Re: Local policy of this system does not permit you to logon interactively



Hello Mike,

Thank you for posting here.

According to your description, I understand that:

You try to log onto the client computer through RWW (remote desktop) with
a user account that is removed from the Domain Admin group. A message "the
local policy of this system does not permit you to logon interactively" is
prompted.

If I have misunderstood the problem, please don't hesitate to let me know.

Explanations:
======================
By default, the Administrators group is granted the permission to log onto
the SBS domain clients through terminal service. As you have removed the
user from the Domain Admins group, that user no longer belongs to the
Administrative group and you will fail to log onto the client via TS with
that account. To correct that, you can verify the following settings on the
client:

1. The user account is in the Remote Desktop Users group on the client
computer

2. The Remote Desktop Users group is granted the permission to logon
through TS. To verify that:

a) Run gpedit.msc in the command prompt to open the local computer policy.
b) Locate the Allow logon through terminal service policy setting in
Computer Configuration--->Windows Settings--->Security Settings--->Local
Policies--->User Rights Assignment.
c) Make sure the Remote Desktop Users group is listed in it. If not, try to
manually add it.


Instead of checking only the local group policy, I suggest using the following
steps to check whether a custom group policy has defined the user right.

1. Log on to a client as administrator, click Start -> Run, type "rsop.msc"
in the text box, and click OK.
2. Locate the [Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment] item.
3. Check the "Allow log on through Terminal Services" item to see whether
this policy is defined. If so, the "Source GPO" column displays the policy
that defines this policy. Please ensure "Administrators", "Remote Desktop
Users", and any other desired users are granted this right. If it is
different, please configure the corresponding policy to grant the
permission.
4. Check the "Deny log on through Terminal Services" item to see whether
this policy is defined. If so, the "Source GPO" column displays the policy
that defines this policy. Please ensure that neither the user nor any user
group that the remote user belongs to is included in this right. If they are,
please modify the corresponding policy to remove them.
5. Click Start -> Run, type "cmd" in the text box, and click OK.
6. Run the following command to refresh policy:

Gpupdate /force

7. Wait for a while so that the group policy is replicated and then try to
connect to the server again.

In addition, please collect the following information if the problem
continues:

1) Download and install the GPMC tool from the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
2) Go to Start -> Run, type GPMC.MSC, it will load the GPMC console
3) Right click on "group policy result" and choose wizard to generate a
report for a client and the problematic user. (Choose computer and select
the proper user in the wizard)
4) Right click the generated group policy report and click "group policy
result" => save report to save the report to a HTML file and send it to me
at v-mileli@xxxxxxxxxxxxxx


886620 "The local policy does not permit you to logon interactively" error
message when users try to connect to a Windows Small Business Server
2003-based computer by using the Remote Desktop client
http://support.microsoft.com/kb/886620

Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.


Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
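
The allow/deny check from the RSoP steps above, as an added example that is not part of the original post: it parses the text of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` dump taken on the client and reports whether a set of SIDs (the user plus its groups) receives the Terminal Services logon right. The function names and the sample export are constructed for illustration; S-1-5-32-544 and S-1-5-32-555 are the well-known SIDs of Administrators and Remote Desktop Users.

```python
ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services

# Constructed sample export; the S-1-5-21-... domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1150
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names appear bare.
            rights[name.strip()] = {p.strip().lstrip("*").upper()
                                    for p in value.split(",") if p.strip()}
    return rights

def check_ts_logon(rights, token):
    """token: SIDs/names of the user and of every group it belongs to."""
    token = {t.upper() for t in token}
    denied = rights.get(DENY, set()) & token
    if denied:                       # a deny entry overrides any allow entry
        return "blocked", sorted(denied)
    allowed = rights.get(ALLOW, set()) & token
    if allowed:
        return "permitted", sorted(allowed)
    return "not granted", sorted(rights.get(ALLOW, set()))

if __name__ == "__main__":
    # The user's own SID (made up) plus Remote Desktop Users and Users.
    user = {"S-1-5-21-1111111111-2222222222-3333333333-1105",
            "S-1-5-32-555", "S-1-5-32-545"}
    print(check_ts_logon(parse_privilege_rights(SAMPLE_INF), user))
```

In the sample, the user is a member of Remote Desktop Users but only Administrators holds the allow right, which is the situation the post describes after removal from Domain Admins.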
