Local Policy doesn't allow logon interactively

Archived from groups: microsoft.public.win2000.group_policy (More info?)

We have a windows 2000 serve computer running Active Directory. The
workstations are Windows 2000 prof. Just recently we noticed we were unable
to log into any of the workstations locally as administrator. After
replacing the security file from the repair directory using recovery console
we were able to log in locally. As soon as we joined the domain we were no
longer able to log locally into the workstations. I checked locally policy
and domain policy on the server and for both the administrator was allowed
log on locally rights. The deny log on locally was not defined. I tried
creating a new group, assigning the administrator to that group, giving that
group the log on locally permission for the default domaig policy, creating a
new OU and assigning the default domain policy and still unable to log into
the workstations locally. I am certain it's a domain policy setting rather
than corrupt SID or registry hive on workstation because we only ever have
the issue after joining the domain. Any other suggestions?

Archived from groups: microsoft.public.win2000.group_policy (More info?)

That did the trick. Thank you for your help.

"lforbes" wrote:

> "rbaker" wrote:
> > We have a windows 2000 serve computer running Active
> > Directory. The
> > workstations are Windows 2000 prof. Just recently we noticed
> > we were unable
> > to log into any of the workstations locally as administrator.
> > After
> > replacing the security file from the repair directory using
> > recovery console
> > we were able to log in locally. As soon as we joined the
> > domain we were no
> > longer able to log locally into the workstations. I checked
> > locally policy
> > and domain policy on the server and for both the administrator
> > was allowed
> > log on locally rights. The deny log on locally was not
> > defined. I tried
> > creating a new group, assigning the administrator to that
> > group, giving that
> > group the log on locally permission for the default domaig
> > policy, creating a
> > new OU and assigning the default domain policy and still
> > unable to log into
> > the workstations locally. I am certain it's a domain policy
> > setting rather
> > than corrupt SID or registry hive on workstation because we
> > only ever have
> > the issue after joining the domain. Any other suggestions?
>
> Hi,
>
> In the Default Domain policy - Comp Config- Windows Settings -
> Security Settings - Local Policies - User Rights assignment the
> DEFAULT setting is "Not Defined". The ONLY Place that these User
> Rights Assignments are defined by default is with the Defaut Domain
> Controllers Group Policy.
>
> Therefore someone set the policies in the Default Domain. Change all
> to Not Defined and you should be fine.
>
> IF you need to set User Rights Assignments in the future make sure you
> create an OU for the computers and then create a new group policy and
> set them there.
>
> Cheers,
>
> Lara
>
> --
> http://www.WindowsForumz.com/ This article was posted by author's request
> Articles individually checked for conformance to usenet standards
> Topic URL: http://www.WindowsForumz.com/Group [...] 42365.html
> Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=740983
>