Windows 2000 Server Logon Problem

[Jim]

I have setup a Windows 2000 Server that I intend to
eventually load Terminal Services on to. I have joined
the domain and can logon both locally and onto the network.
as long as it's as an Administrator.

The problem I'm having is that I can not add a user and
have them logon with anything less then Administrator
Rights. If I do, I get a message that says,

"The Local Policy of this system does not permit you to
logon interactively".

If I set the user as an Administrator, they can logon
without any problem... But I can't allow that.

I have searched the local policy settings and haven't been
able to locate the correct setting. Please point me in the
right direction.

Thank you,
Jim

 

[pbasham]

Jim

I assume you have promoted this Win2k server to a domain
controller.

On the server, logon with administrative rights
Point Start-Programs-Admin Tools-Domain Controller
Security Policy.
Expand Local Policies-User Rights Assignments.
In the right pane scroll to Log on Locally, right click
and choose security. Here you can add users or groups with
permission to log on to the DC.

Hope this helps
Paul

 

[Jim]

As to whether or not the server was promoted to a domain
controller, I "think" it was, but to be honest I'm not
sure. How can that be proven one way or the other?

 

[pbasham]

Jim
If you can follow my previous instructions, then the
machine is a domain controller.
Another way to check is: When you logon, do you have the
choice of logging on to the local machine? (%computername%
(This Computer) in the bottom drop down box)
Regards
Paul

 

[Jim]

Paul,

Yes I can do these steps and I can choose whether to log
on locally or to the domain. I added users to the local
security list. Unfortunately for whatever reason they
still can't log on unless I give them "Administrator
Rights".

Jim

 

[pbasham]

Jim

Yes I can do these steps and I can choose whether to log
on locally or to the domain.

This machine is not a domain controller. When logging on
to a domain controller the option to logon to the local
machine is not available.

I added users to the local
security list. Unfortunately for whatever reason they
still can't log on unless I give them "Administrator
Rights".

By default, members of the users group, either local or
domain, cannot loggon to server machines.

To resolve this, create a group in Active Directory ie
Terminal Services User Group, add any domain user accounts
who wishes to use the terminal server to this group.

Next, right click the domain name in Active Directory ie
yourdomain.com, choose properties - group policy - edit -
computer configuration - windows settings - security
settings - local policies - user rights assignments.
Scroll down to "log on locally" and add your Terminal
Services User Group.

When the domain users wishes to loggon to the terminal
server, ensure they loggon to the domain on the server,
not the local machine. Note: the terminal server may need
to be rebooted in order to pick up the new domain policy.

Regards
Paul Basham
MCP

 

[Jim]

Paul,

I hope you see this reply... It has been awhile since I
posted. I finally solved the problem due in large effect
to your help. I finally brought the computer back to
square one by loading an image that I created when I
originally set the server up.

As soon as I was back to the start point, terminal
services installed perfectly and works like it is suppose
too. Apparently a registry key did not set correctly when
I originally started or something, because I redid
everything exactly as I had previously done, except this
time it worked. Thank goodness that I made an image
and thank you sir for your input!

Jim