Your interactive logon privilege has been disabled

Archived from groups: microsoft.public.windowsxp.work_remotely

We have XP workstations running on an NT domain. We have a PC set up
for users to use when they need to run a particular piece of software
that we only have one licence for; they have a shortcut to an .rdp
file on their desktops that connects them via remote desktop to the PC,
where they log on with their standard NT logon.
On our PCs the standard setup for Remote Desktop is to allow the
Domain Administrators group and a global group called Remote Desktop
to log on through a connection; all other groups are denied (not
specifically, but not allowing in this case denies).
On this particular PC the global group that uses the PC is added to
the allowed users. This has been working fine for a couple of months.
However, I now have one user that can't get logged on; she gets 'Your
interactive logon privilege has been disabled'. I have checked the
account and the PC; she is still in the group and the group still has
permissions.
Creating a copy of her account (within NT User Manager) for testing
revealed that this copy account also has the same problem. A fresh
account set up with the same global groups etc. does not suffer from
this problem. Also, a copy of another user's account within the same
department does not suffer.
I have also tried adding individual permission for the user to log
onto the PC and putting her in the global Remote Desktop group and
testing connecting to another PC, with no joy.

The problem looks to be with the user's account but is not in any of
the settings configurable from User Manager. Now I am a bit stumped. I
am loath to delete and recreate her account as it would be a lot of
work changing permissions on all her stuff to allow for the new SID,
plus she has a laptop with a local profile.
Does anyone have any ideas?

Tim
  1. This is a thought, but perhaps access to the terminal server is
    disabled in the domain user account. I know how and where to set this
    in a Win2K/Win2K3 environment, but not in an NT 4 domain. Try posting
    this to one of the Terminal Server newsgroups to see if any of them
    may remember where this setting was for NT 4.

    Jeffrey Randow (Windows Networking & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

  2. OK thanks, I have asked the question (
    http://makeashorterlink.com/?T2E325229 ) and will post the answer here
    if I find out.

    Tim

  3. Have discovered a solution. We use Hyena, which is designed for both NT
    and AD domains; within the user settings in Hyena there is an option
    to allow or disallow Terminal Services for the user. Changing this
    seems to have the effect you would expect, however I don't know how
    Microsoft expect you to access it without a third party tool!

    Tim

  4. One question that arises in my mind:

    You mentioned that a newly created profile didn't have the problem.

    I wonder what mechanism created the change in the setting which you were
    able to reverse using the Hyena-related management tool?

    Is it possible that, in fact, the Hyena tool is both cause and cure?

    There is, of course, an NT-based terminal server. I've never used it, and
    don't have any idea what management tools were available for it. I assume
    you don't have one of those beasts, either.

  5. The error that you are getting could either be from a user right that
    prevents interactive logon or a terminal server setting. User Rights
    are visible in User Manager or Hyena (look under User Rights under any
    domain). There is a specific right for interactive logon.

    Terminal server (TSE) settings are more complicated. Since NT was
    designed before Terminal Server, the settings can be in a state of
    'limbo' when creating new user accounts using User Manager. In Hyena,
    the Terminal tab on the user properties dialog will let you
    allow/disallow logon to terminal server sessions. Without checking in
    more detail, I think the default is to disallow logon in Hyena to TSE
    (since it can be a security concern), but there was a bug in some
    versions of Windows that caused this setting to be corrupted when
    changing other non-TSE values, since they are kept in the same binary
    field. Perhaps your user account simply lost this setting and needed
    to have it re-enabled to logon.

    If you need more information, open a support case with us by sending
    an email to support@systemtools.com.

    Kevin Stanush
    SystemTools Software Inc.
    Home of 'Hyena' for Windows Administration
    http://www.systemtools.com
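
The two causes this reply separates (a deny-logon user right versus the per-account Terminal Services logon setting) can be checked side by side; the PowerShell below is an added example, not part of the original thread and not SystemTools code. It assumes an elevated prompt on an administrative workstation where `secedit` and the ADSI Terminal Services user extension (the `AllowLogon` property) are available; the domain and account names are placeholders.

```powershell
# Added example. 'EXAMPLEDOM', 'affecteduser' and 'workinguser' are placeholders.

# Cause 1: a user right on the target PC that denies interactive logon.
# Exports the local user-rights assignments and returns only the deny-logon entries.
function Get-DenyLogonRight {
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        Get-Content $cfg | ForEach-Object {
            if ($_ -match '^(SeDeny(?:Remote)?InteractiveLogonRight)\s*=\s*(.*)$') {
                [pscustomobject]@{
                    Right   = $Matches[1]
                    Members = $Matches[2] -split ','   # names, or SIDs prefixed with '*'
                }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Cause 2: the per-account "allow logon to terminal server" setting.
# Reads AllowLogon through ADSI (1 = allowed, 0 = disallowed) for each account.
function Get-TsLogonSetting {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string[]]$UserName
    )
    foreach ($name in $UserName) {
        try {
            $entry = [ADSI]"WinNT://$Domain/$name,user"
            $allow = [int]$entry.psbase.InvokeGet('AllowLogon')
            $state = if ($allow -eq 1) { 'Allowed' } else { 'Disallowed' }
        } catch {
            # A blob that cannot be read is itself worth flagging for review.
            $state = "Unreadable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Account               = "$Domain\$name"
            TerminalServicesLogon = $state
        }
    }
}

# Compare the failing account with a known-good one from the same department.
Get-DenyLogonRight | Format-Table -AutoSize
Get-TsLogonSetting -Domain 'EXAMPLEDOM' -UserName 'affecteduser', 'workinguser' |
    Format-Table -AutoSize
```

An account that shows `Disallowed` or `Unreadable` while its group memberships and the deny-logon rights look correct points at the per-account setting rather than at the PC's configuration.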

  6. I have since discovered that the setting to allow/disallow terminal
    services IS present in the Windows 2000 version of User Manager, so if
    you check from a 2000 server you should have no problems, meaning that
    you don't need Hyena.
    How the setting got changed in the first place is another matter!

    Tim
