The Local Policy of This System Does Not Permit You to Logon Interactively

  • Thread starter Thread starter Jim
  • Start date Start date
J

Jim

We have been having a problem on our small Windows 2000 Server Domain. We
have about 15 workstations all running win2kpro. So far 3 systems have come
up with the error 'The Local Policy of This System Does Not Permit You to
Logon Interactively' when the user tries to logon. This after the systems
were working ok for over a year. It appears to start happening on some
workstations after installing Service Pack 4.

I ran the fix suggested by Microsoft in article 'Knowledge Base Article -
285793'
http://support.microsoft.com/default.aspx?scid=kb;en-us;285793&Product=win2000
which involves creating a new Organizational Unit. This worked for one of
the workstations and not the other 2, so I reformatted and reinstalled W2K
from scratch, since then one of the units has started coming up with this
error again.

When this message comes up during logon, it seems impossible to logon to the
system, either using the domain or logging on to the local computer with or
without Administrator access. This is frustrating. Any idea what's causing
this, and any other solutions, short of not using Service Pack 4?

Thanks,

Jim.....
 
Hi Jim. I have not heard of that. When you put the problem workstation in
the OU and were allowed to logon, did you check the Local Security Policy
for that machine in user rights assignments to see what was preventing the
logon?? I know a while back that there was virus/worm going around that
would run a secedit command on a computer to change the local policy
settings to deny the logon. Usually a user would notice a brief message on
the screen as it was executed. In regards to the KB link, try this. Also
configure the policy of the OU to contain just the guest account in deny
logon locally user right assignment. That way if the problem crops up again
and somehow your computers have a deny logon locally configured for the
users group, etc in Local Security Policy it will be overriden by the OU
policy to contain only the guest account. Good luck. --- Steve
 
Ok, thanks I will give that a try and let you know.

As to the Local security policy, all my other workstations that are working
ok, have all the local groups under 'Log on locally'. On the one that
started working after setting up the OU on the server, it is the same as the
others that are working properly. I guess setting up the OU resets the
permissions to what they should be.

Someone told me today that they have heard of this happening to workstations
that were upgraded to Windows 2000 from Windows 98. Not sure if that's the
case here but, on the one workstation I did a format and fresh install of
Win2K, and it popped up again after installing MS project which forces a
restart. I think that may have been a coincidence.

Thanks,

jim.....
 
That is interesting. Moving a computer to an OU with defined policy would only
override the Local Security Policy - not reset it. When you look in Local Security
Policy examine both the local setting and the effective setting. The effective
setting is the policy that is being applied, while the local policy is what is
defined in Local Security policy. --- Steve
 
Steve, Stupid me, I was thinking it was reset, but then again this is new to
me. I just checked and under the local policy setting it has,
3 users (1 of which is the IUSR user) and 4 groups (Admin's,Users,Power
Users, & Backup Ops) are checked off for 'Log on Locally'. Under 'Effective
Policy Setting' 1 user (IUSR user) and one group 'Users' is checked off, the
others are dimmed. Not sure if this tells you anything.

On the two I had to reformat, I could never get into them to check the
settings, of course.

Jim.....
 
OK. From what it looks like, there was nothing wrong with the log on locally
setting in Local Security policy for the computer you were having a problem
with. I would also check the settings on it for "deny logon locally" to see
if anything was there in the local setting. The "dimmed" boxes is the
effective setting that is being inherited from the domain or OU and only the
boxes that are checked there are the users/groups that are allowed to logon
locally. If you find any groups missing from the log on locally or that are
not supposed to be in the deny log on locally in the Local Security Policy,
be sure to correct them so that if the computer ever gets moved to another
OU that the problem will not start again assuming that was the problem in
the first place. --- Steve
 
Back
Top