I already changed the domain GPO -Chris -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Facundo Chamut Sent: Wednesday, May 01, 2002 9:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Log on Interactivly
local GPOs get overruled by domain GPOs. you need to change, or in your case, ask somebody to change for you, the domain GPOs Facus. -- To err is human. To really screw up, you need a computer. -----Original Message----- From: Christopher Hummert [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 01, 2002 12:05 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Log on Interactivly Anyone? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher Hummert Sent: Wednesday, May 01, 2002 8:20 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Log on Interactivly Ok so I went to the users computer and I looked at the local group policy. They deny logon locally was applied to the domain users group. I right clicked on it and hit security and then the box came up and the local policy setting box was unchecked but the effective policy setting box was checked but it was grayed out. It wouldn't let me uncheck this box. Any idea on how to change that? -Chris -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan Sent: Wednesday, May 01, 2002 6:04 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Log on Interactivly Chris, Sorry I haven't replied - I backed out of the fray on this one. The right to log in locally is usually set at the local machine. It's a Deny Logon Locally or the Log on Locally permission that has been set. It will typically (unless someone has deemed to set it at the domain for ALL users and ALL computers in the domain) be set in the Local Policy on the machine. You can get to this by logging in as the Administrator and looking in the Admin tools on the local machine or load up an MMC and select the Local Security Policy, then set the focus to this machine. Look to the Deny Logon Locally permission. Make sure that the user is not defined here. Nexy look at the Log on Locally make that the user IS defined here. This is most likely not a Group Policy issue. When we deal with the Sec Policies, the closer to the Local machine, the more precedence these settings will take. This is opposite of the way that GPO works, as the farther from the Local settings we get, the less effect local settings can impose. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 "Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher > Hummert > Sent: Wednesday, May 01, 2002 1:44 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Log on Interactivly > > > I might have to do that.....argh....I don't want to though -Chris > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Bryan > Schlegel > Sent: Tuesday, April 30, 2002 9:49 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Log on Interactivly > > > Can anyone reference the Defaults for Logon Locally under the Domain > Security Policy? > > I think this would help Chris's problem out here. > > I tired this once on my DC > http://www.jsifaq.com/subg/tip3300/rh3329.htm > and for some reason I lost the ability to get into the local > machine on my domain controllers. > > So I am skeptical to dish out advise on messing with Group Policies, > after I failed to restore mine properly. I might have to pick up one > of those books mentioned about GPO's in that other thread :( > > -----Original Message----- > From: Christopher Hummert [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, April 30, 2002 9:51 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Log on Interactivly > > > When I log into his computer and chose to log onto the domain as the > admin I get the same error message. When I try to log onto the local > computer I can just fine. Is there an import feature for the Local > Users and Groups, so I can import his account from the domain? I'm at > home right now so I don't have physical access to his computer, but I > do have access to the server via Terminal Services > > -Chris > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Bryan > Schlegel > Sent: Tuesday, April 30, 2002 6:41 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Log on Interactivly > > > Chris, > > Go to the computer, Login as admin or yourself if you have domain > admin rights. > > Right click on my computer > manage > Local Users and Groups > > Go to groups make sure his NT account is added to at least > to the local users group, if not click add, find the account you are > trying to logon to. Logoff the machine, he should be able to login > now. -b > > -----Original Message----- > From: Christopher Hummert [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, April 30, 2002 9:35 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Log on Interactivly > > > I haven't looked at the local security policy. How do I check that? > -Chris > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan > Sent: Tuesday, April 30, 2002 6:15 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Log on Interactivly > > > Chris, > > Have you looked at the machine's Local Security Policy? I can't > determine why you're getting this error, but unless the Interactive > Logon Permissions have been modified, these are typically set at the > machine as the effective settings. The Domain policy would probably > be undefined, as the Local would take precedence in this case. > > Rick Kingslan - Microsoft MVP [Windows NT/2000] > Microsoft Certified Trainer > MCSA, MCSE+I - Windows NT / 2000 > > "Any sufficiently advanced technology > is indistinguishable from magic." > --- Arthur C. Clarke > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher > > Hummert > > Sent: Tuesday, April 30, 2002 7:00 PM > > To: [EMAIL PROTECTED] > > Subject: [ActiveDir] Log on Interactivly > > > > > > I'm having problems with one of my users machines. When he tries to > > logon to the domain he gets the following message: > > > > "The local policy of this system does not permit you to log on > > interactively" > > > > Now I went to the MS KB and found article Q276590. I used > the ntrights > > > program as they said: > > > > ntrights -m \\dagobah -u rick -r SetDenyInteractiveLogonRight > > > > But I get the following: > > > > Revoking SetDenyInteractiveLogonRight from rick on > \\dagobah... failed > AddUserRightToAccount: > > ***Error*** AddUserRightToAccount -1073741728 > > Anyone know what's going on and what I need to do to fix it? This has > got my brain cramped. I checked the Domain Security policy and both > deny and logon interactively have been changed to not defined. Someone > here at the office changed that which is what I think caused the > problem in the first place. > > -Chris > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
