cannot login locally to 2k servers after live comm server install

[Guest]

I installed Live Communications Sever 2k5 on a Windows 2k3 Server(DC). Now
on all my 2k member servers, I cannot login to the system with the
Administrator account on the domain. The servers are under an OU in my AD
which is governed by a GP. I have changed that GP to specifically allow
logon locally to the Administrator account, but it does not affect the
action.

Here's where it gets really nuts. When I use ntrights to revoke the deny
permission ( -r SeDenyInteractiveLogonRight), and to grant the allow
permission (+r SeInteractiveLogonRight) against the servers in question, the
user is then allowed to logon locally. However, when the GP policy synchs
up, the user is no longer allowed to logon locally. What I've done
temporarly is set a scheduled .cmd file to use the ntrights program to set
the permissions every 10 min, but that is garbage and I'd really like to get
this fixed properly.

Has anybody seen anything like this, or have any insight as to what I can do
to fix this?

Thanks,
Eric

 

[msteben78]

Eric, try running the group policy results wizard under the GPMC. This
will reveal any overriding policies. Remember, the last written policy
wins!

Mike

 

[Guest]

Yeah, remember policies are applied in this order

Local, Site, Domain, OU

 

[Guest]

The problem was the GP policy. However, my OU is not applying in the order I
expect it to. I have

Domain
-Company OU (w/GP)
-Department OU (no GP)
-Department 2 OU (w/GP)

The Department 2 OU GP is not taking precedence over the Company OU GP.
This behavior is not what I expected. I cannot change the order either. It
only allows me to have Company OU GP over Department 2 OU GP. I must be
missing something in my understanding of the heirarchy of precedence.

-Eric