Local Policy Prevents Login Interactively

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Upgraded a Windows NT 4.o domain to Win2K03. Also had a
Citrix server that was Win2K. Had to promote Citrix
server to BDC so that Terminal Services Licensing would
work. All seems fine now with service but non Admin users
get error message at login that "local policy prevents
them from loggin in interactively". I get the same error
at either the console or through a Terminal Logon.

I have checked the following:

Local Security Policy has Authenticated Users in:
Security Settings..Local Policies..User Rights
Assignment.."Log On Locally"

Domain Controller Policy has Authenticated Users (and
Users) in:
Security Settings..Local Policies..User Rights
Assignment.."Log On Locally"


If I make a change to the Domain Controller Policy (it
seems any arbitrary change) and then use secedit to force
the update, the non-admin users can suddenly login fine
with GPO's applied as they should be. If I give it time
(15-20 minutes) for Group Policy to update, I am back to
where I started.

HELP!

Michael Cooper
1 answer Last reply
More about local policy prevents login interactively
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    By default, Domain Controllers Security Policy would be where to configure
    the user rights for logon locally. The user right for logon through Terminal
    Services can be configured in Local Security Policy. Keep in mind that any
    deny user right will override the allow user right so check that there are
    no conflicting settings. If you happen to have more than one GPO in the
    domain controllers container, the GPO at the top of the list takes
    precedence for defined settings and security policy is a subset of Group
    Policy/computer configuration. If you still are having problems you may have
    a misconfiguration and/or replication problem. The support tools gpotool,
    netdiag, and dcdiag can be used to check for health/proper configuration of
    domain controllers. Netdiag can be used on any computer also. Look in Event
    Viewer on the domain controllers to see if any related problems are
    reported. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag
    and how to install support tools.

    "Michael Cooper" <mcooper06@yahoo.com> wrote in message
    news:02eb01c4aa67$abb53730$a601280a@phx.gbl...
    >
    >
    > Upgraded a Windows NT 4.o domain to Win2K03. Also had a
    > Citrix server that was Win2K. Had to promote Citrix
    > server to BDC so that Terminal Services Licensing would
    > work. All seems fine now with service but non Admin users
    > get error message at login that "local policy prevents
    > them from loggin in interactively". I get the same error
    > at either the console or through a Terminal Logon.
    >
    > I have checked the following:
    >
    > Local Security Policy has Authenticated Users in:
    > Security Settings..Local Policies..User Rights
    > Assignment.."Log On Locally"
    >
    > Domain Controller Policy has Authenticated Users (and
    > Users) in:
    > Security Settings..Local Policies..User Rights
    > Assignment.."Log On Locally"
    >
    >
    > If I make a change to the Domain Controller Policy (it
    > seems any arbitrary change) and then use secedit to force
    > the update, the non-admin users can suddenly login fine
    > with GPO's applied as they should be. If I give it time
    > (15-20 minutes) for Group Policy to update, I am back to
    > where I started.
    >
    > HELP!
    >
    > Michael Cooper
    >
    >
    >
Ask a new question

Read More

Policy Login Windows