RE: Can't set Local Security policies. They fail to save



Jenny, hi there and thanks for all the help.

I followed your instructions on applying the predefined security templates.
I also ran the gpupdate.exe /force. The administrator account still can't
connect to server. The local policies are still set as before.

The user accounts are back online but unfortunately the administrative
account still can’t connect to server from client computers. It still gives
the error "Logon Failure: The user has not been granted the requested logon
type at this computer".

I still can’t set any of the local security policies on the server box. It
still fails to save giving the error message "An extended error has occurred.
Failed to save". I have e-mailed the group policy report and the system and
security logs from the server box to you.

Regards

--
AIP Admin


"Jenny wu [MSFT]" wrote:

> Hi,
>
> Thanks for your update!
>
> For your now scenario, I suggest you follow KB 816585 article to apply
> predefined Security Template on SBS 2003 to restore security groups
> permissions.
>
> 816585 HOW TO: Apply Predefined Security Templates in Windows Server 2003
> http://support.microsoft.com/?id=816585
>
> Note: please strictly follow the steps to process and create a backup file
> of the SYSVOL share.
>
> Next, run "gpupdate.exe /force" under command prompt to force the policy
> refresh, reboot the Server to test. Additionally, domain user try to logoff
> and then logon to client computer to test if user can save system logs.
>
> If the issue persists, please help me collect group policy report for
> further analysis:
> 1. Please run command "gpresult /v > c:\gpresult.txt" respectively in the
> server box and some problematic workstation and find the files to mail to
> me for analysis. My mailbox: v-yanniw@xxxxxxxxxxxxx
>
> 2. Collect system/security log in the server box and the problematic
> workstation. If the user still can not save system log permissions, you can
> try to use domain admin account to test, or logon on to local computer
> using local Administrator account to test, how about the result?
>
> I appreciate your time! I am looking forward to hearing from you!
>
> Have a nice day!
>
> Sincerely,
>
> Jenny Wu
> Microsoft CSS Online Newsgroup Support
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> >From: "=?Utf-8?B?QWwtQW1pbg==?=" <AlAmin@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >Subject: RE: Can't set Local Security policies. They fail to save
> >Date: Mon, 24 Oct 2005 10:25:06 -0700
> >Newsgroups: microsoft.public.windows.server.sbs
> >
> >Hi Jenny. Thanks for your post. I was starting to lose hope.
> >In reply to your questions.
> >
> >1. Yes I can logon to the server box remotely using the built in
> >administrator account but no I can’t logon to the server locally with the
> >same administrator account
> >2. I can’t logon on locally with any of the other administrator accounts.
> >I created a new Administrator account using the add user wizard and it
> >allowed me to logon locally to the server box. But I still can’t set local
> >policies
> >3. I have rebooted the server and I still get the same results
> >4. The policies I tried to change to allow local and remote logon are ACCESS
> >THIS COMPUTER FROM THE NETWORK and ALLOW LOGON LOCALLY in Domain Security
> >Policy>Local Policies>User Rights Assignment.
> >The issue of policies not saving happens all the time since I first
> >experienced the problems with the server box.
> >On other computers
> >5. I tried saving the application/security log but got the error UNABLE TO
> >SAVE EVENT LOG FILE. A REQUIRED PRIVILEDGE IS NOT HELD BY THE CLIENT
> >
> >With regards to your suggestion for trouble shooting.
> >I. The user does not have the “logon locally” user right and like I
> >mentioned I can’t seem to grant the rights.
> >Secondly I’ve checked and the user is not a member of the Remote Operators
> >group but a member of Domain Power Users Group. I removed the user from the
> >groups and was able to logon locally. Thanks One problem solved.
> >II. Here are the results after I ran rsop.msc
> >i. The Domain Users Group is not listed in “Allow logon locally” policy. I
> >couldn’t add it into the default domain policy
> >The “Deny logon locally” in RSOP is defined and lists SBS Remote Operators
> >and SBS STS Workers
> >“The Access This computer from Network” policy is defined and everyone is
> >listed.
> >While the “Deny Access to this computer from the network” is not defined
> >ii. On Terminal services Tab “Allow Logon to terminal Server" is checked
> >Hope I got it right.
> >
> >--
> >AIP Admin
> >
> >
> >"Jenny wu [MSFT]" wrote:
> >
> >> Hi,
> >>
> >> Thanks for posting here!
> >>
> >> For your description, I understand that you have some problems to access
> >> the SBS server box locally or remotely. If I am off base, please don't
> >> hesitate to let me know.
> >>
> >> Before we go further, please kindly help me collect some information to
> >> isolate the issue in order to resolve the issue efficiently:
> >>
> >> 1. In current status, Can you logon the server box remotely (from other
> >> client computer)? Can you logon the server box locally (before the server
> >> box)?
> >>
> >> 2. Do you try to use another Administrator user account to test? How about
> >> the result? Do you try to create a new Administrator account using Add User
> >> Wizard (Server Management console -> Users -> Add a User) to test? How
> >> about the result?
> >>
> >> 3. Try to reboot the server box to refresh configuration and then test, how
> >> about the result?
> >>
> >> 4. Which computer local security policy did you change to try to grant the
> >> specific Administrator logon on locally and remotely permissions? Did the
> >> issue that the local security policy can not saved happen on the specific
> >> box random or always time? Does it happen on other computer?
> >>
> >> 5. Can you find any error events in Event Viewer? If yes, please tell me
> >> the detail error information in the newsgroup or mail me the error log for
> >> further analyze.
> >>
> >> Save a text copy of Application /System log:
> >> A. Open Event Viewer: Start -> All Programs -> Administrative Tools ->
> >> Event Viewer.
> >> B. Right-click on Application/System log and select "Save Log File As...".
> >> Please send the log files to my mailbox:v-yanniw@xxxxxxxxxxxxx
> >>
> >> Additionally, I would like to give you some suggestions to try to trouble
> >> shoot the issue:
> >>
> >> I. As you known, the error "The local policy of this system does not permit
> >> you to log on interactively" may occur if the user does not have "logon
> >> locally" user right.
> >>
> >> Please check if the user accounts who can not logon to the server is a
> >> member of either the Remote Operators group or the Domain Power Users
> >> group. On SBS 2003, the "Deny log on locally" policy setting is applied to
> >> the Remote Operators group in the Default Domain Controllers Policy object.
> >> This policy setting also applies to the Domain Power Users group because
> >> the Domain Power Users group is a member of the Remote Operators group.
> >> Since a deny policy always overrides an allow policy, this policy setting
> >> prevents users from logging on to domain controllers in the domain, even if
> >> the "Allow log on locally" policy applies to the same users.
> >>
> >> Remove the Domain Users group or those users from the Remote Users group or
> >> the Domain Power Users group. Try to test, how about the result?
> >>
> >> Please refer to the following KB article to get detail methods:
> >> "The local policy of this system does not permit you to logon
> >> interactively" error message when you try to log on to a computer that is
> >> running Windows Small Business Server 2003 by using an Administrator account
> >> http://support.microsoft.com/?id=841188
> >>
> >> II. And also try to check the following settings:
> >>
> >> 1. On the problematic Workstation, run rsop.msc to check the effective
> >> "Allow logon locally" policy to make sure that the domain users group is
> >> listed. If not, add it into the Default domain policy. In addition, make
> >> sure that the "deny logon locally" policy is not defined in RSOP (Result
> >> set of policy). In addition, check the "Access this computer from network"
> >> policy to make sure that the everyone is listed and the "Deny access to
> >> this computer from the network" is configured properly.
> >>
> >> 2. On the server, open Server Management console, locate Users node, right
> >> click the user account and click Properties, click the Terminal Services
> >> profile tab and make sure that the "Deny this user permissions to logon to
> >> terminal server" option is uncheck.
> >>
> >> 3. To grant guests Logon rights to the RDP-TCP connection, start the
> >> Terminal Services Configuration snap-in, edit the RDP-TCP so that the guest
> >> has at least Logon rights.
> >>
> >> For detail information, please see:
> >> 278433 Accessing Terminal Services Using New User Rights Options
> >> http://support.microsoft.com/?id=278433
> >>
> >> 289289 Remote Desktop Connection "The Local Policy of This System Does Not
> >> http://support.microsoft.com/?id=289289
> >>
> >> I am currently standing by for your test result. I appreciate your time and
> >> efforts to perform test and collect information. I am happy to be
> >> assistance of you!
> >>
> >> Have a nice day!
> >>
> >> Sincerely,
> >>
> >> Jenny Wu
> >> Microsoft CSS Online Newsgroup Support
> >> Get Secure! - www.microsoft.com/security
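Added example, not part of the original thread: the quoted advice says a "Deny log on locally" entry overrides "Allow log on locally", and that it reaches users through nested groups (Domain Power Users is a member of Remote Operators). The Python sketch below evaluates that rule over a constructed stand-in for the [Privilege Rights] section of a `secedit /export /areas USER_RIGHTS` file; the account names, the group nesting table and the function names are assumptions made for illustration.

```python
# Added example: constructed data, not taken from the server in the thread.
import configparser

# Constructed stand-in for an exported [Privilege Rights] section
# (plain names are used here instead of *SID entries).
SAMPLE_INF = """
[Privilege Rights]
SeInteractiveLogonRight = Administrators,Domain Users
SeDenyInteractiveLogonRight = SBS Remote Operators,SBS STS Workers
SeNetworkLogonRight = Everyone
"""

# Constructed nesting table: group -> groups it is itself a member of.
MEMBER_OF = {"Domain Power Users": ["SBS Remote Operators"]}

# Logon type -> (allow right, deny right).
LOGON_TYPES = {
    "interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
}

def parse_rights(inf_text):
    """Return {right name: set of principals} from the INF text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the right names' original case
    cp.read_string(inf_text)
    return {right: {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
            for right, value in cp["Privilege Rights"].items()}

def expand_groups(direct_groups):
    """Follow nested membership so indirect groups are included."""
    seen, todo = set(), list(direct_groups)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(MEMBER_OF.get(group, []))
    return seen | {"Everyone"}  # assumption: every account is in Everyone

def effective_logon(rights, user, direct_groups, logon_type):
    """Return (allowed, denying principals); any deny match wins over allow."""
    allow_right, deny_right = LOGON_TYPES[logon_type]
    principals = expand_groups(direct_groups) | {user}
    denied_by = principals & rights.get(deny_right, set())
    if denied_by:
        return False, sorted(denied_by)
    return bool(principals & rights.get(allow_right, set())), []
```

The second return value names the group that caused the denial, which is the membership to check when an administrator account is refused an interactive logon.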


