Does not permit login interactively

Ryan

Distinguished
Mar 31, 2004
551
0
18,980
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi everyone,

Quick question:
(1) May I know what could be the reason lead to prompting of "Local Policy
of this system does not permit you to login interactively" message.

(2) Based on what I did, is there anything I did that can cause the error:
I didn't do any changes on the GPO, actually I'm having problem
bringing up the GPO from the properties menu of "Active Directory Users and
Computers", (right-click domain, click properties). I was troubleshooting
the DNS and did some changes on DNS, I have "disabled" one of our 3 DC as
the GC (not on the server I'm working on, it's another DC in the same
domain); I also take off the preferred IP transport as preferred bridgehead
to the other 2 DC. After all these changes made, I reboot the server into
DS Recovery Mode (to restore the last best known good system state). We are
unable to log on to the local machine, we have no choice but to boot it back
to normal mode again, after that reboot, we no longer can logon to the
server.

Thank you so much. Your prompt replies are very much appreciated.

Ryan
 
Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I don't know exactly what happened but what you describe is due to either not having
the right to logon locally or being a member of a group listed in the deny logon
locally user right. I believe you are saying this is happening on a domain
controller. You want the Domain Controller Security Policy to have at least
administrators listed in the logon locally user right and have the deny logon locally
user right defined but not including any user/groups. If the users/authenticated
users group is included in deny logon locally, that will prevent administrators from
logging on locally.

If you can logon to a domain member computer as a domain administrator, install
adminpak on that computer from the install cdrom for Windows 2000 Server in the /I386
folder and use that Windows 2000 domain workstation to manage Domain Controller
Security Policy to configure logon locally user right to have the administrators
group and the deny logon locally user right to be defined but empty. Go to security
settings/local policies/user rights to find those user rights. Keep in mind that if
your domain is in native mode that users must have access to a catalog server to
logon to the domain though administrators, at least the built in domain administrator
account, should still be able to logon if one can not be contacted. --- Steve


"Ryan" <ryanrhyme@excite.com> wrote in message
news:edC4sIdeEHA.2848@TK2MSFTNGP10.phx.gbl...
> Hi everyone,
>
> Quick question:
> (1) May I know what could be the reason lead to prompting of "Local Policy
> of this system does not permit you to login interactively" message.
>
> (2) Based on what I did, is there anything I did that can cause the error:
> I didn't do any changes on the GPO, actually I'm having problem
> bringing up the GPO from the properties menu of "Active Directory Users and
> Computers", (right-click domain, click properties). I was troubleshooting
> the DNS and did some changes on DNS, I have "disabled" one of our 3 DC as
> the GC (not on the server I'm working on, it's another DC in the same
> domain); I also take off the preferred IP transport as preferred bridgehead
> to the other 2 DC. After all these changes made, I reboot the server into
> DS Recovery Mode (to restore the last best known good system state). We are
> unable to log on to the local machine, we have no choice but to boot it back
> to normal mode again, after that reboot, we no longer can logon to the
> server.
>
> Thank you so much. Your prompt replies are very much appreciated.
>
> Ryan
>
>
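
An added example, not part of any post in this thread: a check of the two user rights named in the reply above, run against the `[Privilege Rights]` section of a security template INF. It assumes principals are written in `*SID` form; the two sample templates are constructed, and the function names are this example's own.

```python
# Audit the two interactive-logon user rights in a security template INF.
# Assumption: principals are written as *SID; real exports are usually UTF-16.
ALLOW, DENY = "SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"
ADMINISTRATORS = "S-1-5-32-544"
# Well-known groups that every administrator account also belongs to.
BROAD_GROUPS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                "S-1-5-32-545": "Users"}
# Constructed sample templates, not taken from the thread.
LOCKED_OUT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
SeDenyInteractiveLogonRight = *S-1-5-11
"""
AS_ADVISED = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight =
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # "Right =" with nothing after it means defined but empty.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_interactive_logon(inf_text):
    """Return findings; an empty list means the template matches the advice."""
    rights, findings = parse_privilege_rights(inf_text), []
    allow, deny = rights.get(ALLOW), rights.get(DENY)
    if allow is None:
        findings.append(f"{ALLOW} is not defined in this template")
    elif ADMINISTRATORS not in allow:
        findings.append(f"{ALLOW} does not list Administrators")
    if deny is None:
        findings.append(f"{DENY} is not defined (advice: defined but empty)")
    else:
        # Any entry here overrides the allow right for its members.
        findings += [f"{DENY} lists {BROAD_GROUPS.get(s, s)}" for s in deny]
    return findings
```

`audit_interactive_logon(LOCKED_OUT)` reports the Authenticated Users entry in the deny right, and `audit_interactive_logon(AS_ADVISED)` returns an empty list.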
 

Ryan

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have actually solved the problem by resetting the machine password and do
a system state restore. Yes, I cannot logon to the DC with the Domain
Administrator password. I do not know how it happened, that's why I want to
find out the cause of the problem, the strange thing is that I didn't do
anything on GPO.

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:HvZPc.85680$eM2.74490@attbi_s51...
> I don't know exactly what happened but what you describe is due to either not having
> the right to logon locally or being a member of a group listed in the deny logon
> locally user right. I believe you are saying this is happening on a domain
> controller. You want the Domain Controller Security Policy to have at least
> administrators listed in the logon locally user right and have the deny logon locally
> user right defined but not including any user/groups. If the users/authenticated
> users group is included in deny logon locally, that will prevent administrators from
> logging on locally.
>
> If you can logon to a domain member computer as a domain administrator, install
> adminpak on that computer from the install cdrom for Windows 2000 Server in the /I386
> folder and use that Windows 2000 domain workstation to manage Domain Controller
> Security Policy to configure logon locally user right to have the administrators
> group and the deny logon locally user right to be defined but empty. Go to security
> settings/local policies/user rights to find those user rights. Keep in mind that if
> your domain is in native mode that users must have access to a catalog server to
> logon to the domain though administrators, at least the built in domain administrator
> account, should still be able to logon if one can not be contacted. --- Steve
>
>
> "Ryan" <ryanrhyme@excite.com> wrote in message
> news:edC4sIdeEHA.2848@TK2MSFTNGP10.phx.gbl...
> > Hi everyone,
> >
> > Quick question:
> > (1) May I know what could be the reason lead to prompting of "Local Policy
> > of this system does not permit you to login interactively" message.
> >
> > (2) Based on what I did, is there anything I did that can cause the error:
> > I didn't do any changes on the GPO, actually I'm having problem
> > bringing up the GPO from the properties menu of "Active Directory Users and
> > Computers", (right-click domain, click properties). I was troubleshooting
> > the DNS and did some changes on DNS, I have "disabled" one of our 3 DC as
> > the GC (not on the server I'm working on, it's another DC in the same
> > domain); I also take off the preferred IP transport as preferred bridgehead
> > to the other 2 DC. After all these changes made, I reboot the server into
> > DS Recovery Mode (to restore the last best known good system state). We are
> > unable to log on to the local machine, we have no choice but to boot it back
> > to normal mode again, after that reboot, we no longer can logon to the
> > server.
> >
> > Thank you so much. Your prompt replies are very much appreciated.
> >
> > Ryan
> >
> >
>
>