The local policy of this system does not permit you to logon interactively.

[robert oytun]

All of a sudden in our network, no one can logon to their
local computer
even as a local admin, we have searched google and MS,
solutions did not
help, no luck. It has related to local policy but we
cannot locate. Some
Domain local policy passed on to the local policy of the
local machines.

We are using w2k servers and desktops.

If we disjoined the domian we can logon to the local
machine.
if we rejoin the machines to the domain and try to logon
with the local
account we get "The local policy of this system does not
permit you to logon
interactively". As a domain user we can logon without any
problems.

DC s are replicating without an error.

Any Suggestion?
Thx.
Robert

 

[Tom Ausburne]

There is a good article on this:

285793 Error Message: The Local Policy of This System Does Not Permit
You to
http://support.microsoft.com/?id=285793

You did say that no one could logon to their local computer. I am
assuming that you mean that no one can logon to the domain from their
local computer.

The problem could also be that someone has removed the Everyone Group
from the "Access this computer from the network" user right and has
not replaced it with the appropriate user or group accounts. This
would cause users not to be able to logon to the domain.


Tom Ausburne (MSFT)
Windows 2000 Directory Services
This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[Robert Oytun]

If the computer is a part of the domain, users can log on
to the domain but not to the local machine domain.

Everyone is still there.....

We have tried many of the fixes posted (285793,276580,
279664, 152478)... The "Deny logon locally" policy is not
defined on our PDC or BDC.

It should not make any difference but lately, we have
deployed Panda Antivirus Enterprise eddition, and 3 weeks
ago we have pulled the DHCP server from Active directory,
currently we are using 3rd party DHCP server.

Thank you

Robert Oytun

 

[Tom Ausburne]

If you can log on to the domain then it's most likely the Local
Security Policy of the machine causing the issue. While you are
logged on look at the same settings on the Local Security Policy and
make sure that Everyone has rights to log on locally.


Tom Ausburne (MSFT)
Windows 2000 Directory Services
This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[Steven L Umbach]

Tom. I have a question about the KB285793. To quote it says " This issue may occur if
the "Deny logon locally" policy is set on your computer". Actually it may also occur
if a user does not have "logon locally" user right.

The problem is that the solution entails moving the problem computer into an OU with
a GPO configured with users/groups in the "logon locally" user right in order for it
to override Local Security Policy where the user/groups may be missing. However if
the reason that a user can not log on is because his account or a group he belongs to
is in the "deny logon locally" user right - as the KB infers, the solution in
KB285793 will not fix it because the "deny logon locally" user right will still be in
effect in Local Security Policy and the user will not be able to logon because the
"deny logon locally" right overrides a user having the "logon locally" user right.

Therefore in addition to what is described in KB285793 as far as adding users/groups
to "logon locally" user right, I believe that it should also should entail
configuring the "deny logon locally" user right by defining it and not adding any
groups or perhaps adding just the guest account if that would be less confusing to
users. Doing such would override any settings for "deny logon locally" in the Local
Security Policy. After they regain access, they probably should also be reminded to
correct Local Security Policy in case down the road they move the computer out of the
OU and the logon problem returns.

Thanks. --- Steve MVP Windows Security

 

[Tom Ausburne]

Hi Steve,

You are right on the money with this one. I believe the article is
assuming that you
have a Local policy that has had users or groups removed and not
explicitedly denied.
If this is the case then your option is the only logical choice.


Tom Ausburne (MSFT)
Windows 2000 Directory Services
This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[Steven L Umbach]

Hi. Tom.

Thanks for the reply.
I just brought it up because I have come across users that have used the method
described without any luck until I suggested that they define the "deny logon
locally" user right that fixed the problem for them. Not sure how they got there in
the first place, but I just try to help them out.

Thanks. --- Steve