Windows 2000 Server Logon Problem

Jim

Distinguished
Mar 31, 2004
2,444
0
19,780
Archived from groups: microsoft.public.win2000.setup (More info?)

I have setup a Windows 2000 Server that I intend to
eventually load Terminal Services on to. I have joined
the domain and can logon both locally and onto the network.
as long as it's as an Administrator.

The problem I'm having is that I can not add a user and
have them logon with anything less then Administrator
Rights. If I do, I get a message that says,

"The Local Policy of this system does not permit you to
logon interactively".

If I set the user as an Administrator, they can logon
without any problem... But I can't allow that.

I have searched the local policy settings and haven't been
able to locate the correct setting. Please point me in the
right direction.

Thank you,
Jim
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.setup (More info?)

Jim

I assume you have promoted this Win2k server to a domain
controller.

On the server, logon with administrative rights
Point Start-Programs-Admin Tools-Domain Controller
Security Policy.
Expand Local Policies-User Rights Assignments.
In the right pane scroll to Log on Locally, right click
and choose security. Here you can add users or groups with
permission to log on to the DC.

Hope this helps
Paul
>-----Original Message-----
>I have setup a Windows 2000 Server that I intend to
>eventually load Terminal Services on to. I have joined
>the domain and can logon both locally and onto the
network.
>as long as it's as an Administrator.
>
>The problem I'm having is that I can not add a user and
>have them logon with anything less then Administrator
>Rights. If I do, I get a message that says,
>
>"The Local Policy of this system does not permit you to
>logon interactively".
>
>If I set the user as an Administrator, they can logon
>without any problem... But I can't allow that.
>
>I have searched the local policy settings and haven't
been
>able to locate the correct setting. Please point me in
the
>right direction.
>
>Thank you,
>Jim
>
>.
>
 

Jim

Distinguished
Mar 31, 2004
2,444
0
19,780
Archived from groups: microsoft.public.win2000.setup (More info?)

As to whether or not the server was promoted to a domain
controller, I "think" it was, but to be honest I'm not
sure. How can that be proven one way or the other?

>-----Original Message-----
>Jim
>
>I assume you have promoted this Win2k server to a domain
>controller.
>
>On the server, logon with administrative rights
>Point Start-Programs-Admin Tools-Domain Controller
>Security Policy.
>Expand Local Policies-User Rights Assignments.
>In the right pane scroll to Log on Locally, right click
>and choose security. Here you can add users or groups
with
>permission to log on to the DC.
>
>Hope this helps
>Paul
>>-----Original Message-----
>>I have setup a Windows 2000 Server that I intend to
>>eventually load Terminal Services on to. I have joined
>>the domain and can logon both locally and onto the
>network.
>>as long as it's as an Administrator.
>>
>>The problem I'm having is that I can not add a user and
>>have them logon with anything less then Administrator
>>Rights. If I do, I get a message that says,
>>
>>"The Local Policy of this system does not permit you to
>>logon interactively".
>>
>>If I set the user as an Administrator, they can logon
>>without any problem... But I can't allow that.
>>
>>I have searched the local policy settings and haven't
>been
>>able to locate the correct setting. Please point me in
>the
>>right direction.
>>
>>Thank you,
>>Jim
>>
>>.
>>
>.
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.setup (More info?)

Jim
If you can follow my previous instructions, then the
machine is a domain controller.
Another way to check is: When you logon, do you have the
choice of logging on to the local machine? (%computername%
(This Computer) in the bottom drop down box)
Regards
Paul
>-----Original Message-----
>As to whether or not the server was promoted to a domain
>controller, I "think" it was, but to be honest I'm not
>sure. How can that be proven one way or the other?
>
>>-----Original Message-----
>>Jim
>>
>>I assume you have promoted this Win2k server to a domain
>>controller.
>>
>>On the server, logon with administrative rights
>>Point Start-Programs-Admin Tools-Domain Controller
>>Security Policy.
>>Expand Local Policies-User Rights Assignments.
>>In the right pane scroll to Log on Locally, right click
>>and choose security. Here you can add users or groups
>with
>>permission to log on to the DC.
>>
>>Hope this helps
>>Paul
>>>-----Original Message-----
>>>I have setup a Windows 2000 Server that I intend to
>>>eventually load Terminal Services on to. I have joined
>>>the domain and can logon both locally and onto the
>>network.
>>>as long as it's as an Administrator.
>>>
>>>The problem I'm having is that I can not add a user and
>>>have them logon with anything less then Administrator
>>>Rights. If I do, I get a message that says,
>>>
>>>"The Local Policy of this system does not permit you to
>>>logon interactively".
>>>
>>>If I set the user as an Administrator, they can logon
>>>without any problem... But I can't allow that.
>>>
>>>I have searched the local policy settings and haven't
>>been
>>>able to locate the correct setting. Please point me in
>>the
>>>right direction.
>>>
>>>Thank you,
>>>Jim
>>>
>>>.
>>>
>>.
>>
>.
>
 

Jim

Distinguished
Mar 31, 2004
2,444
0
19,780
Archived from groups: microsoft.public.win2000.setup (More info?)

Paul,

Yes I can do these steps and I can choose whether to log
on locally or to the domain. I added users to the local
security list. Unfortunately for whatever reason they
still can't log on unless I give them "Administrator
Rights".

Jim

>-----Original Message-----
>Jim
>If you can follow my previous instructions, then the
>machine is a domain controller.
>Another way to check is: When you logon, do you have the
>choice of logging on to the local machine? (%
computername%
>(This Computer) in the bottom drop down box)
>Regards
>Paul
>>-----Original Message-----
>>As to whether or not the server was promoted to a domain
>>controller, I "think" it was, but to be honest I'm not
>>sure. How can that be proven one way or the other?
>>
>>>-----Original Message-----
>>>Jim
>>>
>>>I assume you have promoted this Win2k server to a
domain
>>>controller.
>>>
>>>On the server, logon with administrative rights
>>>Point Start-Programs-Admin Tools-Domain Controller
>>>Security Policy.
>>>Expand Local Policies-User Rights Assignments.
>>>In the right pane scroll to Log on Locally, right click
>>>and choose security. Here you can add users or groups
>>with
>>>permission to log on to the DC.
>>>
>>>Hope this helps
>>>Paul
>>>>-----Original Message-----
>>>>I have setup a Windows 2000 Server that I intend to
>>>>eventually load Terminal Services on to. I have
joined
>>>>the domain and can logon both locally and onto the
>>>network.
>>>>as long as it's as an Administrator.
>>>>
>>>>The problem I'm having is that I can not add a user
and
>>>>have them logon with anything less then Administrator
>>>>Rights. If I do, I get a message that says,
>>>>
>>>>"The Local Policy of this system does not permit you
to
>>>>logon interactively".
>>>>
>>>>If I set the user as an Administrator, they can logon
>>>>without any problem... But I can't allow that.
>>>>
>>>>I have searched the local policy settings and haven't
>>>been
>>>>able to locate the correct setting. Please point me in
>>>the
>>>>right direction.
>>>>
>>>>Thank you,
>>>>Jim
>>>>
>>>>.
>>>>
>>>.
>>>
>>.
>>
>.
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.setup (More info?)

Jim

>Yes I can do these steps and I can choose whether to log
>on locally or to the domain.

This machine is not a domain controller. When logging on
to a domain controller the option to logon to the local
machine is not available.

>I added users to the local
>security list. Unfortunately for whatever reason they
>still can't log on unless I give them "Administrator
>Rights".

By default, members of the users group, either local or
domain, cannot loggon to server machines.

To resolve this, create a group in Active Directory ie
Terminal Services User Group, add any domain user accounts
who wishes to use the terminal server to this group.

Next, right click the domain name in Active Directory ie
yourdomain.com, choose properties - group policy - edit -
computer configuration - windows settings - security
settings - local policies - user rights assignments.
Scroll down to "log on locally" and add your Terminal
Services User Group.

When the domain users wishes to loggon to the terminal
server, ensure they loggon to the domain on the server,
not the local machine. Note: the terminal server may need
to be rebooted in order to pick up the new domain policy.

Regards
Paul Basham
MCP
 

Jim

Distinguished
Mar 31, 2004
2,444
0
19,780
Archived from groups: microsoft.public.win2000.setup (More info?)

Paul,

I hope you see this reply... It has been awhile since I
posted. I finally solved the problem due in large effect
to your help. I finally brought the computer back to
square one by loading an image that I created when I
originally set the server up.

As soon as I was back to the start point, terminal
services installed perfectly and works like it is suppose
too. Apparently a registry key did not set correctly when
I originally started or something, because I redid
everything exactly as I had previously done, except this
time it worked. Thank goodness that I made an image
and thank you sir for your input!

Jim

>-----Original Message-----
>Jim
>
>>Yes I can do these steps and I can choose whether to log
>>on locally or to the domain.
>
>This machine is not a domain controller. When logging on
>to a domain controller the option to logon to the local
>machine is not available.
>
>>I added users to the local
>>security list. Unfortunately for whatever reason they
>>still can't log on unless I give them "Administrator
>>Rights".
>
>By default, members of the users group, either local or
>domain, cannot loggon to server machines.
>
>To resolve this, create a group in Active Directory ie
>Terminal Services User Group, add any domain user
accounts
>who wishes to use the terminal server to this group.
>
>Next, right click the domain name in Active Directory ie
>yourdomain.com, choose properties - group policy - edit -
>computer configuration - windows settings - security
>settings - local policies - user rights assignments.
>Scroll down to "log on locally" and add your Terminal
>Services User Group.
>
>When the domain users wishes to loggon to the terminal
>server, ensure they loggon to the domain on the server,
>not the local machine. Note: the terminal server may need
>to be rebooted in order to pick up the new domain policy.
>
>Regards
>Paul Basham
>MCP
>
>.
>