Logging in interactively

[Guest]

I just setup a windows 2000 server network. After installing AD, I created
the necessary accounts. These accounts only belong to the 'Domain Users'
group. When I test these accounts and the scripts on different PC's (Which
have been added to the domain), I receive the message "The local policy
prevents this account from logging in interactively). I checked the local
policy settings as well as the domain policy settings and everything seems
fine. And I missing something? Please help!

Mark

 

[Steven L Umbach]

By default users can logon to all domain computers except domain
controllers. When you check the Local Security Policy be sure to look at the
effective setting for a user right. The deny logon locally user right will
override the allow logon locally user right so be sure to check that which
by default does not have any entries. For domain controllers, the Domain
Controller Security Policy would have to be modified as those user rights
are defined there and will override Local Security Policy for domain
controllers. If you want to allow logon access to one domain controller, it
would have to be moved to an OU within the domain controller container and a
GPO configured for that OU to have logon locally configured to your needs.
All other Domain Controller Security Policy would still apply to the OU in
the domain controller container. --- Steve

 

[Guest]

This is happening on windows 2000 workstation clients machines....i did check
the local security policy on each client workstation and the 'users' group
(of which domain users are of a part of) are one of several groups allowed to
log in locally. Is there another policy i'm overlooking?

 

[Steven L Umbach]

Are those the local or effective settings?? They need to show as the
effective settings. Also make sure that there are no entries in effective
settings for deny logon locally. If it still does not work, try adding
everyone to the logon locally user right. If the computers are in the
default domain container, modify the Domain Security Policy so that
users/administrators/everyone are in the logon locally user right and add
just the guest account to deny logon locally. Then run " secedit
/refreshpolicy machine_policy enforce " on the domain controller and reboot
a domain workstation to see if that helps. In Active Directory Users and
Computers, look in the domain container by right clicking the domain name
and select Group Policy. If there is more than one GPO present, the one at
the top of the list takes precedence and you should check all of them to see
if they are configured to restrict user rights. In a default installation
only the default domain policy is present. If the computers are not in the
default container you will also need to check any Group Policy Objects in
the Organizational Unit they are in. Since apparently you can logon , you
can use the gpresult support tool to see what computer policies are applied
to the computer and the last time the policy was applied. The support tools
are on the install cd in the support/tools folder where you need to run the
setup program there to install the set of support tools. I would also run
netdiag on one of your domain computers to see if any problems are reported
such as dc discovery, dns, kerberos, trust/secure channel. Review the link
below on Active Directory DNS to make sure your dns is set up correctly for
the domain. If it is not, problems can ensue such as changes to domain Group
Policy not propagating properly to domain computers and user.--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382