Archived from groups: microsoft.public.win2000.security (
More info?)
Any domain or Organizational Unit Group Policy that is enabled will override
Local Security Policy defined settings assuming everything is configured
correctly and the policy propagates. Domain Controllers by default have user
rights for logon locally and deny logon locally defined in Domain Controller
Security Policy and that will override the Local Security Policy for those
user rights. I would first double check the Domain Controller Security
Policy from your other server to make sure that those user rights are
correct. If you change them, reboot the domain controller. Note that if you
have more than one GPO in the domain controller container [or any container]
that the GPO at the top of the list has the highest precedence which means
you need to check all policies in that container. I would also examine Event
Viewer for the domain controller from the other server to see if there any
errors/warnings reported that may be helpful. You can use Computer
Management and then select another computer to view the Event Viewer of
another network computer assuming you have proper credentials. --- Steve
"Dave W" <anonymous@discussions.microsoft.com> wrote in message
news:019801c4a4cc$947cd870$a601280a@phx.gbl...
> Just a thought here and I want to know what your opinion
> is, from what I understand, Domain security settings over
> ride local security settings. If that's true, then what if
> I enable Domain level GP, making certain that those
> particular logon rights are set correctly and thereby
> superceding any local security settings that are
> preventing a logon to that server?
>
> Dave
>>-----Original Message-----
>>Just to add you may need to first install adminpak from
> the install cdrom
>>for Windows 2000 on your other computer first. It is
> located in the I386
>>folder. Also be sure to check for "deny logon locally "
> user right entries
>>as they will override any allow logon locally user right.
> Keep in mind that
>>administrators are part of the everyone and users group
> whenever configuring
>>permissions - particularly deny permissions. --- Steve
>>
>>
>>"Miha Pihler" <mihap-news@atlantis.si> wrote in message
>>news:OYuGDWMpEHA.592@TK2MSFTNGP11.phx.gbl...
>>> Dave,
>>>
>>> If you can connect to domain using Active Directory
> Users and Computer
>>> from
>>> your computer then Right click Domain Controller OU.
> Click on
>>> Properties ->
>>> Group Policy tab and click to select on Default Domain
> Controllers Policy.
>>> Click on Edit.
>>>
>>> In Group Policy Editor under Computer Configuration ->
> Windows Settings ->
>>> Security Settings -> Local Policies -> Users Rights
> Assignment open Allow
>>> log on locally (double click on this policy). Make sure
> that
>>> administrators
>>> group is listed in this policy.
>>>
>>> Mike
>>>
>>> "Dave W" <anonymous@discussions.microsoft.com> wrote in
> message
>>> news:301201c4a4c2$103b50f0$a301280a@phx.gbl...
>>>> I apologize for being vague.
>>>> Yes, it is a DC with the only other 2000 server being
> the
>>>> PC that I use for a workstation, of sorts. The failed
>>>> logon was with the Admin's account at the server's
>>>> keyboard. However, I first received the message over
> the
>>>> weekend when I tried logging into a terminal session
> from
>>>> home over the weekend. This is the only machine in our
>>>> network that this problem is happening on. I am
> positive
>>>> that I accidentally changed a policy setting last week
>>>> when I was trying to get a problematic application on a
>>>> workstation to allow me to log on to it's service.
> Thank
>>>> you.
>>>>
>>>> >-----Original Message-----
>>>> >Hi Dave,
>>>> >
>>>> >You will have to give us more information.
>>>> >
>>>> >Is this domain controller that you are trying to
> logon?
>>>> Did you try using
>>>> >Administrator account. Did you try using terminal
>>>> services to logon... Do
>>>> >you have same problem on domain controllers, server
> and
>>>> clients?
>>>> >
>>>> >Mike
>>>> >
>>>> >"Dave W" <anonymous@discussions.microsoft.com> wrote
> in
>>>> message
>>>> >news:2f8501c4a4bc$3b3f0810$a301280a@phx.gbl...
>>>> >> Some changes were made to group policy several days
> ago
>>>> >> and something musta got screwed up because I cannot
> log
>>>> >> back in now that I have logged out. I get the
> following
>>>> >> message after the failed login: "the local policy of
>>>> this
>>>> >> system does not permit you to logon interactively"
>>>> >> Is there anything that I can do?
>>>> >
>>>> >
>>>> >.
>>>> >
>>>
>>>
>>
>>
>>.
>>