Server 2008 R2 Login Problem "The local policy of this system does not permit you to logon interactively"
Hello all. I have a small business consisting of 1 machine running Windows Server 2008 R2, and 5 client machines all running either Windows 7 Professional or Windows XP Professional. I have added the role of Active Directory Domain Services to the Domain Controller, and have successfully joined a single XP and Windows 7 machine to the domain. I have not changed ANY other settings, except those below.

Following basic instructions in the Enterprise Desktop Support Technician self-paced training kit, I have added a single user called "roaminguser" (where I have assigned a shared folder on the server for his profile path) and joined him to the group "server operators", but every time I try to log in, after the password change GUI, I get the message "The local policy of this system does not permit you to logon interactively".

I have searched far and wide, and one solution seems to be to create a group policy that includes Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on locally, which I have created and linked to my domain. I am however still getting the same message on both machines. I have tried linking that GPO to the Domain Controllers OU, which did not help; I also made a new OU, moved the domain controller into that and assigned the GPO to it instead, which also did not help. I finally read that I could try adding the roaminguser to the administrators group, which I also tried, and I am still getting this same error message.

Can anyone please help me? I am at a loss, and really want to get this up and running as soon as possible! After I have this working, there are just a few restrictions I want to implement which I already know how to do; it is just this holding me back. Thanks in advance!

Edited to add: I can log in successfully from the client machines using the Administrator account that was created when I installed Server 2008 R2.
If I add the user to the Domain Admins group, he can log in, but he still cannot log in when joined to just the Administrators group. (I'd rather not have them all as domain admins!)
September 4th, 2010 12:12am
I would suggest checking the system properties (right-click My Computer) and clicking on the Remote tab. Be sure "Enable Remote Desktop on this computer" is checked. Then, check local policy (unless it's a DC, then Default Domain Controller Policy): Allow log on locally. Otherwise, add the specific user to the RDP configuration under properties of Terminal Server Configuration. Also check http://support.microsoft.com/kb/289289 and http://support.microsoft.com/default.aspx?scid=kb;en-us;285793&Product=win2000
September 4th, 2010 12:15pm
Hi,

According to your description, I realize that you have moved the Domain Controller object to a newly created OU. I highly recommend you move it back to the default Domain Controllers OU to avoid any unexpected issues. I would like to confirm whether the issue occurs when trying to log on to the Domain Controller or to the Domain Members. I also would like to explain that only Account Operators, Administrators, Backup Operators, Print Operators and Server Operators have the "Allow log on locally" right to log on to the Domain Controllers by default.

This issue can be caused by incorrect group policy settings. Would you please send me more information for our further research? For your convenience, I have created a workspace for you. You can upload the information files to the following link. (Please choose "Send Files to Microsoft")

Workspace URL: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=9ea07630-b929-43f7-9e0a-c99908af93ca
Password: uZlg]pOx0qMWVR

Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please make sure to notify me promptly after you have uploaded the files. Thank you for your understanding.

Collect GPMC log
============
a. On the domain controller, click Start -> Run, type GPMC.MSC, and it will load the GPMC console. If the GPMC snap-in is not installed,
b. Right-click on "Group Policy Results" and choose the wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose the computer and select the proper user in the wizard)
c. Right-click the resulting group policy result and click "Save Report…", save the report and upload it to the link I provided.

Regards,
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 6th, 2010 10:24am
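The thread's diagnosis comes down to one question: which SIDs actually hold the "Allow log on locally" user right on the machine that refuses the logon, and does the failing account carry one of those SIDs in its token (either directly or through group membership, including nested groups)? The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It exports the effective local security policy with `secedit.exe /export`, reads `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight` from the resulting INF, then pulls the account's SID and its `tokenGroups` from Active Directory and reports whether an allow or deny entry applies. `DOMAIN\roaminguser` is a placeholder to replace with the real account; the script assumes an elevated PowerShell 2.0 or later session on a domain-joined Windows 7 or Server 2008 R2 machine.

```powershell
# Added example (not from the thread): show who effectively holds
# "Allow log on locally" (SeInteractiveLogonRight) and "Deny log on locally"
# (SeDenyInteractiveLogonRight) on this computer, and whether a given domain
# account is covered by either through its own SID or its group SIDs.
# Run in an elevated PowerShell on the computer that refuses the logon.
param(
    [string]$Account = 'DOMAIN\roaminguser'   # placeholder account name; replace it
)

# Resolve one token from the secedit export ("*S-1-5-32-544" or a plain name) to a SID string
function ConvertTo-SidString([string]$token) {
    $token = $token.Trim()
    if ($token.StartsWith('*')) { return $token.TrimStart('*') }
    try { return (New-Object System.Security.Principal.NTAccount($token)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $token }   # leave unresolvable names as they are
}

# Read one privilege line from the exported policy and return the SIDs it lists
function Get-RightSids([string[]]$infLines, [string]$right) {
    $line = $infLines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1]
    return @($value -split ',' | Where-Object { $_.Trim() } | ForEach-Object { ConvertTo-SidString $_ })
}

# SID string -> friendly name where the SID can be translated
function ConvertTo-Name([string]$sid) {
    try { return (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $sid }
}

# 1. Export the effective local security policy (this includes rights applied by GPO)
$inf = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) { Write-Warning 'secedit export failed; run this from an elevated prompt'; return }
$lines = Get-Content $inf

$allowSids = Get-RightSids $lines 'SeInteractiveLogonRight'
$denySids  = Get-RightSids $lines 'SeDenyInteractiveLogonRight'

Write-Host "Allow log on locally on $($env:COMPUTERNAME):"
$allowSids | ForEach-Object { Write-Host "  $(ConvertTo-Name $_)" }
Write-Host "Deny log on locally on $($env:COMPUTERNAME):"
$denySids  | ForEach-Object { Write-Host "  $(ConvertTo-Name $_)" }

# 2. Collect the account's own SID plus every group SID (nested groups included)
#    from the tokenGroups attribute in Active Directory
$sam = $Account -replace '^.*\\', ''
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(&(objectClass=user)(sAMAccountName=$sam))")
$found = $searcher.FindOne()
if (-not $found) { Write-Warning "Account $Account not found in the domain"; return }

$entry = $found.GetDirectoryEntry()
$entry.RefreshCache([string[]]@('tokenGroups'))
$userSids = @((New-Object System.Security.Principal.SecurityIdentifier([byte[]]$entry.Properties['objectSid'][0], 0)).Value)
foreach ($bytes in $entry.Properties['tokenGroups']) {
    $userSids += (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytes, 0)).Value
}
# Well-known SIDs present in every interactive domain logon token but absent from tokenGroups
$userSids += 'S-1-1-0', 'S-1-5-11'   # Everyone, Authenticated Users

# 3. Verdict: a deny entry always wins over an allow entry
$allowHit = @($allowSids | Where-Object { $userSids -contains $_ })
$denyHit  = @($denySids  | Where-Object { $userSids -contains $_ })
if ($denyHit.Count -gt 0) {
    Write-Host "$Account is DENIED interactive logon via: $(($denyHit | ForEach-Object { ConvertTo-Name $_ }) -join ', ')"
} elseif ($allowHit.Count -gt 0) {
    Write-Host "$Account is allowed interactive logon via: $(($allowHit | ForEach-Object { ConvertTo-Name $_ }) -join ', ')"
} else {
    Write-Host "$Account holds no 'Allow log on locally' entry on this computer"
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it on the client that shows the error, not only on the domain controller: the right is evaluated by the computer being logged on to, so a GPO linked at the domain level has to reach the client's own OU, and a "Deny log on locally" entry anywhere in the chain takes precedence over Server Operators, Administrators or any other allow entry. The "no entry" outcome points at policy scope (the GPO not applying to that computer, or a local policy overriding it); the Group Policy Results report the second answer asks for is the complementary view of which GPOs were applied and in what order.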