log on locally problem in W2K pro & server

  • Thread starter Thread starter Harold Youtzy
  • Start date Start date
H

Harold Youtzy

I am presently working with a client that has a global
security group defined within an user OU of the domain.
User Jane is a member of that global security group.
That global security group is one of the members listed in
the global policy of the default domain controllers with
log on locally rights. If I remove Jane from the global
security group and place her individually in the default
domain controllers policy for log on locally rights, then
she is unable to log onto her W2K pro workstation.
When a member of the global security group, Jane's local
group policy of the W2K workstation for log on locally
rights, shows the global security group as an empty box
under local policy setting and a greyed-out checked box
under effective policy setting, and she is able to log
onto her W2K workstation.
I do not understand how removing her from the global
security group, yet placing her in the log on locally list
on the default domain controller policy would not permit
her to log on to her W2K workstation. Shouldn't the right
be the same whether she is a member of a group given the
log on locally right or listed indidually in that same
right? Help me to understand why this is not so.
 
It appears that you are dealing with resultant set of policies and policy
precedence. Your scenario indicates that membership in this group is
essential for logging on locally to most computers in your enterprise, which
is not the default. So, you might want to check if any GPOs have been
altered for the logon locally user right. (client computers and servers have
Authenticed Users as having the ability to logon locally, DCs do not.)

When you see a gray box for the User rights, that means that that setting is
coming from a GPO that is linked to the site, domain, or OU, where that
computer account resides in the AD. (User rights are computer policies, not
user policies). So, when Jane is in the group, she can logon locally, but
when you move her out of the group, she can't, since she is in no group that
gives her that ability.
 
Back
Top