The local policy does not permit you to logon interactively

Status
Not open for further replies.

tkaplan1983

Jul 11, 2007
Hi all. I am having the weirdest problem. I work in a company that has all our computers on a domain. I think about two years ago I did some registry hack that overrode the Group Policy or Local Policy.

Here is some history:

I am a local administrator on both computers. I have compared all the terminal services local policy line by line on both computers and they are exactly the same.

I ran rsop.msc on both computers and they are exactly the same.

I tried manually adding myself to the remote desktop users on the remote tab of the computer I can't log on to and it still doesn't work. The weird thing is that when I check the remote tab it says that my user already has access whether or not I'm on the list. I never was added to any global list of users in GPO.

I checked all the areas that I could think of in the registry for fDenyTSConnections and they are all set to 0. I am totally stumped. I have no idea why one computer works with no issue and the other one gives me:

"The local policy of this system does not permit you to logon interactively." every time I try to log in through remote desktop. If anyone has any ideas how to fix this it would be greatly appreciated.



 

ahhgeez

Mar 7, 2009
Are you trying to RDP or is this a terminal server? We need a little info about the setup and why you had to override the original global policy.
 

proedros

Feb 28, 2009
ahhgeez is right, we need more info....
Was the remote desktop working and now it doesn't?
Are the terminals firewalled?
Are you trying to remote within the domain or from outside?
Local administrator gives you rights only locally and only on the computer that you use, not to the domain profiles (I suppose) the computer has. Is that why you did the hack?
 

techdeuce

Feb 12, 2009
If it is a server, ask the administrator for the domain to adjust the policy for the machine.
If it is a regular workstation (while logged in as local admin), hit Start, Run, and type in secpol.msc.
On the left-hand side of the window that opens, click Local Policies,
then click User Rights Assignment.
On the right-hand side of the window, click Deny login locally and adjust the users there, then scroll down to "log on locally" and adjust the users there so you are allowed and not denied.

Be careful, you can really mess stuff up in there for all users of the machine. I have made mistakes here that caused a lot of grief, and I have been doing tech/server support for 16 years. No one is immune from catastrophic errors and you are on the cliff of one, if this is a server. Murphy's laws apply to this post.
 

tkaplan1983

Jul 11, 2007
Hey all. I have given you all the information that you need.

I have checked all the policies in secpol.msc. They are all grayed out anyway, so I couldn't change them if I wanted to since it's on a domain. But to answer your questions, Deny login locally is not even configured.

Firewalled? No, all the systems on the domain by default have no firewalls on.

If you read my original post, I have compared policy line by line and they are the same. I can remote into one of them but the other one I can't and never have been able to.

Yes, both computers have RDP enabled.

No, I'm not trying to remote from outside the domain.

Yes, I have local admin on both machines and yes, I did the hack because I am not a domain admin.

Yes, I am trying to use regular Windows RDP. By default RDP is not allowed and I somehow overrode the global policy. This has to have been done in the registry since local policy changes are corrected every time you re-update the GPO.

I could ask an admin to adjust it for me but this is just for my information. I want to know what I did to override this.

Hope that helps.
 

proedros

Feb 28, 2009
Try this: mstsc /v:xxx.xxx.xxx.xxx:3389 /admin <--- try it first without the admin, where xxx is your internal IP.
If you can't connect, maybe there will be an issue with the terminal server licence.

 

tkaplan1983

Jul 11, 2007

I gave that a try and it still gives me the same error. The /admin was not a valid command.

Thanks.
 

ksthomas

Feb 3, 2010
If you are running SBS or a Domain Controller and the Workstation is a member of the Domain you will need to do the following.

Log on to the workstation as the administrator. Right click on the computer icon then click properties, then select the remote tab. You will see a button that allows you to select users allowed to access the ws remotely. Add the domain user that you would like to allow access to that ws, in the form of domain\username.

That should do it.

Scott Thomas,
www.systemsolutions.ws
 
Guest


Please let me know what the problem could be for the following error when I log in to a client machine remotely.
"the local policy of the system does not permit you to logon interactively"

I tried in GPO, the domain security system and Terminal Services as well, but the same problem keeps coming. Please guide me on what the problem in the server would be.

Ramesh
 
Guest
I tried so many solutions, including replacing the security file and also checking the registry. In the end I had to restore the registry from an earlier time, and this fixed the problem. By doing this I got a Windows activation prompt, so it may have been that the cause of the problem was that Windows was not activated, so local interactive logons were blocked. Follow the instructions on http://support.microsoft.com/kb/307545 to restore the registry. You don't have to use the recovery console if you can plug the hard drive into another working computer, and you can copy the security, sam, default, software and system files from another hard drive with a working XP installation.
Good luck.
 

subu09

Sep 26, 2010
If the Local Security Policy is set to disallow local logons to Everyone, then the error message will pop up for any user who tries to log on, including an administrator. This can be fixed in a couple of ways:

1. You can use the resource kit tool, Ntrights.exe, to change the local logon rights. For example, you could run this command: ntrights -m \\ProblemComputer(Host name or IP Address) -u Administrator +r SeInteractiveLogonRight.
2. You can open a command prompt from another computer on the same network, issue the command Net use x: \\ProblemComputer(Host name or IP Address)\C$ <Password> /u:Administrator, and then change to the directory %SystemRoot%\Security\Database. Rename Secedit.sdb to Secedit.old_sdb and copy a working version of a Secedit.sdb file from another computer running the same operating system (for example, Windows 2000 Professional, XP..).
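
Added example, not part of any post in this thread: a PowerShell check to run on both the working and the failing machine, so the accounts holding the logon-related user rights and the fDenyTSConnections settings can be compared side by side. The right names other than SeInteractiveLogonRight and the two registry key paths are standard Windows names rather than values taken from the thread, and the temporary file name is arbitrary.

```powershell
# Added example: show which accounts hold the logon-related user rights and
# where fDenyTSConnections is set. Run elevated (secedit needs admin rights).
$rights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
          'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

# Entries are either plain account names or SIDs written as *S-1-...
function Resolve-Entry([string]$Entry) {
    $Entry = $Entry.Trim()
    if ($Entry -notmatch '^\*S-') { return $Entry }
    $sid = $Entry.TrimStart('*')
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # unresolvable (e.g. deleted account): show the raw SID
}

$lines = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue
foreach ($right in $rights) {
    # A right that nobody holds has no line at all in the export.
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' |
            Where-Object { $_.Trim() } | ForEach-Object { Resolve-Entry $_ })
    }
    if ($holders.Count -eq 0) { $holders = @('(not assigned)') }
    '{0,-36} {1}' -f $right, ($holders -join '; ')
}

# fDenyTSConnections can exist under the system key and under the policy key.
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
foreach ($key in $keys) {
    $item = Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $value = if ($item) { $item.fDenyTSConnections } else { '(not set)' }
    "fDenyTSConnections = $value  [$key]"
}
```

A deny right that lists a group the user belongs to overrides any matching allow right, so compare the two deny lines first.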
 