Local Policy - No one can log in - total lock out


Larry K. Reynolds

System: W2K Server (no problem) with SP4.
W2K Pro on Workstation (problem)
All other Workstations (8) are NT4 boxes

Problem: On Workstation, Administrator and User login gets message "local
policy does not allow you to login interactively." So, total lock out from
access!

Timing: This WS has been working for about 6 months.

What I did: Installed: SP4 on WS. It still allowed login by both
Administrator and User. The WS had been sluggish so I decided to set the
TCP/IP to get the address automatically and indicated the DNS suffix
(probably should have manually done this in the LMHOSTS file). Rebooted
and the problem was there.

What I need: A method to set the log in policy so I can get access.

Thanks - Larry K. Reynolds
 
Hello Larry.

First, verify that the workstation is correctly configured for TCP/IP
communication. Verify that it has a valid IP address, subnet mask, DNS
server, and default gateway.

Then, move the workstation's computer account into a new Organizational Unit
(OU) in Active Directory. Create a new policy and link it to this OU.
Next, define in this policy to allow Administrators the right to "Log on
locally". Reboot the workstation.

If the workstation is working properly and can communicate with a domain
controller, at reboot it will apply the new policy just defined.
Administrators should now have the right to "log on locally". Take a look
at the computer's local security policy and ensure that it is correctly
defined (especially the "log on locally" right).

A common cause of this error is when an administrator accidentally edits the
Default Domain Policy and defines the "log on locally" user right with no
one defined. This causes no user accounts to be allowed to log on locally...

If policies do not correct the problem, use the NETDIAG.EXE tool (found in
the Windows 2000 Support Tools, provided with Windows 2000) to analyze the
networking configuration of the system.

David Fisher
Enterprise Platform Support
 
Larry,

It sounds as if you may have set the Windows 2000 workstation's local
security policy to deny everyone the right to log on locally. One thing you
can try is to use ntrights from the Windows 2000 resource kit to remove the
deny that may be in the workstation's local security policy. You can run
this tool remotely from another computer in the domain.

The command would be
"ntrights -m \\workstationname -u everyone -r SeDenyInteractiveLogonRight"

You could then run this command to give everyone the right to log on
locally:
"ntrights -m \\workstationname -u everyone +r SeInteractiveLogonRight"

Ray Lava
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights
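
An added example, not part of any post in this thread: a check for the two causes named in the replies above (the "log on locally" right defined with no one listed, and a deny entry covering everyone), run over the text of a security template export such as the file written by `secedit /export /cfg`. The sample export and the function names are constructed for illustration.

```python
# Added example: flag the interactive-logon lockout conditions described in
# this thread in the [Privilege Rights] section of a security template export.
# Real exports are usually UTF-16; decode the file before passing the text in.

# Well-known SIDs and names for Everyone and BUILTIN\Administrators.
EVERYONE = {"*s-1-1-0", "everyone"}
ADMINS = {"*s-1-5-32-544", "administrators"}

# Constructed sample, not taken from the poster's workstation.
SAMPLE_LOCKED_OUT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight =
SeDenyInteractiveLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""


def privilege_rights(inf_text):
    """Return {right_name: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def interactive_logon_findings(inf_text):
    """List conditions that would block interactive logon for administrators."""
    rights = privilege_rights(inf_text)
    findings = []
    allow = rights.get("SeInteractiveLogonRight")  # None means "not defined"
    if allow is not None:
        granted = {p.lower() for p in allow}
        if not granted:
            findings.append("SeInteractiveLogonRight is defined with no one listed")
        elif not granted & (EVERYONE | ADMINS):
            findings.append("SeInteractiveLogonRight omits Administrators")
    denied = {p.lower() for p in rights.get("SeDenyInteractiveLogonRight", [])}
    if denied & (EVERYONE | ADMINS):
        findings.append("SeDenyInteractiveLogonRight covers Everyone or Administrators")
    return findings
```

An empty result means neither condition is present in the exported template; a right that is absent from the export is treated as not defined rather than as empty.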
 