Effective Setting Greyed Out and Cannot Invoke Settings in 'Log on locally'

Zack Schneeberger

I have spent 5 hours trying to figure out this problem. We have a
server that is part of the Domain and is running Windows 2000 Server.
I am trying to modify the 'Log on locally' policy setting.

After I click on 'Log on locally', the 'Effective Policy Setting' for
the groups that I want to log on locally is greyed out and unchecked.
So that leads me to the conclusion that a Domain Level Policy is being
pushed down right?! Well wrong! I have scanned 'Domain Security
Policy' and the 'Default Domain Policy' and there is no reference to
'Deny Local Logon' to any group which is maybe why the 'Effective
Policy Setting' is greyed out and unchecked for certain groups in the
'Log on locally' policy setting.

Why is the 'Effective Policy Setting' greyed out and unchecked for
groups in my 'Log on locally' policy setting? It appears that there is
nothing denying their existence locally.

Thanks in Advance,
Zack
 
Steven L Umbach

If this is a domain controller it has to be configured in Domain Controller Security
Policy. You can also use the gpresult support tool on a domain computer to see what
"computer" configuration GPO's are applied to that computer [not user]. A GPO from
anywhere other than local could have that policy enabled for computer
configuration. --- Steve
 
Zack Schneeberger

Thanks for the fast reply Steve. It is not a DC so I am guessing that
it would not be configured in the Domain Controller Security Policy
but rather the 'Default Domain Policy.' I checked there; here is what
I found:
- 'Administrator' is the only group given permission in Allow Local
Logon
- There is nothing in the 'Deny Local Logon' attribute

So since nothing is being denied I should still be able to add users
in my 'Local Security Policy' right? But I am not able to. I have no
idea why.

Zack

Steven L Umbach

If it is not a domain controller and you can not modify Local Security Policy for
that user right then there is a higher GPO applying the policy. If you run gpresult
/c on that computer it will show you what GPO's are applying computer configuration
and those would be the ones to check. From what you describe it may be the Domain
Security Policy. If you open Domain Security Policy you should be able to add
users/groups you want to have logon locally access. Then run secedit /refreshpolicy
machine_policy /enforce first on the domain controller and then on your server to see
if that helps. Note that user rights can be defined without any entries which means
the policy is enabled and no one has that user right. Group/security policy is
applied in this order local>site>domain>OU>child OU. If policy is applied via a
defined setting in multiple GPO's the last policy applied is the effective policy
unless GPO filtering/no override/block inheritance is used. If there are multiple
GPO's in a container, the GPO at the top of the list has highest priority. The domain
controller container should be considered an OU for policy application. --- Steve


Zack Schneeberger

When I run gpresult /C I get this (along with other info, but this is
the important stuff):

===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
Default Domain Policy

So I see I can add 'Log On Locally' rights at the Default Domain
Policy but I don't want to do that because it will allow those users
to log into every computer in the domain. BAD. I just want one set of
users to log in locally into this one computer so I should be able to
go into 'Local Group Policy' and add the group right? But I cannot.
And nothing is denying anyone rights.

I want just one set of users to be able to log into this one box.

Zack


Steven L Umbach

Create an Organizational Unit for that computer. Then create a new GPO for that OU
and configure the logon locally user right to be what you want for computers in that
OU. All other Group/security policy will be inherited for computer configuration,
just that one defined user right will override both local and domain policy. Move the
computer into that OU and run secedit /refreshpolicy machine_policy /enforce on the
domain controller and then reboot your computer in the new OU and you should be in
business. You can create a new OU by selecting the domain in AD Users and computers,
right click and select new/OU. Then for the OU select properties/Group Policy - new
to create a new GPO linked to that OU. Name it appropriately and select edit to modify
it. You then need to go to computer configuration/Windows settings/security
settings/local policies/user rights. --- Steve
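
The precedence rules described in this thread (local > site > domain > OU > child OU, last defined setting wins, top of a container's list has highest priority) can be modelled in a few lines. This is an added example, not code from either poster: it shows why the local setting is greyed out while Default Domain Policy defines the right, and why an OU-linked GPO fixes it. The names 'Server Logon GPO' and 'EXAMPLE\AppOperators' are hypothetical, and no override, block inheritance and GPO filtering are left out of the model.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Application order as given in the thread: local > site > domain > OU > child OU.
LEVELS = ["local", "site", "domain", "ou", "child_ou"]

@dataclass
class GPO:
    name: str
    level: str
    # None = 'Log on locally' not defined here; set() = defined with no entries.
    logon_locally: Optional[Set[str]] = None
    priority: int = 1  # position in the container's GPO list, 1 = top of list

def effective_logon_locally(gpos):
    """Return (winning GPO name, accounts); (None, None) if no GPO defines it."""
    # The top-of-list GPO in a container is applied last, so it wins there.
    ordered = sorted(gpos, key=lambda g: (LEVELS.index(g.level), -g.priority))
    winner, accounts = None, None
    for gpo in ordered:
        if gpo.logon_locally is not None:  # an undefined setting changes nothing
            winner, accounts = gpo.name, set(gpo.logon_locally)
    return winner, accounts

def local_setting_is_effective(gpos):
    """False when a GPO above Local Group Policy defines the right."""
    winner, _ = effective_logon_locally(gpos)
    return winner is None or any(g.name == winner and g.level == "local" for g in gpos)

# Constructed sample data; 'Server Logon GPO' and 'EXAMPLE\\AppOperators' are hypothetical.
BEFORE = [
    GPO("Local Group Policy", "local", {"Administrators", "EXAMPLE\\AppOperators"}),
    GPO("Default Domain Policy", "domain", {"Administrators"}),
]
AFTER = BEFORE + [
    GPO("Server Logon GPO", "ou", {"Administrators", "EXAMPLE\\AppOperators"}),
]
# A right defined with no entries: the policy is enabled and nobody holds it.
EMPTY = [GPO("Local Group Policy", "local", {"Administrators"}),
         GPO("Default Domain Policy", "domain", set())]

if __name__ == "__main__":
    for label, gpos in (("before", BEFORE), ("after", AFTER), ("empty", EMPTY)):
        print(label, effective_logon_locally(gpos), local_setting_is_effective(gpos))
```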

