Re: The local policy of this system does not permit you to logon i



Hi Les

Well I had a conversation with Dell before I contact Microsoft & they
located the following error in the logs though said they could find no real
problem with any of the group policies or permissions.

This is the error they located

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 15/04/2008
Time: 14:57:05
User: N/A
Computer: Server1
Description:
Security policies were propagated with warning. 0x534 : No mapping between
account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com.
Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects
(GPOs) could not be resolved to a SID. This error is possibly caused by a
mistyped or deleted user account referenced in either the User Rights or
Restricted Groups branch of a GPO. To resolve this event, contact an
administrator in the domain to perform the following actions:

1. Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem
account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This
most likely occurs because the account was deleted, renamed, or is spelled
differently (e.g. "JohnDoe").

2. Use RSoP to identify the specific User Rights, Restricted Groups, and
Source GPOs that contain the problem accounts:

a. Start -> Run -> RSoP.msc
b. Review the results for Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment and Computer
Configuration\Windows Settings\Security Settings\Local Policies\Restricted
Groups for any errors flagged with a red X.
c. For any User Right or Restricted Group marked with a red X, the
corresponding GPO that contains the problem policy setting is listed under
the column entitled "Source GPO". Note the specific User Rights, Restricted
Groups and containing Source GPOs that are generating errors.

3. Remove unresolved accounts from Group Policy

a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in..."
c. From the "Add/Remove Snap-in" dialog box select "Add..."
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and
click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g. For each source GPO identified in step 2, correct the specific User
Rights or Restricted Groups that were flagged with a red X in step 2. These
User Rights or Restricted Groups can be corrected by removing or correcting
any references to the problem accounts that were identified in step 1.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Can anyone shed any light please??

Thanks in advance

Paul

"Les Connor [SBS MVP]" <les.connor@xxxxxxxxxxxx> wrote in message
news:196B2A66-81E9-4477-8DD7-49CE7BFAC801@xxxxxxxxxxxxxxxx
mobile users is the problem, I believe.

--
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us


"Franky" <frankie_600@xxxxxxxxxxxxx> wrote in message
news:5MadnU4A2_r8xGLanZ2dnUVZ8tignZ2d@xxxxxxxxx
Hi Matabra

I have checked the security policies & the administrator profile is not
in any of the "Deny" settings. I then had a look (& that's all I did) as
I am not too comfy with GPOs so any additional advice would be most
welcome.

The administrator is a member of the following:-
Administrators, Domain Admins, Domain Users, Enterprise Admins, Group
Policy Creator Owners, Mobile Users & Schema Admins

Is this correct? I assumed so from previous information I have
researched.



"Matabra" <Matabra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6F27FAEA-F704-4A58-8E2D-7F652097BA70@xxxxxxxxxxxxxxxx
Hi,

Check in the security policies, and all GPOs as to whether the Administrator
group is in the "Deny local logon" or anything like that. Denies will always
take precedence over allows.

Is the administrator in any groups other than Administrators and Domain
Users?

Is the administrators group itself nested in any other groups?

The problem has to lie somewhere in your Local Security policy, Domain
Security policy or a different GPO.

Give me a yell if you still have no joy!

Matt

"Franky" wrote:

Hi Matt

Here is my original post (sorry for the duplication)

1) We were asked to look at a SBS 2003 server & found that the group policy
has somehow been altered & we decided to do a complete re-install of the
system. We did a standard install & everything appeared to be running
correctly for about the last month or so we thought, though we had not
rebooted the server at all since we rebuilt it.

2) As this company had no backup device we purchased & shut the server down
& then fitted backup device & brought server up only to find we could not
login to the SBS server using the admin UID & PWD. I started to panic at
this stage as the error given is as follows:-

"the local policy of this system does not allow you to logon interactively"

After checking for this error I followed this guide

http://support.microsoft.com/kb/841188

did not work for me though from the article above I found it was possible to
login to the SBS via RDP & I could use the admin UID & PWD!!

Even though I could login via RDP the problems don't end there as if I
try to run a program using the "run as" command I receive an error advising:-

"Logon Failure: the user has not been granted the requested logon type at
this computer"

I guess this is because the administrator cannot log on so I then checked
the local policy by running secpol.msc and then checked Security
Settings->Local Policies->User Rights Assignment->Log on Locally

The administrator is already there though I did note that you can not
add/remove any groups.

I then checked the Domain Controller Security Policy & checked that the
administrator was allowed to "log on locally" & it is there so I am a little
stumped as to the cause & was hoping someone has been through this before
who can assist.

I have also created an additional account with the admin template but I
continue to receive this error.

Any help appreciated

Paul

Thanks in advance

"Matabra" <Matabra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E13FCAED-AA9C-4839-8D42-BCC4C54506F1@xxxxxxxxxxxxxxxx
Franky,

Are you having the problem with the domain admin account or another account
trying to log onto the server?

Matt

"Franky" wrote:

Hi

I am experiencing exactly this problem & have found no resolution to this as
of yet

Les has given me some guides to follow though you may want to try the
following guide

http://support.microsoft.com/kb/841188

Hope this helps

Paul

"MSExchangeStudent" <exchangestudent@xxxxxxxxxxxxxx> wrote in message
news:u1nge9vmIHA.5084@xxxxxxxxxxxxxxxxxxxxxxx

"Matabra" <Matabra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3339FAC5-27A7-4B2B-83B6-479E2A2E7FCD@xxxxxxxxxxxxxxxx
The reason for this is that he is trying to log directly onto the server. He
will need to be given the "allowed to log on interactively" right

Ok, I will do that. Thanks

I assume this is related to your earlier post.. Do you trust this person? If
so, give him Domain Admin rights for long enough to install his app, then
remove him from that group.
I did that in the meanwhile while waiting for your reply and you confirm
the same. 100%. Thank you very much

Depends also whether this is a production network or test network, and what
security policies are in place.

"MSExchangeStudent" wrote:

A user gets this when trying to log on directly onto the server with his
credentials but when I use the exact same credentials and log in via RDC
from a different location I can get in.

He is already granted "Allow logon through terminal services...right"?
Why is this happening?
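
Steps 1 and 2 of the Event ID 1202 text quoted in the first message, as an added PowerShell example that is not part of the thread: it pulls the names after "Cannot find" out of winlogon.log lines and lists which user rights in a security template still reference them, marking the two rights that govern local logon. The log lines and template below are constructed samples, and the function names are hypothetical.

```powershell
# Constructed sample lines; layout assumed from the event text's "Cannot find JohnDough." example.
$winlogonLog = @'
04/15/2008 14:57:03  Configure User Rights...
    Cannot find JohnDough.
    Cannot find OldBackupSvc.
'@ -split '\r?\n'

# Constructed template in the layout of "secedit /export /cfg rights.inf /areas USER_RIGHTS" or a GPO's GptTmpl.inf.
$template = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,JohnDough
SeDenyInteractiveLogonRight = OldBackupSvc
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
'@ -split '\r?\n'

function Get-UnresolvedAccount {   # hypothetical helper name
    param([string[]]$LogLine)
    # Step 1: the name follows "Cannot find"; drop the trailing period.
    foreach ($line in $LogLine) {
        if ($line -match 'Cannot find\s+(.+?)\.?\s*$') { $Matches[1] }
    }
}

function Get-UserRightReference {  # hypothetical helper name
    param([string[]]$TemplateLine, [string[]]$Account)
    $inSection = $false
    foreach ($line in $TemplateLine) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            foreach ($member in ($Matches[2] -split ',')) {
                $name = $member.Trim()
                # Entries starting with * are SIDs; anything else is stored as a name.
                if ($name.StartsWith('*')) { continue }
                if ($Account -contains ($name -split '\\')[-1]) {
                    [pscustomobject]@{
                        Right = $right; Account = $name
                        GovernsLocalLogon = $right -in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'
                    }
                }
            }
        }
    }
}
$unresolved = Get-UnresolvedAccount -LogLine $winlogonLog | Sort-Object -Unique
Get-UserRightReference -TemplateLine $template -Account $unresolved | Format-Table -AutoSize
```

On a live server, replace the two sample variables with Get-Content of %SYSTEMROOT%\Security\Logs\winlogon.log and of the exported template; SeInteractiveLogonRight and SeDenyInteractiveLogonRight are the template names for "Allow log on locally" and "Deny log on locally".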