Local Policy Prevents Login Interactively

Archived from groups: microsoft.public.win2000.group_policy

Upgraded a Windows NT 4.0 domain to Win2K03. Also had a
Citrix server that was Win2K. Had to promote Citrix
server to BDC so that Terminal Services Licensing would
work. All seems fine now with service but non-Admin users
get error message at login that "local policy prevents
them from logging in interactively". I get the same error
at either the console or through a Terminal Logon.

I have checked the following:

Local Security Policy has Authenticated Users in:
Security Settings..Local Policies..User Rights
Assignment.."Log On Locally"

Domain Controller Policy has Authenticated Users (and
Users) in:
Security Settings..Local Policies..User Rights
Assignment.."Log On Locally"


If I make a change to the Domain Controller Policy (it
seems any arbitrary change) and then use secedit to force
the update, the non-admin users can suddenly log in fine
with GPOs applied as they should be. If I give it time
(15-20 minutes) for Group Policy to update, I am back to
where I started.

HELP!

Michael Cooper
 

By default, Domain Controllers Security Policy would be where to configure
the user rights for logon locally. The user right for logon through Terminal
Services can be configured in Local Security Policy. Keep in mind that any
deny user right will override the allow user right so check that there are
no conflicting settings. If you happen to have more than one GPO in the
domain controllers container, the GPO at the top of the list takes
precedence for defined settings and security policy is a subset of Group
Policy/computer configuration. If you still are having problems you may have
a misconfiguration and/or replication problem. The support tools gpotool,
netdiag, and dcdiag can be used to check for health/proper configuration of
domain controllers. Netdiag can be used on any computer also. Look in Event
Viewer on the domain controllers to see if any related problems are
reported.

--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 -- netdiag
and how to install support tools.
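
The two rules in the reply above (a defined setting in the winning GPO replaces the lower-precedence value, and a deny right overrides an allow right) can be checked against `secedit /export` output. This is an added example, not code from the thread; the function names are hypothetical, the templates and SIDs are constructed, and it assumes every principal in the export is written as a SID.

```python
# Added example; all templates and SIDs below are constructed sample data.
ALLOW, DENY = "SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"

LOCAL = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-11,*S-1-5-32-544
"""
# GPO that defines the right without Authenticated Users (S-1-5-11).
DC_GPO = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
"""
# GPO that allows Authenticated Users but denies BUILTIN\Users (S-1-5-32-545).
DENY_GPO = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-11
SeDenyInteractiveLogonRight = *S-1-5-32-545
"""
USER = {"S-1-5-21-1111-2222-3333-1105", "S-1-5-11", "S-1-5-32-545"}
ADMIN = {"S-1-5-21-1111-2222-3333-500", "S-1-5-11", "S-1-5-32-544"}

def privilege_rights(inf_text):
    """Return {right: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            sids = {p.strip().lstrip("*") for p in value.split(",")}
            rights[name.strip()] = sids - {""}  # "Right =" is defined but empty
    return rights

def effective(templates):
    """Templates ordered lowest precedence first (local policy, then GPOs).
    A right defined in a later template replaces the earlier list; lists
    are not merged."""
    merged = {}
    for template in templates:
        merged.update(privilege_rights(template))
    return merged

def can_log_on_locally(token_sids, rights):
    """token_sids: the user's SID plus group SIDs. Deny wins over allow."""
    sids = set(token_sids)
    if sids & rights.get(DENY, set()):
        return False
    return bool(sids & rights.get(ALLOW, set()))
```

With `LOCAL` alone the sample user may log on; layering `DC_GPO` on top removes Authenticated Users from the effective list even though the local policy still shows it.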
