Local policy does not allow you to logon interactively

J

jslorenz

I am setting up a w2k server that is a domain controller and a term
server. I am getting an error at logon that says that the local policy
does not allow you to logon interactively. I know that the local
policy has to be set to allow local logon for a group that the account
is a member of and that has been done. I have other servers that are
set up the same way and they work. I have a group called terminal
users and grant the right to logon locally to that group. I am using a
few test accounts and they can logon to all of the existing servers,
but not the new one. I have a second server that I am setting up and I
installed TS before running dcpromo. The test accounts have no
problems logging on to the new server that is not a dc. I think it has
something to do with group policy or local policy or even domain
controller policy, but I cannot find the issue. Has anyone seen this
before? Any solutions?
 
V

Vera Noest [MVP]

I assume that you know that running Terminal Services in
Application Server mode is *not* recommended on a Domain
Controller, for both performance and security reasons?

You will have to modify the Default Domain Controller Security
Policy to allow your users the "Log on Locally" right to your
domain controllers.

246109 - Error Messages Generated When Logging on with Terminal
Services Client
http://support.microsoft.com/?kbid=246109
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

(e-mail address removed) wrote on 22 nov 2005 in
microsoft.public.win2000.termserv.clients:
 
J

jslorenz

Thanks Vera. I do know that this is not a recommended practice, but I
can not justify 2 boxes to support a handful of users.

I ended up demoting it, pulling it out of the domain, adding it back to
the domain, and promoting it. It works like a champ now. It must have
had some issues with the domain policy. I used secedit to refresh the
policy, but that didn't do anything for me. Isn't there some tool that
will allow you to dump all of the policies on a machine and reapply
them rather than just refreshing them? I feel like I took the long way
around the barn...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

interactive logon error 1
The local policy of this system does not permit you to logon interactively 17
Windows 2003 Remote Desktop Issue. 5
the local policy of this system does not permit you to logon inter 1
User "Cannot logon interactively"; copy of same account can logon just fine 2
Not allowed to logon interactively 3
Local System Policy not Applied to AD Account 1
New Server2003 setup with Term Serv. 4

Top