Windows XP and 2000 domain

JackH

Issue:

In the past I have had to manually add a user to an XP machine as a local admin for them to be able to log on. I have added logon locally rights to the domain policy for domain users; this now allows them to log onto a PC without me having to do the above. However, they have very minimal rights on the PC. They cannot change the time, add a printer, etc.

How can I allow them to perform certain tasks once they have logged in? I assume there is something in the domain group policy for this.

The other question I have: is there a way to force an XP machine to automatically lock (not log off) after a specified number of minutes?

Thanks!!
 
Cary Shultz [A.D. MVP]

Jack,

There is something funny going on. I have never heard of having to add a domain user account object to any local user Group (of the specific workstation) so that they can log onto the domain. In your second sentence (well, actually third!) you then state that they have minimal rights on the machine! This completely and utterly contradicts the first sentence.

Are the computer account objects a member of the domain?

To what DNS Server do these computers point?

Are there any local policies that might restrict this sorta thing?



--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



News Scene

Originally when I would give an XP machine to an employee, I would have to log on and add their account to the PC as a local admin and then they could log onto the domain. If I kept it standard (Power User) in XP, when they would try to log on it would say logon policy of the local machine does not permit you to log on.

So, I just tried this: I added the domain users in the domain global policy log on locally rights. Then any domain user was able to go up to an XP machine and log in. However, they have minimal rights. They can't change the time or anything. Does this make sense?

I kind of like that idea but some things are too restrictive. If this is the wrong way, what is the correct way and what would be the best group to put them in? Maybe I am confused.

Thanks!!!

JackH

I've done a little test with my domain at home. I created testuser, a member of domain users.

Logged off my XP machine and on as testuser to the domain. I received the exact same result as I do at work. Logged in and could not change the time or anything. So, I think I am on the right track, but restrictions are a bit tight. I want employees to be able to run applications. If I install an application under a logon account that has admin privileges and then log back in as the user, they cannot run the application. Does this help?

Thanks,

Jack




JackH

To clarify,

I had added log on locally for domain users under the default domain policy. It is not under the default domain controller policy. :)


Cary Shultz [A.D. MVP]

Jack,

This is a bit weird. I would say that something is not correct. Doh! We know that already. Your network at home: did you use the same Windows Server CD-Media as at your work?

What is the exact message that they get? Is it 'The local policy of this system does not permit you to log on interactively'?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com





Cary Shultz [A.D. MVP]

Jack,

Sorry. Should have included this also on my last post.

At your home test lab, why don't you try resetting the Default Domain Policy back to the defaults. There is an MSKB Article on how to do this. Here is the link:

http://support.microsoft.com/?kbid=226243

Remember, do this at home.....NOT at work.
--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com




News Scene

That is the error. I looked at my domain policy at home and the only thing I see is that I have nothing under log on locally for my domain policy at home. Interesting.

News Scene

Sounds good.