PSS ID Number: 285793
Article Last Modified on 6/6/2003
----------------------------------------------------------------------------
The information in this article applies to:
  a. Microsoft Windows 2000 Professional
  b. Microsoft Windows 2000 Server
  c. Microsoft Windows 2000 Advanced Server
----------------------------------------------------------------------------
This article was previously published under Q285793
SYMPTOMS
When you try to log on to the domain or your local computer, you may receive
the following error message:
The local policy of this system does not permit you to logon interactively
CAUSE
This issue may occur if the "Deny logon locally" policy is set on your
computer.
RESOLUTION
To resolve this issue, create an organizational unit for computers that you
want to exclude from the "Deny logon locally" policy, and then grant the
"Log on locally" policy to individual users or groups in the organizational
unit:
1. Click Start, point to Programs, point to Administrative Tools, and
   then click Active Directory Users and Computers.
2. Right-click the domain name, point to New, and then click
   Organizational Unit.
3. Type the name of the new Organizational Unit, and then click OK. For
   example, you might type MyTestOU.
4. Put the computers to which you want to grant the Logon Locally right
   in the Organizational Unit that you created in step 3:
     1. Click the container that contains the computer or computers that
        you want to move.
     2. Select the computers, right-click the computers, and then click
        Move.
     3. In the Move dialog box, click the organizational unit that you
        created in step 3, and then click OK.
5. Right-click the organizational unit, and then click Properties.
6. Click the Group Policy tab, click New, type the Group Policy Object
   name, and then click Edit.
7. Under Computer Configuration, expand Windows Settings, expand Security
   Settings, expand Local Policies, and then click User Rights Assignment.
8. In the right pane of the Group Policy dialog box, right-click Log on
   locally, and then click Security.
9. Click to select the Define these policy settings check box, click Add,
   and then click Browse.
10. Click those users to whom you want to grant the "Log on locally"
    policy, click Add, and then click OK two times. To select multiple
    users or groups, press and hold the CTRL key down, and then click
    individual objects.
11. Click OK to close the Security Policy Setting dialog box.
PSS ID Number: 276590
Article Last Modified on 7/3/2003
----------------------------------------------------------------------------
The information in this article applies to:
  a. Microsoft Windows 2000 Server SP1
  b. Microsoft Windows 2000 Advanced Server SP1
  c. Microsoft Windows 2000 Professional SP1
  d. Microsoft Windows 2000 Datacenter Server
----------------------------------------------------------------------------
This article was previously published under Q276590
SYMPTOMS
When you add a group, such as Domain Users, Everyone, or Authenticated
Users, to the "Deny Logon Locally" user right, users who are members of
those groups can no longer log on to certain computers. When a user tries to
log on to the computer, the user may receive the following error message:
The Local policy of this system does not permit you to log on interactively.
The administrator of your system may find this behavior to be unexpected.
CAUSE
This behavior may occur because the user (for example, an administrator who
is a member of a group that has been explicitly granted the "Logon Locally"
user right) may also be a member of one of the preceding groups. When any of
the preceding groups is denied access to the computer, the policy that
denies the user right takes precedence over a policy that grants it.
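The precedence rule described above can be checked offline against an exported security template. The following is an added example, not part of the original article: it assumes the [Privilege Rights] text is in the INF format that secedit /export writes, that the caller supplies the SIDs in the user's logon token (group membership is not resolved here), and all function names and sample values are constructed for illustration.

```python
import re

# Well-known SIDs of the broad groups the article names.
BROAD_GROUPS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # <domain SID>-513
ALLOW, DENY = "SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"

def parse_privilege_rights(inf_text):
    """Return {right name: set of principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading "*"; strip it for comparison.
            members = {p.strip().lstrip("*") for p in value.split(",")}
            rights[name.strip()] = members - {""}
    return rights

def broad_denies(rights):
    """List the broad groups that hold the deny right."""
    found = []
    for sid in sorted(rights.get(DENY, set())):
        if sid in BROAD_GROUPS:
            found.append(BROAD_GROUPS[sid])
        elif DOMAIN_USERS.match(sid):
            found.append("Domain Users")
    return found

def can_log_on_locally(token_sids, rights):
    """Deny takes precedence over allow for every SID in the logon token."""
    token = set(token_sids)
    denied = token & rights.get(DENY, set())
    return not denied and bool(token & rights.get(ALLOW, set()))

# Constructed sample policy and administrator token, not from a real system.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-11,*S-1-5-21-1111-2222-3333-513
[Version]
signature="$CHICAGO$"
"""
ADMIN_TOKEN = ["S-1-5-21-1111-2222-3333-500", "S-1-5-32-544", "S-1-5-11", "S-1-1-0"]

if __name__ == "__main__":
    policy = parse_privilege_rights(SAMPLE_INF)
    print(broad_denies(policy), can_log_on_locally(ADMIN_TOKEN, policy))
```

In the sample, the administrator holds the allow right through Administrators (S-1-5-32-544) but is still refused because Authenticated Users (S-1-5-11) is in the deny right.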
RESOLUTION
To work around this behavior, you can access the computer that is denying a
user access by means of an administrative account situated on another
client. Then you can use the Ntrights.exe program from the Microsoft Windows
2000 Resource Kit to remove the user from the "Deny Logon Locally" user
right.
To perform this procedure, use the following (case-sensitive) syntax:

    ntrights -m \\computer -u group or user to remove -r SeDenyInteractiveLogonRight

STATUS
This behavior is by design.
MORE INFORMATION
Most of the preceding problems occur when the Everyone group has been
removed from the user right. You can use the Ntrights utility to add user
rights.
For additional information about how to add a group back to the user right,
click the article number below to view the article in the Microsoft
Knowledge Base:
279664 How to Set Logon User Rights with the Ntrights.exe Utility