Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New user cannot login on SBS 2003 client


  • Please log in to reply
7 replies to this topic

#1 adaniel

adaniel

  • Members
  • 206 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 27 August 2010 - 12:21 PM

OK, I am obviously missing something. I have an established SBS 2003 server with established users and client PC's. I replaced seven PC's with new ones, still running XP Pro. I added the computers to the domain by //server/connectcomputer. After I had added all the PC's, I added a new user. That user is a member of Domain Users, Domain Power Users and Remote Web Workplace Users. He can log in to the server via RDT, but cannot login on any of the XP clients. The error is "The local policy of this system does not allow you to login interactively."

I know I could probably disconnect and rejoin all the PC's to the domain and resolve this, but there has to be an easier way.

Thanks in advance.
adaniel

BC AdBot (Login to Remove)

 


#2 tfitz17

tfitz17

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 27 August 2010 - 01:45 PM

Did you check the local security policies on the XP machines?

Control Panel -> Administrative Tools -> Local Security Policy -> Local Policy -> User Rights Assignment

Check to see what is listed under "Log on locally"

#3 adaniel

adaniel
  • Topic Starter

  • Members
  • 206 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 27 August 2010 - 03:51 PM

tfitz17, thanks for your response. I did check that. there are two goups allowed to log on locally:administrators and UBL Users (my software). The thing is, there are users who are not members of either group who can login locally. In fact, any user that existed prior to adding the machines to the domain can login locally on any machine. No new user, added after machines were added to the domain, can log in on any machine, but they can remote desktop into the server. If I add the new user to the Domain Admin group or the UBL Users group they can log in; but they do not need to be members of either group. Two questions: why can old users, not members of either group, login? and Where can I change the settings in the domain to allow Domain Users to login locally? That must have been the case previously for all the old users to be able to log in.

Thanks for your help
adaniel

Edited by adaniel, 27 August 2010 - 03:52 PM.


#4 tfitz17

tfitz17

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 28 August 2010 - 09:54 AM

To check whether or not something is set on the domain level for "log on locally" you will want to go to the Computer Configuration -> Windows Settings -> Local Policies -> User Rights Assignments section of the GPO

This KB article seems to be similar, but not identical to the issue you are having:

http://support.microsoft.com/kb/841188

Although it talks about logging into the SBS2003 server itself, not clients...are the old users members of both Domain Power Users and Remote Web Workplace Users groups? Try removing the new users from one of the groups to see if that helps. I guess Domain Power Users and Remote Web Workplace are something they added in SBS2003, because I don't see them on my 2003R2 server.

EDIT:

Also check the Group Policy setting to make sure that there is nothing in "Deny logon locally". It can be found in the section of the GPO I listed above.

Edited by tfitz17, 28 August 2010 - 09:58 AM.


#5 Baltboy

Baltboy

    Bleepin' Flame Head


  • Members
  • 1,432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pennsylvania
  • Local time:08:41 AM

Posted 28 August 2010 - 10:07 PM

The log on locally setting is only to allow people to log on to the server locally is has nothing to do with the workstations. Since other users can log on the new PC's and only the new ones cannot then the issue must reside with the user settings. Double check your setting for the remote web place users to make sure there is nothing checked to prevent the user from logging in locally either on the user profile or in the RAS server if you are using that.
Get your facts first, then you can distort them as you please.
Mark Twain

#6 adaniel

adaniel
  • Topic Starter

  • Members
  • 206 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 30 August 2010 - 08:07 AM

Thank you tfitz17 and Baltboy for your responses. I have added the new user to my UBL Users group temporarily so he can log in. My question really boils down to: How to I change the domain-wide "login interactively" setting to add users or groups? It seems there should be a way to change it on the server and have that setting be set on each client when they log off/on or reboot.

#7 Baltboy

Baltboy

    Bleepin' Flame Head


  • Members
  • 1,432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pennsylvania
  • Local time:08:41 AM

Posted 30 August 2010 - 11:39 AM

Any member of the domain users has the ability to log on to the domain unless there is login restrictions for day or time on the user profile. Remote log on properties can affect the ability to log on to the domain locally. Since all of those settings are cumulative the remote settings can stop a domain user from logging on locally. I would start there since it seems the most likely culprit. Remove the user from every group except the domain users group and try to log on. If you succeed add the user into groups one at a time until you can no longer log in and the policy settings in that group are the issue.
Get your facts first, then you can distort them as you please.
Mark Twain

#8 adaniel

adaniel
  • Topic Starter

  • Members
  • 206 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 03 September 2010 - 08:04 AM

Thanks to Robert Pearman at smallbizserver.net for the answer I was looking for. As always, thank you to everyone here as well for all the help you give.

"Go to an affected pc, run GPRESULT from a command prompt if xp ( GPRESULT / R from vista/7)

See which policies are being applied.

On the SBS Server load up the group policy management console, and see which policies are linked to you domain.

Look at each policy and look on the settings tab, look for a setting defined under..

Security Settings > Local Policies > User Rights Assignment >

Under this you are looking for a policy defined named 'Log on Locally'

You will probably find this has been modified in a policy it should not have been.

Off the top of my head it should only be defined for the Default Domain Controllers Policy."

adaniel




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users