Re: The local policy of this system does not permit you to logon i

Hi,

Check in the security policys, and all GPO's as to whether the Administrator
group is in the "Deny local logon" or anything like that. Denys will always
take precedence over allows.

Is the administrator in any groups other than Administrators and Domain Users?

Is the administrators group itself nested in any other groups?

The problem has to lie somewhere in your Local Security policy, Domain
Security policy or a diferent GPO

Give me a yell if you still have no joy!

Matt

"Franky" wrote:

Hi Matt

Here is my original post (sorry for the duplication)

1) We were asked to look at a SBS 2003 server & found that the group policy
has somehow been altered & we decided to do a complete re-install of the
system. We did a standard install & everything appeared to be running
correctly for about the last month or so we thought, though we had not
rebooted the server at all since we rebuilt it.

2) As this company had no backup device we purchased & shut the server down
& then fitted backup device & brought server up only to find we could not
login to the SBS server using the admin UID & PWD. I started to panic at
this stage as the error given is as follows:-

"the local policy of this system does not allow you to logon interactively"

After checking for this error I followed this guide

http://support.microsoft.com/kb/841188

did not work for me though from the article above I found it was possible to
login to the SBS via RDP & I could use the admin UID & PWD!!

even though I could login the via RDP the problems don't end there as if I
try to run a program using the "run as" command I receive an error advising
:-

"Logon Failure: the user has not been granted the requested logon type at
this computer"

I guess this is because the administrator cannot log on so I then checked
the local policy by running secpol.msc and then checked Security
Settings->Local Policies->User Rights Assignment->Log on Locally

the administrator is already there though I did note that you can not
add/remove any groups

I then checked the Domain Controller Security Policy & checked that the
administrator was allowed to "log on locally" & it is there so I am a little
stumped as to the cause & was hoping someone has been through this before
who can assist

I have also created an additional account with the admin template but I
continue to recevie this error

Any help appreciated

Paul

Thanks in advance

"Matabra" <Matabra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E13FCAED-AA9C-4839-8D42-BCC4C54506F1@xxxxxxxxxxxxxxxx
Franky,

Are you having the problem with the domain admin account or another
account
trying to log onto the server?

Matt

"Franky" wrote:

Hi

I am experiencing exactly this problem & have found no resolution to this
as
of yet

Les has given me some guides to follow though you may want to try the
following guide

http://support.microsoft.com/kb/841188

Hope this helps

Paul

"MSExchangeStudent" <exchangestudent@xxxxxxxxxxxxxx> wrote in message
news:u1nge9vmIHA.5084@xxxxxxxxxxxxxxxxxxxxxxx

"Matabra" <Matabra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3339FAC5-27A7-4B2B-83B6-479E2A2E7FCD@xxxxxxxxxxxxxxxx
The reason for this is that he is trying to log directly onto the
server.
He
will need to be given the "allowed to log on interactively" right

Ok, i will do that.Thanks

I assume this is related to your earlier post.. Do you trust this
person?
if
so, give him Domain Admin rights for long enough to install his app,
then
remove him from that group.
I did that in the meanwhile while waiting for your reply and you
confirm
the same. 100%. thanks you very much

Depends also whether this is a production network or test network, and
what
security policies are in place.

"MSExchangeStudent" wrote:

A user get this when trying to log on directly onto the server with
his
credentials but when i use the exact same credentials and log in via
RDC
from a different location i can get in.

He is allready granted "Allow logon throught terminal
services...right"?
Why is this happening?










.

Relevant Pages

  • Re: Please help refresh my memory on AD DC
    ... When I boot my Laptop I reach the Logon screeen for XP Laptop and here I am ... administrator account. ... account to be able to Login so I can control it from the DC. ... A Server has websites already hosted on it in a Workgroup and now I join it ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... "WEB308\administrator" does not longer exist, because DC's have no local administrator. ... The computer is now member of the domain, if you mean this and still has the local user account. ... "in order to add the server or pc I would have to have a user on the domain to logon to the domain. ... To Logon locally I would use the admin account of the Server 2003 machine. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... they just get the result of that what the domain administrator ... They however cannot logon directly to the physical DC machine. ... administrator account. ... A Server has websites already hosted on it in a Workgroup and now I ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... The users will not see anything of that basically, they just get the result of that what the domain administrator or equivalent configures there. ... They however cannot logon directly to the physical DC machine. ... administrator account. ... A Server has websites already hosted on it in a Workgroup and now I ...
    (microsoft.public.windows.server.active_directory)
  • Re: Remote Desktop Logon to Server
    ... User Rights assignments under Local Policies. ... > person to logon to the server in a restricted mode. ... > change (this was before I put them into the Administrator ...
    (microsoft.public.win2000.networking)