Need to reboot Win2K to logon locally?

Pat Coghlan

I want domain users to be able to logon at the server in the machine
room, so I changed the default GP for the domain to enable local logons.
After making this change and logging out, domain user accounts are
still unable to logon (they receive the "group policy does not allow..."
message).

Shouldn't this take effect right away?

I had to do something silly like give individual users membership in the
print operators security group so they could logon at the server.
 
Herb Martin

Pat Coghlan said:
I want domain users to be able to logon at the server in the machine
room, so I changed the default GP for the domain to enable local logons.

First let me say: Ugh!

Then to your issue

Is this a "server" or more specifically a DC?

Doesn't the Default (or other) Domain Controller policy
override that setting?

After making this change and logging out, domain user accounts are
still unable to logon (they receive the "group policy does not allow..."
message).

Is there one DC or did you make sure this replicated
to every other DC of the domain (which might be
authenticating the computer and providing the GPO)?

Did you EITHER reboot, wait for automatic policy
update (periodically), or refresh the policy manually
with something like SecEdit or GPUpdate (in XP-Win2003)?

Shouldn't this take effect right away?

After replication AND (update OR reboot.)

Unless overridden by a later (more specific) policy.
 
Hank Arnold

First of all..... WHY???? You are disabling the primary security protection
for the server. I've never heard of *ANYONE* allowing domain users to log on
locally to a server..... Period!!! VERY BAD IDEA!!! Why can't they do a
remote login (still a bad idea...)?

Now that I have that off my chest, is the server in question a Domain
Controller? If so, IIRC, there is no ability to log onto a DC locally. It's
disabled..... You can only do a domain logon....
 
Pat Coghlan

Hmmm, maybe we're onto something here.

We have two DCs in our machine room, and we want our techs to be able to
logon to the domain there so they can troubleshoot telecomm-related
problems on some gear that is in the adjoining rack. They only need to
run our application to be able to do this.

Is it possible that the domain logon is handled by the other DC before
the security objects have been replicated over?

Thinking more about this, is Logon Locally even the right parameter to
be changing to allow domain users to logon at the DC???
 
Pat Coghlan

As stated in my other post, I wonder if this is the right policy to be
changing to allow domain logons at the DC (vs local logons).
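
Added example, not part of the thread: after a policy refresh, the rights that actually took effect on the DC can be exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and this Python sketch parses that export and reports broad groups holding SeInteractiveLogonRight ("Log on locally"). The sample export and its domain SID are constructed, and the real file is typically UTF-16, so decode it before passing the text in.

```python
import re

# Well-known SIDs that are too broad to hold console logon on a DC.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users"}
BROAD_DOMAIN_RIDS = {"513": "Domain Users"}   # RID at the end of a domain SID
BROAD_NAMES = {"everyone", "users", "authenticated users", "domain users"}

# Constructed sample of a secedit USER_RIGHTS export (domain SID is made up).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-550,*S-1-5-21-1111111111-2222222222-3333333333-513
"""

def parse_user_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved accounts appear as names.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def broad_logon_holders(inf_text, right="SeInteractiveLogonRight"):
    """List (principal, label) pairs for broad groups that hold the given right."""
    hits = []
    for p in parse_user_rights(inf_text).get(right, []):
        m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", p)
        if p in BROAD_SIDS:
            hits.append((p, BROAD_SIDS[p]))
        elif m and m.group(1) in BROAD_DOMAIN_RIDS:
            hits.append((p, BROAD_DOMAIN_RIDS[m.group(1)]))
        elif p.split("\\")[-1].lower() in BROAD_NAMES:
            hits.append((p, "listed by name"))
    return hits

if __name__ == "__main__":
    for principal, label in broad_logon_holders(SAMPLE_EXPORT):
        print(f"Log on locally granted to {label}: {principal}")
```

An empty result on the DC after the domain-level change means another policy supplied the effective list of accounts for this right.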
 