Local Policy Prevents Login Interactively

Michael Cooper

Upgraded a Windows NT 4.0 domain to Win2K03. Also had a
Citrix server that was Win2K. Had to promote Citrix
server to BDC so that Terminal Services Licensing would
work. All seems fine now with service but non-Admin users
get error message at login that "local policy prevents
them from logging in interactively". I get the same error
at either the console or through a Terminal Logon.

I have checked the following:

Local Security Policy has Authenticated Users in:
Security Settings..Local Policies..User Rights
Assignment.."Log On Locally"

Domain Controller Policy has Authenticated Users (and
Users) in:
Security Settings..Local Policies..User Rights
Assignment.."Log On Locally"


If I make a change to the Domain Controller Policy (it
seems any arbitrary change) and then use secedit to force
the update, the non-admin users can suddenly log in fine
with GPOs applied as they should be. If I give it time
(15-20 minutes) for Group Policy to update, I am back to
where I started.

HELP!

Michael Cooper
 
Steven L Umbach

By default, Domain Controllers Security Policy would be where to configure
the user rights for logon locally. The user right for logon through Terminal
Services can be configured in Local Security Policy. Keep in mind that any
deny user right will override the allow user right so check that there are
no conflicting settings. If you happen to have more than one GPO in the
domain controllers container, the GPO at the top of the list takes
precedence for defined settings and security policy is a subset of Group
Policy/computer configuration. If you still are having problems you may have
a misconfiguration and/or replication problem. The support tools gpotool,
netdiag, and dcdiag can be used to check for health/proper configuration of
domain controllers. Netdiag can be used on any computer also. Look in Event
Viewer on the domain controllers to see if any related problems are
reported. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag
and how to install support tools.
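
The check for conflicting allow and deny logon rights suggested in the reply above, as an added example that is not part of either post. It assumes the user rights were exported to an INF file with `secedit /export /cfg <file> /areas USER_RIGHTS`; the sample text and the function names are constructed for illustration.

```python
import re

# Allow right -> the deny right that overrides it (Windows privilege constants).
PAIRS = {
    "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight",
    "SeRemoteInteractiveLogonRight": "SeDenyRemoteInteractiveLogonRight",
}

# Constructed sample in the layout secedit writes; the SIDs are well-known ones
# (S-1-5-11 Authenticated Users, S-1-5-32-544 Administrators, S-1-5-32-546 Guests).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-11
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Drop the "*" SID marker and lowercase so names compare case-insensitively.
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def audit_logon_rights(rights):
    """List principals that are both allowed and denied, and undefined allow rights."""
    findings = []
    for allow, deny in PAIRS.items():
        if allow not in rights:
            findings.append((allow, "not-defined", []))
        both = sorted(rights.get(allow, set()) & rights.get(deny, set()))
        if both:
            findings.append((allow, "deny-overrides-allow", both))
    return findings

if __name__ == "__main__":
    for finding in audit_logon_rights(parse_privilege_rights(SAMPLE_INF)):
        print(finding)
```

The comparison is by exact principal only; a deny entry for a group also blocks that group's members, so every deny entry in the export is worth reviewing by hand.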
 
