii. On Terminal services Tab "Allow Logon to terminal Server" is checked
>Hope I got it right.
>
>--
>AIP Admin
>
>
>""Jenny wu [MSFT]"" wrote:
>
>> Hi,
>>
>> Thanks for posting here!
>>
>> For your description, I understand that you have some problems to access
>> the SBS server box locally or remotely. If I am off base, please don't
>> hesitate to let me know.
>>
>> Before we go further, please kindly help me collect some information to
>> isolate the issue in order to resolve the issue efficiently:
>>
>> 1. In current status, Can you logon the server box remotely (from other
>> client computer)? Can you logon the server box locally (before the server
>> box)?
>>
>> 2. Do you try to use another Administrator user account to test? How about
>> the result? Do you try to create a new Administrator account using Add User
>> Wizard (Server Management console -> Users -> Add a User) to test? How
>> about the result?
>>
>> 3. Try to reboot the server box to refresh configuration and then test, how
>> about the result?
>>
>> 4. Which computer local security policy did you change to try to grant the
>> specific Administrator logon on locally and remotely permissions? Did the
>> issue that the local security policy can not saved happen on the specific
>> box random or always time? Does it happen on other computer?
>>
>> 5. Can you find any error events in Event Viewer? If yes, please tell me
>> the detail error information in the newsgroup or mail me the error log for
>> further analyze.
>>
>> Save a text copy of Application /System log:
>> A. Open Event Viewer: Start -> All Programs -> Administrative Tools ->
>> Event Viewer.
>> B. Right-click on Application/System log and select "Save Log File As...".
>> Please send the log files to my mailbox: v-yanniw@xxxxxxxxxxxxx
>>
>> Additionally, I would like to give you some suggestions to try to trouble
>> shoot the issue:
>>
>> I. As you know, the error "The local policy of this system does not permit
>> you to log on interactively" may occur if the user does not have "logon
>> locally" user right.
>>
>> Please check if the user accounts who can not logon to the server is a
>> member of either the Remote Operators group or the Domain Power Users
>> group. On SBS 2003, the "Deny log on locally" policy setting is applied to
>> the Remote Operators group in the Default Domain Controllers Policy object.
>> This policy setting also applies to the Domain Power Users group because
>> the Domain Power Users group is a member of the Remote Operators group.
>> Since a deny policy always overrides an allow policy, this policy setting
>> prevents users from logging on to domain controllers in the domain, even if
>> the "Allow log on locally" policy applies to the same users.
>>
>> Remove the Domain Users group or those users from the Remote Users group or
>> the Domain Power Users group. Try to test, how about the result?
>>
>> Please refer to the following KB article to get detail methods:
>> "The local policy of this system does not permit you to logon
>> interactively" error message when you try to log on to a computer that is
>> running Windows Small Business Server 2003 by using an Administrator account
>> http://support.microsoft.com/?id=841188
>>
>> II. And also try to check the following settings:
>>
>> 1. On the problematic Workstation, run rsop.msc to check the effective
>> "Allow logon locally" policy to make sure that the domain users group is
>> listed. If not, add it into the Default domain policy. In addition, make
>> sure that the "deny logon locally" policy is not defined in RSOP (Result
>> set of policy). In addition, check the "Access this computer from network"
>> policy to make sure that the everyone is listed and the "Deny access to
>> this computer from the network" is configured properly.
>>
>> 2. On the server, open Server Management console, locate Users node, right
>> click the user account and click Properties, click the Terminal Services
>> profile tab and make sure that the "Deny this user permissions to logon to
>> terminal server" option is unchecked.
>>
>> 3. To grant guests Logon rights to the RDP-TCP connection, start the
>> Terminal Services Configuration snap-in, edit the RDP-TCP so that the guest
>> has at least Logon rights.
>>
>> For detail information, please see:
>> 278433 Accessing Terminal Services Using New User Rights Options
>> http://support.microsoft.com/?id=278433
>>
>> 289289 Remote Desktop Connection "The Local Policy of This System Does Not
>> http://support.microsoft.com/?id=289289
>>
>> I am currently standing by for your test result. I appreciate your time and
>> efforts to perform test and collect information. I am happy to be
>> of assistance to you!
>>
>> Have a nice day!
>>
>> Sincerely,
>>
>> Jenny Wu
>> Microsoft CSS Online Newsgroup Support
>> Get Secure! - www.microsoft.com/security
>>
>> --------------------
>> >From: "=?Utf-8?B?QWwtQW1pbg==?=" <AlAmin@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >Subject: Can't set Local Security policies. They fail to save
>> >Date: Sat, 22 Oct 2005 05:57:02 -0700
>> >
>> >Hi,
>> >I'm using Windows SBS 2003 with about 60 computers using XP pro SP2 on the
>> >network.
>> >
>> >Out of the blue my administrator account no longer connects to the server
>> >from client computers on the network. It gives me the error "Logon Failure:
>> >The user has not been granted the requested logon type at this computer".
>> >
>> >A day later I could no longer logon to the server. It would give me the
>> >error message: "The local policy of this system does not permit you to logon
>> >interactively". However I can still logon to the server remotely from any of
>> >the systems on the network.
>> >
>> >I believe my problems have to do with user rights specifically (Access this
>> >computer from the Network, Allow Logon Locally & Allow Logon through terminal
>> >services) not granted to the administrator. These rights were previously
>> >defined but for some reason the local security policies have been altered.
>> >
>> >I'm getting this error when attempting to grant a user any rights through
>> >the local security policy. When I open up the Local Security Policy and
>> >navigate to "User Rights assignment," I can open a policy and add a setting,
>> >but when I click OK, I get this error:
>> >"An extended error has occurred. Failed to save."
>> >After I click through the box, and the name appears in the list, but when you
>> >close/reopen the Local Security Policy, it's gone.
>> >
>> >I'm in need of help
>> >
>> >--
>> >AIP Admin
>> >
>>
>>
>
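
The deny-overrides-allow behaviour discussed in this thread (Domain Power Users nested in Remote Operators, which carries "Deny log on locally"), as an added Python example that is not part of any poster's message. The INF text, the account names `poweruser1` and `admin1`, and the group nesting are constructed for illustration; the right names are the standard Windows user-right constants.

```python
import configparser

# Constructed sample in the layout of the [Privilege Rights] section written by
# `secedit /export /areas USER_RIGHTS`; account names are simplified (no SIDs).
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = Administrators,Domain Users
SeDenyInteractiveLogonRight = SBS Remote Operators,SBS STS Workers
SeNetworkLogonRight = Everyone
"""

# Constructed group nesting mirroring what the thread describes.
MEMBER_OF = {
    "poweruser1": ["Domain Users", "Domain Power Users"],  # hypothetical user
    "admin1": ["Domain Users", "Administrators"],          # hypothetical user
    "Domain Power Users": ["SBS Remote Operators"],
}

def parse_rights(inf_text):
    """Return {right_name: set(principals)} from the INF text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    return {name: {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
            for name, value in cp["Privilege Rights"].items()}

def expand(principal, member_of):
    """Everything an account acts as: itself, Everyone, and nested groups."""
    seen, stack = {"Everyone"}, [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(member_of.get(p, []))
    return seen

def logon_allowed(user, rights, member_of,
                  allow="SeInteractiveLogonRight",
                  deny="SeDenyInteractiveLogonRight"):
    """Deny wins over allow. Returns (allowed, principals that caused a deny)."""
    ids = expand(user, member_of)
    blockers = ids & rights.get(deny, set())
    if blockers:
        return False, blockers
    return bool(ids & rights.get(allow, set())), set()

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    for user in ("poweruser1", "admin1"):
        print(user, logon_allowed(user, rights, MEMBER_OF))
```

The returned set of blocking principals names the group to look for in the RSOP output; an undefined deny right (as with "Deny access to this computer from the network" in the reply above) is treated as an empty list.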