Cannot Log On Locally

[Dave]

We have a Windows 2000 domain.

I added a new windows xp pro computer to the domain. When the user tried to
authenticate, they received a message saying that the local policy
prohibited them from logging on locally.

I moved the comouter to the "log on locally" OU but they still got the
message. I temporarly made them a Dom Admin and they _could_ log on.

Why can't a domain user log on locally to an XP workstation? What do I need
to do to give them access as a domain user?

 

[Ovidiu Popa]

Because that's the domain policy and that supersedes any local policy
(that's the price if you want to log into the domain). You need your domain
admin support.

Ovidiu Popa
MVP

 

[Dave]

Thr "price" for logging on to the network is that you can't log on?

As a domain user you can't log on locally to a domain controller. But, by
default, you should be able to log on locally to an XP workstation. All
domain users need to do this.

Perhaps someone changed the domain security policy regarding log ons. Where
do I look to find out?

 

[Ovidiu Popa]

When joining a domain, the Domain Administrators group is automatically aded
to the Local Administrators. Therefore, a domain administrator can enforce
on the local machine whatever policies they like. If a domain administrator
wants to deny local logon, even to local administrators, then they can do
it.

Run gpedit.msc and check under Computer Configuration, Windows settings,
Security settings, Local Policies, User Rights, Log On Locally.

Ovidiu Popa
MVP

 

[Dave]

Thank you Ovidiu

When I look at the Log On Locally right, I see certain users and groups are
included but the "Add" button is disabled (grayed out). I cannot add Domain
Users.

How do I enable this functionality?

Also, in the Deny Log on Locally right, I see two users, one is a regular NT
user account and the other is some type of GUID (e.g., * S-1-5-21...). How
do I find out what account this GUID relates to?

Thanks
DAve