Cant logon to local machine (this computer) as administrator

[James W. Long]

Hi all,

I can log onto the domain account on my clients but I
can not log into thier local accounts anymore.

I really need this back in case they fail or something.

For instance, my domain is called jewelconsulting.org
and I run a Win2000 Adv Server Domain Controller
that is authorative for the jewelconsulting.org domain.

If I go over to my client machine named hal9000,
I can logon as administrator to jewelconsulting fine.

But I cannot logon to HAL9000 (this machine)
as administrator at all.

I get this error message and I dont know how to
fix it, some help would be greatly appreciated.

" The policy of this system does not permit you
to logon interactively."

How do I fix this and where? on the DC or
on the local machine?

Thank you in advance,
James W. Long.

 

[Guest]

Sounds like the Security Policy setting "Deny Logon
Locally" has a group in there that doesnt belong. This KB
article describes your error exactly KB276580. If not take
a look at these KB 285793 and 826903

 

[Steven L Umbach]

As mentioned, the logon locally or deny logon locally user right are configured to
prevent administrator or local users from logging on locally. That could be
configured at the local or domain/OU level. I would logon to the local machine as
domain admin and look in Local Security Policy/security settings/local policies/user
rights for the mentioned user rights. Use secpol.msc to bring up Local Security
Policy. If you can reconfigure those rights at the local level, then that is where it
was configured at. If the local settings are grayed out and differ from the
"effective" settings the policy came from a higher priority level such as domain and
OU. I would first check the container the computer is in such as OU or domain. You
can run gpresult on that computer to see what computer policies are being applied to
it and any one of those GPO's listed could be the culprit. --- Steve

 

[James W. Long]

Steven:
yes there was a difference between local setting and effective setting.
I had to fix it at the domain level by taking out my settings there.

Then I could get in to the local machine as administrator. .


One coment I would like to make,
It would be nice If the domain controller could see the local accounts which
reside on client machines and be able to work with those.

for instance I would have liked to add HAL9000\Administrator
to "Log on Locally" and have it apply to HAL9000.
this was almost the case in KB article 826903, BUT
HAL9000\Administrator is not available in the directory from the DC,
which is in jewelconsulting.org, nor is it available in the full directory.

Once having removed my stipulated accounts from domain level,
it worked.

it works now, and thank you for that great information!

I later cleaned up the mess by stipulating in each client.

James W. Long.

 

[James W. Long]

Dear Anonymous:
and Steven, If you're reading this, I miswrote your reply, its article
285793 my comment.is about.

Thank you for the references to those articles, they helped me to solve the
problem,
in particular 276580 and 285793.

Yes, there was a difference between local setting and effective setting.
I had to fix it at the domain level by taking out my stipulated "log on
locally" settings there.

Then I could get in to the local machine as administrator. .



Regarding 285793:
It would be nice If the domain controller could see the local accounts which
reside on client machines and be able to work with those as well.

For instance I would have liked to add HAL9000\Administrator
to "Log on Locally" and have it apply to HAL9000.

This was _almost possible in KB article 285793, BUT
"HAL9000\Administrator" is not available in the directory from the DC,
which is jewelconsulting.org, nor is it available in the full directory.

Once having removed my stipulated accounts from the domain level,
it worked.

it works now, and thank you for that great information!

I later cleaned up the mess by stipulating in each client.

James W. Long.