Domain Controller GPO

Archived from groups: microsoft.public.win2000.group_policy

We had a domain controller fail the other day, which caused us to shift some
server roles around. One of the changes we made was to turn our Terminal
server into a domain controller until we buy some new equipment.

Since DCs don't allow normal users to sign on locally, users couldn't
terminal in anymore. I opened the Domain Controllers GPO, and added user
accounts to logon locally policy. Then I ran SECEDIT /refreshpolicy
machine_policy. However, unless I add the user to the Admin group, or
Backup Operators, etc. in AD, they are unable to log on to the terminal
server, and get that "The local policy of this system does not permit you to
logon interactively" message.

Any ideas?

Thanks in advance.
 

If it is a 2003 DC, there is now an "Allow Logon through Terminal Services"
user right. Give that one a try.

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Rusty" <Rusty@discussions.microsoft.com> wrote in message
news:E8713240-BE18-48CA-9AF7-7FD65A2F2818@microsoft.com...
> We had a domain controller fail the other day, which caused us to shift some
> server roles around. One of the changes we made was to turn our Terminal
> server into a domain controller until we buy some new equipment.
>
> Since DCs don't allow normal users to sign on locally, users couldn't
> terminal in anymore. I opened the Domain Controllers GPO, and added user
> accounts to logon locally policy. Then I ran SECEDIT /refreshpolicy
> machine_policy. However, unless I add the user to the Admin group, or
> Backup Operators, etc. in AD, they are unable to log on to the terminal
> server, and get that "The local policy of this system does not permit you to
> logon interactively" message.
>
> Any ideas?
>
> Thanks in advance.
 


Unfortunately it's a 2000 DC.

"Derek Melber [MVP]" wrote:

> If it is a 2003 DC, there is now an "Allow Logon through Terminal Services"
> user right. Give that one a try.
>
> --
> Derek Melber
> BrainCore.Net
> derekm@braincore.net
> "Rusty" <Rusty@discussions.microsoft.com> wrote in message
> news:E8713240-BE18-48CA-9AF7-7FD65A2F2818@microsoft.com...
> > We had a domain controller fail the other day, which caused us to shift some
> > server roles around. One of the changes we made was to turn our Terminal
> > server into a domain controller until we buy some new equipment.
> >
> > Since DCs don't allow normal users to sign on locally, users couldn't
> > terminal in anymore. I opened the Domain Controllers GPO, and added user
> > accounts to logon locally policy. Then I ran SECEDIT /refreshpolicy
> > machine_policy. However, unless I add the user to the Admin group, or
> > Backup Operators, etc. in AD, they are unable to log on to the terminal
> > server, and get that "The local policy of this system does not permit you to
> > logon interactively" message.
> >
> > Any ideas?
> >
> > Thanks in advance.
>
>
>
 

Rusty wrote:
> Unfortunately it's a 2000 DC.

If the "logon locally right" is not the problem, check the security
settings of the RDP protocol in TS management.

HTH
Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: FirstName@Homepage, the sending address is not checked.
 


That was actually the first place I checked, all users who log on to TS have
the appropriate permissions. Thanks for your help though.

rusty.

"Mark Heitbrink [MVP]" wrote:

> Rusty wrote:
> > Unfortunately it's a 2000 DC.
>
> If the "logon locally right" is not the problem, check the security
> settings of the RDP protocol in TS management.
>
> HTH
> Mark
> --
> Mark Heitbrink - MVP Windows Server
> Homepage: www.gruppenrichtlinien.de
> W2K FAQ : http://w2k-faq.ebend.de
> PM: FirstName@Homepage, the sending address is not checked.
>
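
Added example, not part of any post in this thread: the thread turns on whether the "log on locally" entry added in the Domain Controllers GPO actually reached the machine. This Python sketch compares the [Privilege Rights] section of a GPO security template with the machine's exported effective policy; both template texts are constructed, EXAMPLE\tsusers is a hypothetical group, and obtaining the effective copy through a secedit export is an assumption.

```python
# Added example; the template text below is constructed for illustration.
RIGHT = "SeInteractiveLogonRight"     # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"  # "Deny logon locally"

GPO_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,EXAMPLE\\tsusers
"""
EFFECTIVE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight =
"""

def privilege_rights(inf_text):
    """Return {right: set of members} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()
            }
    return rights

def diagnose(gpo_text, effective_text, principals):
    """principals: the account's name or SID plus those of its groups."""
    ids = {p.strip().lstrip("*").lower() for p in principals}
    gpo, eff = privilege_rights(gpo_text), privilege_rights(effective_text)
    return {
        "granted_in_gpo": bool(ids & gpo.get(RIGHT, set())),
        "granted_effective": bool(ids & eff.get(RIGHT, set())),
        "denied_effective": bool(ids & eff.get(DENY, set())),
        # Entries the GPO grants that never reached the machine's policy.
        "missing_on_machine": sorted(gpo.get(RIGHT, set()) - eff.get(RIGHT, set())),
    }

if __name__ == "__main__":
    print(diagnose(GPO_TEMPLATE, EFFECTIVE, ["EXAMPLE\\tsusers"]))
```

A non-empty `missing_on_machine` with `granted_in_gpo` true points at policy application (refresh, replication, or another GPO taking precedence) rather than at the right itself.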