log on locally problem in W2K pro & server

H

Harold Youtzy

I am presently working with a client that has a global
security group defined within an user OU of the domain.
User Jane is a member of that global security group.
That global security group is one of the members listed in
the global policy of the default domain controllers with
log on locally rights. If I remove Jane from the global
security group and place her individually in the default
domain controllers policy for log on locally rights, then
she is unable to log onto her W2K pro workstation.
When a member of the global security group, Jane's local
group policy of the W2K workstation for log on locally
rights, shows the global security group as an empty box
under local policy setting and a greyed-out checked box
under effective policy setting, and she is able to log
onto her W2K workstation.
I do not understand how removing her from the global
security group, yet placing her in the log on locally list
on the default domain controller policy would not permit
her to log on to her W2K workstation. Shouldn't the right
be the same whether she is a member of a group given the
log on locally right or listed indidually in that same
right? Help me to understand why this is not so.
 
D

Derek Melber [MVP]

It appears that you are dealing with resultant set of policies and policy
precedence. Your scenario indicates that membership in this group is
essential for logging on locally to most computers in your enterprise, which
is not the default. So, you might want to check if any GPOs have been
altered for the logon locally user right. (client computers and servers have
Authenticed Users as having the ability to logon locally, DCs do not.)

When you see a gray box for the User rights, that means that that setting is
coming from a GPO that is linked to the site, domain, or OU, where that
computer account resides in the AD. (User rights are computer policies, not
user policies). So, when Jane is in the group, she can logon locally, but
when you move her out of the group, she can't, since she is in no group that
gives her that ability.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Logon locally 3
log on locally problem 1
no log on locally for administrators 1
Cannot Logon Locally 2
Local Policy doesn't allow logon interactively 3
Incorrect GPResult result 3
Log on Locally 1
Allowing user to logon locally to WIndows 2003 Server 3

Top