Re: Local policy of this system does not permit you to logon interactively

---

• From: Mike Edgewood <itmags@xxxxxxxxx>
• Date: Thu, 9 Oct 2008 13:18:08 -0700 (PDT)

---

Thanks for the reply:

"Remote Desktop Users" already in Allow Logon To Term....

Logged on to client as domain\Administrator, gpedit.msc, under User
Rights Assignment nothing is defined. Add User or Group... grayed
out.
"This setting is not compatible with computers using Windows 2000
Service Pack 1 or earlier. Apply Group Policy objects containing this
setting only to computers running a later version of the operating
system."

The client machine is WinXP with all the latest service packs,
patches, hotfixes, etc installed. (WSUS)

Following the instructions for GPMC I am confronted with the following
message on the second click of the Wizard:
GPMC -> Wizard -> "Another Computer" <client name> (next>>)

Failed to connect to <<client computer name>> due to the error listed
below. Ensure that the Windows Management Instrumentation (WMI)
service is enabled on the target computer, and consult the event log
of the target computer for further details:
DETAILS: The RPC server is unavailable

I see nothing in the event log of the client machine relating to this.

The user in question is a Member Of:
Domain Users
Internet Users
CompanyName
Mobile Users
Remote Desktop Users
Remote Web Workplace Users






On Oct 9, 4:53 am, v-mil...@xxxxxxxxxxxxxxxxxxxx (Miles Li [MSFT])
wrote:

Hello Mike,

Thank you for posting here.

According to your description, I understand that:

You try  to log onto the client computer through RWW (remote desktop) with
a user account that is removed from the Domain Admin group. A message "the
local policy of this system does not permit you to logon interactively" is
prompted.

If I have misunderstood the problem, please don't hesitate to let me know..

Explanations:
======================
By default, the Administrators group is granted the permission to log onto
the SBS domain clients through terminal service. As you have removed the
user from the Domain Admins group, that user no longer belongs to the
Administrative group and you will fail to log onto the client via TS with
that account. To correct that, you can verify the following setting on the
client:

1. The user account  is in the Remote Desktop Users group on the client
computer

2. The Remote Desktop Users group is granted the permission to logon
through TS. To verify that:

a) Run gpedit.msc in the command prompt to open the local computer policy..\
b) Locate the Allow logon through terminal service policy setting in
Computer Configuration--->Windows Settings--->Security settings--->Local
polices--->User rights assignments.
c) Make sure Remote Desktop Users group is listed in it. If not, try to
manually add it.

Instead checking only local group policy, I suggest you using the following
steps to check whether a custom group policy has defined user right.

1. Logon to a client as administrator, click Start -> Run, type "rsop.msc"
in the text box, and click OK.
2. Locate the [Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment] item.
3. Check the "Allow log on through Terminal Services" item to see whether
this policy is defined. If so, the "Source GPO" column displays the policy
that defines this policy. Please ensure "Administrators", "Remote Desktop
Users", and any other desired users are granted this right. If it is
different, please configure the corresponding policy to grant the
permission.
4. Check the "Deny log on through Terminal Services" item to see whether
this policy is defined. If so, the "Source GPO" column displays the policy
that defines this policy. Please ensure that the user or any user groups
that remote user belongs to is not included in this right. If so, please
modify the corresponding policy to remove them.
5. Click Start -> Run, type "cmd" in the text box, and click OK.
6. Run the following command to refresh policy:

Gpupdate /force

7. Wait for a while so that the group policy is replicated and then try to
connect to the server again.

In addition, please collect the following information if the problem
continues:

1)            Download and install the GPMC tool from the following link:http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CB...
9272-DD3CBFC81887&displaylang=en
2)            Go to Start -> Run, type GPMC.MSC, it will load the GPMC
console
3)            Right click on "group policy result" and choose wizard to
generate a report for a client and the problematic user. (Choose computer
and select the properly user in the wizard)
4)            Right click the generated group policy report and click
"group policy result" => save report to save the report to a HTML file and
send it to me at v-mil...@xxxxxxxxxxxxxx

886620                   "The local policy does not permit you to logon
interactively" error message when users try to connect to a Windows Small
Business Server 2003-based computer by using the Remote Desktop clienthttp://support.microsoft.com/kb/886620

Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.

Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! -www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.

---

• References:
  • Local policy of this system does not permit you to logon interactively
    • From: Mike Edgewood
  • Re: Local policy of this system does not permit you to logon interactively
    • From: Merv Porter [SBS-MVP]
  • Re: Local policy of this system does not permit you to logon interactively
    • From: Miles Li [MSFT]

• Prev by Date: Re: Keep getting login failure for user "inna" on multiple servers
• Next by Date: Re: Domain server re-install
• Previous by thread: Re: Local policy of this system does not permit you to logon interactively
• Next by thread: Re: Local policy of this system does not permit you to logon interactively
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Local policy of this system does not permit you to logon interactively ... You try to log onto the client computer through RWW with ... local policy of this system does not permit you to logon interactively" is ... The user account is in the Remote Desktop Users group on the client ... (microsoft.public.windows.server.sbs) RE: Drive Redirection and Group Policy on the Client PC ... should be handled by the remote desktop software running on the client. ... Since the client software is hosting the endpoint for the drive redirection I ... > security policy, or any applied to it by domain membership. ... (microsoft.public.win2000.termserv.apps) Re: XP "Remote Desktop" disabled ... To enable/disable Remote Desktop on the XP Pro Remote Desktop host via a Group Policy go to ... "Allow users to connect remotely using Terminal Services", policy and configure as needed. ... Reinstalling the client won't help... ... "Colin M. McGroarty" wrote in message ... (microsoft.public.windowsxp.work_remotely) Terminal Server ... Specifying the port number that way does not work with any ... Remote Desktop client. ... >>tends to limit you to the Windows 2000 Terminal Service ... (microsoft.public.windows.server.sbs) Re: GPO causing client security logs to fill? ... a virus in play. ... settings to be applied on your client workstations. ... Group Policy is a complex and often misunderstood beast. ... I modified the account ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)