Local policy does not permit you to logon interactively

  • Thread starter Thread starter Lesa H.
  • Start date Start date
L

Lesa H.

HELP! I've never had this happen before. I had a Windows 2000 Workstation
that was freshly loaded and working great. The domain controller is a
Windows 2000 server and I wasn't the person who configured it initially. I
configured the network settings on the workstation then joined the system to
the domain. Everything looked fine, but after I rebooted the system I
couldn't get in with ANY user account. Not the domain administrator account,
not even the local administrator account (which had been working before
joining the domain). I tried booting into safe mode and safe mode with
command prompt, but in both cases the login attempt produced the same
results (Local policy of the system does not allow you to logon
interactively). I REALLY don't want to reload this system and I need to find
out what caused the problem before I join any other systems to this domain.

Is there any way to fix the problem without a reload?

Thanks!

Lesa H.
 
Lesa H. said:
HELP! I've never had this happen before. I had a Windows 2000 Workstation
that was freshly loaded and working great. The domain controller is a
Windows 2000 server and I wasn't the person who configured it initially. I
configured the network settings on the workstation then joined the system to
the domain. Everything looked fine, but after I rebooted the system I
couldn't get in with ANY user account. Not the domain administrator account,
not even the local administrator account (which had been working before
joining the domain). I tried booting into safe mode and safe mode with
command prompt, but in both cases the login attempt produced the same
results (Local policy of the system does not allow you to logon
interactively). I REALLY don't want to reload this system and I need to find
out what caused the problem before I join any other systems to this domain.

Is there any way to fix the problem without a reload?

Thanks!

Lesa H.
Click to expand...

Google gave me this
http://support.microsoft.com/?kbid=841188

Might be what you need

Jud
 
Open Domain Security Policy on the domain controller and go to security
settings/local policies/user rights. Check the two user rights for logon
locally and deny logon locally. These are usually undefined but someone may
have modified them and if they did the domain settings will override local
settings. If the are undefined you could try setting logon locally to
include users and administrators and for deny logon locally add just the
guest account. Then run secedit /refreshpolicy machine_policy /enforce on
the domain controller and reboot the domain workstation. Another possibility
is a startup script is applying a security template via secedit during
startup as a domain computer. If you are finally able to logon, I would open
Local Security policy on that workstation and check those two user rights
for local and effective settings. --- Steve
 
Hi Lesa,

Please check the domain security policies has Steve has suggested and then
use the following steps to check the problematic machine by using the
following steps:

1. On a machine which working normally, key in "mmc" in the Run box.
2. Click File menu->Add/Remove Snap-in
3. Click Add button in Stand-alone tab to choose Group Policy Object Editor
and click Add
4. In the Welcome to Group Policy wizard, click Browse button
5. Click Computer tab and choose Another Computer.
6. Input the problematic machine name or IP address and click Finish.

You can then configure the problematic machine' local policy:

7. Under "Computer Configuration", expand "Windows Settings", expand
"Security Settings", expand "Local Policies", and then click "User
Rights Assignment".

8. In the right pane of the "Group Policy" dialog box, right-click "Log
on locally", and then click "Security".

9. Click to select the "Define these policy settings" check box, click
"Add", and then click "Browse".

10. Click those users to whom you want to grant the "Log on locally"
policy, click "Add", and then click "OK" two times. To select multiple
users or groups, press and hold the CTRL key down, and then click
individual objects.

For more details about this policy, please refer to the following article:
285793 Error Message: The Local Policy of This System Does Not Permit You to
http://support.microsoft.com/?id=285793

NOTE: You need to use a domain admin account to manager the problematic
machine or use the problematic machine's local administrator account to
logon.


Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I'll try Steve's suggestion, I'm not sure I'll be able to manage this system
remotely. It's giving me a problem with access denied errors when I try to
do anything remotely.

I'll try the suggestions I have and report back.

Lesa H.
 
I used Steve's suggestion and was able to get into the system with the
domain administrator password. All is well. Thanks loads!

Lesa H.
 
Good to hear it!

BTW, access denied error has indicated that the user name and password does
not match the target machine's local account. For example, the local
administrator on machine1 with the password 123, the taget machine's local
administrator with the password 456, you will receive this error message.

Further questions, let us get in touch!


Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top