The local policy of this system does not permit you to logon interactively


asamol_it

"The local policy of this system does not permit you to logon
interactively"

I get this message when I try to log on as a domain user. The administrator
account can logon without any errors. I understand this is a GP issue but
with win2k how do I find the problem?
Setup: win2k server w/AD running TS
Client: win2k member server
 
Go into the user rights portion of your group policies and
give each user the ability to "log on locally"

-M
 
Thank you,
I'm on it...alex
 
I added the TS group and the user to the "log on locally" Group Policy. Ran the
secedit /refreshpolicy user_policy /enforce and also the machine refresh
policy. I'm still getting the same error, "The local policy of this system
does not permit you to logon interactively".
Must be some other policy blocking this logon...any other thoughts......
 
If you are in a domain, make sure that you have the right
to logon locally in your domain security policy.

-M
 
I thought we have been talking about the default domain security policy all
along...[yes this is a DC running TS]
So to back up, are you saying I need to change the security policy on the
member server that I'm using as the TS client...
alex
 
Sorry to be so confusing. I just meant to adjust the
domain security policy, like the link says to. You
shouldn't need to adjust anything on the client, only on
the server.

Did you do that and it didn't have any effect?

-M
-----Original Message-----
Sorry...ignore that last post. I meant to say...check the
domain controller security policy.

check out this link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q247989

-M
 
I've changed the group policy as I said but I still cannot logon. I get the
same error message...so I've rebooted the server...no change...I'm going to
not configure the Logon Locally policy and try rebooting. Then I add all
the users to the Logon Locally and see if that helps. I'll keep you
posted...
 
For me it looks like you're running TS in administrative
mode (Only domain administrators can connect to that kind
of Terminal Server). Change mode to application server to
connect as a domain user!

Regards

Tom
 
No I'm running it in application mode. Is there any other GP that could
affect this logon problem? I tried to logon onto the server with the user's
account and received the same error message, "local policy does not permit
you to logon interactively". I'm starting to wonder if the GP is not
propagating my changes. If it's only the logon locally GP setting affecting
this...something must be going wrong with the propagation...any other ideas?
Alex

 
Just to rule out the confusion: since your TS is also a DC, you
must make this change in the Default Domain Controller Security
Policy (which is not a good thing to do, that's why it is not
recommended to run TS in Application mode on a DC).

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---

 
Yes I understand what you are saying, but this is my test machine so not to
worry. This DC only has one GP setup and it's the Default Domain policy.
What changes are required to logon locally as a user...I must be missing
something. Is there a way to run a utility to check what is blocking the
logon like win2003 server has?
Alex
 
You bring up an interesting point...what are the best practices for running
TS...should you run TS on a member server?
Alex
 
Yes, TS should preferably be run on a member server, for a couple
of reasons:

1. Security. It's no good to give all users the right to logon
locally to all Domain Controllers, which you will have to give
them if the TS is on a DC

2. Performance. Domain Controllers in an AD domain (can) have a
lot of other tasks to perform. If the TS slows down, all non-TS
users will also get slower logons etc.

3. Stability. A TS is in practice less stable than other servers,
since users run a lot of software on it (which might or might not
be completely TS-compatible) and then there are 3rd party printer
drivers ;-) If your TS goes down because of a printer issue, you
don't want your DC (+ DNS + GC + ....) to go down as well.

I'm sure there are more reasons, but these must be the main ones.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---

 
Error message:
The local policy of this system does not allow you to log on
interactively.

Description: The user attempting to log on does not have the
"logon locally" permission available under Security Settings\Local
Policies\User Rights Assignment\Log On Locally. Modify the
appropriate Group Policy Object in your environment to grant the
user or group this permission.

But the weird thing is that you *must* have a Domain Controller
Security Policy if this TS is a DC. Check:

247989 - Domain Controllers Require the "Log on Locally" Group
Policy Object for Terminal Services Client Connections
http://support.microsoft.com/?kbid=247989

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---
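
Added example (not part of the original thread): earlier in the thread Alex asks for a utility that shows what is blocking the logon. This Python script reads the `[Privilege Rights]` section of a security-template export and reports whether any SID in an account's token holds "Log on locally" (`SeInteractiveLogonRight`) or is blocked by `SeDenyInteractiveLogonRight`. The template text, the domain SID and the "TS Users" group are constructed samples; real exports are normally UTF-16 files that must be decoded first.

```python
ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"; wins over ALLOW


def _norm(principal):
    """Exports write SIDs as *S-1-...; compare SIDs and names case-insensitively."""
    return principal.strip().strip('"').lstrip("*").upper()


def parse_privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights = {}
    section = ""
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {_norm(p) for p in value.split(",") if p.strip()}
    return rights


def check_interactive_logon(rights, token):
    """token: the account's own SID plus the SIDs of every group it belongs to."""
    ids = {_norm(t) for t in token}
    denied = sorted(ids & rights.get(DENY, set()))
    if denied:
        return False, "denied by %s via %s" % (DENY, ", ".join(denied))
    allowed = sorted(ids & rights.get(ALLOW, set()))
    if not allowed:
        return False, "no SID in the token is listed in %s" % ALLOW
    return True, "granted by %s via %s" % (ALLOW, ", ".join(allowed))


# ---- constructed sample data (not taken from the thread) ----
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # made-up domain SID
TS_USERS = DOMAIN + "-1110"                            # hypothetical "TS Users" group

# DC policy that only lists built-in operator groups:
# 544 Administrators, 548 Account Operators, 549 Server Operators,
# 550 Print Operators, 551 Backup Operators.
DC_BEFORE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Same policy after the TS group is added to "Log on locally".
DC_AFTER = DC_BEFORE.replace("*S-1-5-32-551", "*S-1-5-32-551,*" + TS_USERS)

# Same policy again, but Domain Users (-513) is also on the deny list.
DC_DENY = DC_AFTER.replace(
    "[Version]", "SeDenyInteractiveLogonRight = *%s-513\n[Version]" % DOMAIN
)

ADMIN_TOKEN = [DOMAIN + "-500", DOMAIN + "-512", "S-1-5-32-544", "S-1-1-0"]
USER_TOKEN = [DOMAIN + "-1105", DOMAIN + "-513", TS_USERS, "S-1-5-32-545", "S-1-1-0"]

if __name__ == "__main__":
    for label, text in (("before", DC_BEFORE), ("after", DC_AFTER), ("deny", DC_DENY)):
        rights = parse_privilege_rights(text)
        for who, token in (("admin", ADMIN_TOKEN), ("user", USER_TOKEN)):
            ok, why = check_interactive_logon(rights, token)
            print("%-6s %-5s %-7s %s" % (label, who, "ALLOW" if ok else "BLOCK", why))
```

The "before" case reproduces the symptom in this thread: the administrator's token matches a listed group while the domain user's token matches nothing.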

 
Thank you thank you...that's it finally...so it's not the Default Domain
Policy...I love it when something works! Again thanks, I was on the right
track but I didn't realize the Domain Controller Security Policy had to be
changed also or maybe only?
Thanks, Alex
 
Pffff, glad you got it fixed!
Yes, the Domain Controller Security Policy is the 'only' policy
you should have to change (but also the most dangerous one, of
course).

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---

Thank you thank you...that's it finally...so it's not the
Default Domain Policy...I love it when something works! Again
thanks, I was on the right track but I didn't realize the Domain
Controller Security Policy had to be changed also or maybe only?
Thanks, Alex

in message
Error message:
The local policy of this system does not allow you to log on
interactively.

Description: The user attempting to log on does not have the
"logon locally" permission available under Security
Settings\Local Policies\User Rights Assignment\Log On Locally.
Modify the appropriate Group Policy Object in your environment
to grant the user or group this permission.

But the weird thing is that you *must* have a Domain Controller
Security Policy if this TS is a DC. Check:

247989 - Domain Controllers Require the "Log on Locally" Group
Policy Object for Terminal Services Client Connections
http://support.microsoft.com/?kbid=247989


Yes I understand what you are saying, but this is my test
machine so not to worry. This DC only has one GP setup and
it's the Default Domain policy. What changes are required to
logon locally as a user...I must be missing something. Is
there a way to run a utility to check what is blocking the
logon like win2003 server has? Alex

"Vera Noest [MVP]" <[email protected]>
wrote in message
Just to rule out the confusion: since your TS is also a DC,
you must make this change in the Default Domain Controller
Security Policy (which is not a good thing to do, that's why
it is not recommended to run TS in Application mode on a
DC).



No I'm running it in application mode. Is there any other
GP that could affect this logon problem? I tried to log
on to the server with the user's account and received the
same error message, "local policy does not permit you to
logon interactively". I'm starting to wonder if the GP is
not propagating my changes. If it's only the logon locally
GP setting affecting this...something must be going wrong
with the propagation...any other ideas? Alex

For me it looks like you're running TS in administrative
mode (Only domain administrators can connect to that kind
of Terminal Server). Change mode to application server to
connect as a domain user!

Regards

Tom

-----Original Message-----
I've changed the group policy as I said but I still cannot log on.
I get the same error message...so I've rebooted the server...no
change...I'm going to not configure the Logon Locally policy and try
rebooting. Then I add all the users to the Logon Locally and see if
that helps. I'll keep you posted...
"Matthew Harris [MVP]" <[email protected]> wrote in message
Sorry to be so confusing. I just meant to adjust the
domain security policy, like the link says to. You
shouldn't need to adjust anything on the client, only
on the server.

Did you do that and it didn't have any effect?

-M

 
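An added example, not part of the thread: one way to see what is blocking the logon is to export the user rights in effect on the TS/DC with `secedit /export /cfg rights.inf` and check who is listed under "Log on locally" and "Deny log on locally". The Python below parses the [Privilege Rights] section of such an export; the sample export, the domain SID and the function names are constructed for illustration.

```python
ALLOW = "seinteractivelogonright"      # "Log on locally"
DENY = "sedenyinteractivelogonright"   # "Deny log on locally"

def parse_privilege_rights(inf_text):
    """Map each right (lower-cased) to its set of SIDs/names in a secedit export."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are exported with a leading '*'; account names appear bare.
        rights[name.strip().lower()] = {
            m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()
        }
    return rights

def check_interactive_logon(inf_text, principals):
    """principals: the user's own SID or name plus every group it belongs to."""
    rights = parse_privilege_rights(inf_text)
    who = {p.lower() for p in principals}
    denied = sorted(who & rights.get(DENY, set()))
    granted = sorted(who & rights.get(ALLOW, set()))
    if denied:  # the deny right wins over any grant
        return "blocked", "deny right lists: " + ", ".join(denied)
    if not granted:
        return "blocked", "no principal is listed under " + ALLOW
    return "allowed", "granted via: " + ", ".join(granted)

# Constructed sample: a DC whose policy grants the right to built-in groups only.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
USER = [DOMAIN + "-1105", DOMAIN + "-513", "S-1-5-11"]  # user, Domain Users, Authenticated Users
BEFORE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeDenyInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
"""
# The same export after Domain Users is added to "Log on locally" in the DC policy.
AFTER = BEFORE.replace("*S-1-5-32-551", "*S-1-5-32-551,*" + DOMAIN + "-513")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, *check_interactive_logon(text, USER))
```

A real export is typically UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.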