logon problem

[Jeff]

I have set up a new user in active directory for a support
company who will be logging in remotely. I want them to
access one server and multiple domain controllers. There
is no problem logging on to the server with the user
name. The problem is when they try to log on to the
domain controllers.

"The local policy of this system does not allow you to log
on interactively."

Any ideas? Thanks.

 

[Steven L Umbach]

Regular users do not have "logon locally" user right for a domain controller. You
will have to add that user/group to the logon locally user right in Domain Controller
Security Policy if you want them to access the domain controllers. If they are
logging in across the internet, try having them vpn in first to get remote access
preferably using l2tp. --- Steve

 

[Diana Smith [MSFT]]

Hi Jeff,

This is by design, because we do not want regular users logging on locally
to Domain Controllers.

To resolve this issue, check the default domain policy to confirm that the
Log on Locally user right, is not defined or is defined to include everyone
who is able to log on to domain member computers. To check the default
domain policy, follow these steps:

1. Start the Active Directory Users and Computers snap-in.

2. Right-click the domain and click Properties.

3. Click Group Policy.

4. Double-click Default Domain Policy.

5. Click Computer Configuration, click Windows Settings, and then click
Security Settings.

6. Click Local Policies, click User Rights Assignments, and then click Log
on Locally. NOTE: Only the users that are in the list for this user right
should have the right to log on locally to domain member computers.

7. Add the user to the "log on locally" user right.

8. Run the secedit command to refresh the policy.

9. User will have to reboot his machine to get the new policy.

Thank You.

Diana.

This posting is provided "AS IS" with no warranties, and confers no rights.