Local policy does not allow interactive login

Dave
Jun 25, 2003
Archived from groups: microsoft.public.win2000.group_policy

Recently, various users on my network have been receiving the following
error message when attempting to login: "The local policy of this system
does not permit you to logon interactively". It will then not allow a login
to the machine under any user ID, even when trying to log in as
Administrator to the local computer domain. The only solution thus far is
to restart and try again, sometimes up to 10 times or more. Ultimately,
after restarting multiple times, it will allow the user to log in. This is
only happening on Windows 2000 workstations and Win2K servers that are not
PDCs or BDCs. It does not have any effect on my NT 4.0 Terminal Server,
Windows 98, or Windows XP Professional.

I have checked all security policies that I can find and there are no users
or groups defined in the "Deny logon locally" security policy in any of them
(Domain Security Policy, Domain Controller Security Policy, Local Security
Policy, etc.). I have tried putting the users and/or groups into the "Log
on locally" security policy to no avail. I have also tried creating another
Organizational Unit in Active Directory to put these machines in and then
created a new group policy for it to allow "Log on locally". That doesn't
work, either.

The only things different on the network that I am aware of are that I
installed a new firewall device a few weeks ago and I've taken our old
antivirus server offline and installed a new one. I don't think I've
installed any new Windows updates on the servers since this problem started
happening about 2 weeks ago (the antivirus software was moved to the new
server about 4 weeks ago and the firewall has been up and running for about
2 months now).

Any help would be greatly appreciated.
 
Guest

There have been various worms that use secedit to reset the user rights on a computer,
so you may want to make sure the computers are clean and use Autoruns from
SysInternals to see if there are any strange startup entries for these computers.

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

The other thing to try is to define the deny logon locally user right. You can define
it and leave no entries, or I usually add the guest account to the list. In addition,
enable auditing of policy change on those computers and then check the security log
in Event Viewer for "policy change" events under category such as Event ID 622 that
may help you track down what is going on. It is curious that it is not affecting the
Windows XP computers. --- Steve

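One way to verify the user-rights state Steve is describing above (the deny logon locally right holding nothing but Guests, and log on locally still holding the expected groups), as an added Python example that is not part of the thread: it parses the [Privilege Rights] section of a secedit export and compares the two interactive-logon rights with an assumed baseline. The secedit export command, right names and well-known SIDs are standard; the baseline and the sample export are constructed assumptions.

```python
# Added example: parse a secedit export ("secedit /export /cfg policy.inf",
# UTF-16 on disk, decoded to text here) and check the two interactive-logon
# user rights against an assumed baseline: Deny holds only Guests, Allow
# holds at least Administrators and Users.
ADMINISTRATORS = "S-1-5-32-544"  # well-known local group SIDs
USERS = "S-1-5-32-545"
GUESTS = "S-1-5-32-546"
DENY_RIGHT = "SeDenyInteractiveLogonRight"  # "Deny logon locally"
ALLOW_RIGHT = "SeInteractiveLogonRight"     # "Log on locally"

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes SIDs with '*'; plain account names carry no prefix.
        rights[name.strip()] = [e.strip().lstrip("*") for e in value.split(",") if e.strip()]
    return rights

def check_logon_rights(rights):
    """Return findings as strings; an empty list means the baseline holds."""
    findings = []
    deny = set(rights.get(DENY_RIGHT, []))
    allow = set(rights.get(ALLOW_RIGHT, []))
    for extra in sorted(deny - {GUESTS}):  # extra deny entries lock users out at the console
        findings.append(f"{DENY_RIGHT} contains unexpected entry {extra}")
    for needed in (ADMINISTRATORS, USERS):
        if needed not in allow:
            findings.append(f"{ALLOW_RIGHT} is missing {needed}")
    return findings

# Constructed sample: Users dropped from "Log on locally" and Administrators
# added to "Deny logon locally", the kind of state a rights reset leaves behind.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-551,*S-1-5-32-546
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
"""
```

Running `check_logon_rights(parse_privilege_rights(SAMPLE_INF))` on a clean export returns an empty list; on the sample it reports the unexpected deny entry and the two missing allow entries.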
 

Dave

> There have been various worms that use secedit to reset the user rights on
> a computer, so you may want to make sure the computers are clean and use
> Autoruns from SysInternals to see if there are any strange startup entries for
> these computers.
>
> http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

There doesn't appear to be anything out of the ordinary running on startup.
I've also performed a virus sweep on the network and that came up with
nothing also.

> The other thing to try is to define the deny logon locally user right.
> You can define
> it and leave no entries, or I usually add the guest account to the list. In
> addition, enable auditing of policy change on those computers and then
> check the security log in Event Viewer for "policy change" events under
> category such as Event ID 622 that may help you track down what is going
> on. It is curious that it is not affecting the Windows XP computers. ---
> Steve

I've defined the Deny Logon Locally policy on both the Domain Security
Policy and the Domain Controller Security Policy and put only Guests in the
list. I don't see anything out of the ordinary in the Event Viewer.

Here's one other curious piece to the puzzle... The old antivirus server is
listed as a Domain Controller when I look in Active Directory. I don't
think it was a DC before and I'm sure that I've never promoted it. I've not
been doing this job for very long, so it's possible that it may have been
there before, but I wouldn't think you would want an antivirus server as a
DC. Anyway, when I try to go into either Domain Security Policy or Domain
Controller Security Policy, I get an error saying "Failed to open the Group
Policy Object. You may not have appropriate rights. Logon failure: the
target account name is incorrect". Now when I take this machine offline, my
users still get the "interactive logon" error message. So it doesn't matter
if that server is up and running or not. However, when it is up and
running, they are also not able to connect to the PDC, though they can
eventually get logged into the domain. Could it be that the other machines
are trying to pull down the security policy from this server and are unable
to, thus causing the "interactive logon" error?
 
Guest

Hmm. I am not sure what the exact problem is, but if the server you took offline was a
domain controller, that certainly can cause problems with domain policy replicating
and being applied properly.

If this is a native mode domain, the users will need to be able to access a global
catalog server in order to log on, so you may want to verify that one is available if
you are in native mode, as shown in Active Directory Users and Computers. Right-click
the domain and look in Properties to see what mode it is in.

http://support.microsoft.com/default.aspx?scid=kb;en-us;816105 -- same for W2K

DNS configuration is critical in an Active Directory domain. Shutting down the old DC
could have upset this. In short, domain controllers must point to themselves or to the PDC
FSMO domain controller as their preferred DNS server in TCP/IP properties, as shown by
ipconfig /all. Domain members must point only to domain controllers running DNS with
the AD domain zone, which all do in W2K by default. Possibly they were pointing to the
old DC? Use ipconfig /all to find out, and you may need to adjust the DHCP scope to
reflect any changes. See the link below on the FAQ for AD DNS.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294328 -- may be of help.

The fact that you cannot access Domain Security Policy may be due to the fact that
the PDC FSMO cannot be reached and may have been your old DC? See the link below for
more info on that error.

http://support.microsoft.com/?id=294257
http://support.microsoft.com/default.aspx?scid=kb;en-us;197132 -- explanation of the
five FSMO role holders.

I would use the support tools netdiag and dcdiag to check the general health of your
domain configuration. First run netdiag and then dcdiag on a domain controller
looking for any pertinent errors. Also look in the Event Viewer of your domain
controllers for any errors that may indicate a problem with replication, etc. Use
netdiag on a domain member computer looking for any errors that may indicate a
problem particularly for dns, dclist, kerberos, and secure channel. Hopefully some of
this will provide a clue for you. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag and how to
install support tools.

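The DNS client rule in the reply above (domain members must point only at domain controllers running the AD zone), applied to the text of ipconfig /all, as an added Python example that is not from the thread. The DC address list, the stale address standing in for the old DC, and the sample ipconfig output are constructed assumptions.

```python
# Added example: check the DNS client rule from the reply above against the
# text of "ipconfig /all". The DC address set and the sample output are
# constructed; the rule is the thread's: members use only DC DNS servers.
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_dns_servers(ipconfig_text):
    """Return {adapter: [dns_server, ...]} from ipconfig /all output."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip().rstrip(":")  # adapter heading line
            adapters[current], in_dns = [], False
            continue
        if current is None:  # host-level lines before the first adapter
            continue
        label, sep, value = line.partition(":")
        key = label.replace(".", "").strip().lower()
        m = IP_RE.search(value if sep else line)
        if key == "dns servers" and m:
            adapters[current].append(m.group(1))
            in_dns = True
        elif in_dns and not sep and m:  # extra server on a continuation line
            adapters[current].append(m.group(1))
        else:
            in_dns = False
    return adapters

def check_dns_clients(adapters, dc_dns_servers):
    """Return findings; an empty list means every adapter uses only DC DNS servers."""
    findings = []
    for name, servers in adapters.items():
        if not servers:
            findings.append(f"{name}: no DNS servers configured")
        for srv in servers:
            if srv not in dc_dns_servers:
                findings.append(f"{name}: DNS server {srv} is not a domain controller")
    return findings

DC_DNS_SERVERS = {"192.168.1.10", "192.168.1.11"}  # constructed: the surviving DCs
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration
        Host Name . . . . . . . . . . . . : ws01

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.50
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            192.168.1.99
"""
```

On the sample, `check_dns_clients(parse_dns_servers(SAMPLE_IPCONFIG), DC_DNS_SERVERS)` flags the second DNS server, 192.168.1.99, which is exactly the stale entry a decommissioned DC would leave in a DHCP scope.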