Local Logon Policy for Windows Servers
The local policy of this system does not permit you to logon interactively
On Windows 2000 Server and Windows Server 2003 (up to SP1) you can get around this message simply by adding the user to the Print Operators group, because the Default Domain Controllers Policy grants that group the "Allow log on locally" right. However, this does not seem to work on Windows Server 2003 R2 (or even Windows Server 2003 Standard Edition), and I believe that it may be because on these versions the Print Operators group is NOT added to the groups allowed to log on locally. If you add either the user or the Print Operators group to that right, it works fine. Bear in mind that Print Operators is a privileged group on a domain controller (the same default policy also lets it load and unload device drivers there), so this workaround grants more than a logon; a dedicated group that holds only "Allow log on locally" is the safer choice. On a domain controller the right must be granted in the Default Domain Controllers Policy, the GPO linked to the Domain Controllers OU, which overrides both the Default Domain Policy and the local security policy on DCs; a change made only in the local policy is reverted at the next Group Policy refresh. On a stand-alone or member server you can click Start, then Run, and enter GPEDIT.MSC (Group Policy Object Editor) or SECPOL.MSC (Local Security Policy) to make the security changes.
Have a look in Server Management:
- Advanced Management
  - Group Policy Management
    - Forest: GOSoft.local
      - Default Domain Policy (right-click and Edit; note that a right granted here applies to every computer in the domain, not just the DCs)
      - Domain Controllers
        - Default Domain Controllers Policy (right-click and Edit; this is the one that governs the DCs)
Then, in the editor, go to Computer Configuration
- Windows Settings
  - Security Settings
    - Local Policies
      - User Rights Assignment
        - Allow log on locally
When finished, open a command prompt and run either "gpupdate" or "gpupdate /force"; otherwise the change waits for the next background refresh, which by default happens every 5 minutes on domain controllers and every 90 minutes (plus a random offset of up to 30 minutes) on other domain members. A user right is evaluated when the logon token is built, so the affected user also has to log off and log on again before it takes effect. A reboot fixes this too, but takes much longer than forcing a gpupdate.
This issue occurs if the user account that you use to log on is a member of one or both of the following groups:
- The Domain Power Users group
- The Remote Operators group
In Windows Small Business Server 2003, the "Deny log on locally" policy setting is applied to the Remote Operators group in the Default Domain Controllers Group Policy object. This policy setting also applies to the Domain Power Users group because the Domain Power Users group is a member of the Remote Operators group.
Because a Deny right overrides the corresponding Allow right, this policy setting prevents those users from logging on to domain controllers in the domain, even if the "Allow log on locally" right is also granted to them.
Note: Sometimes the Administrator account may be a member of the Remote Operators group or the Domain Power Users group because of group nesting. For example, the Administrator account is a member of the Mobile Users group. Therefore, if you add the Mobile Users group as a member of the Remote Operators group, the Administrator account becomes a member of the Remote Operators group because of group nesting.
To resolve this issue, remove the Administrator account from the Remote Operators group and the Domain Power Users group. You also must remove any group that contains the Administrator account from the Remote Operators group and the Domain Power Users group.
You can make this change either by connecting to the Windows Small Business Server-based computer with a Remote Desktop connection or by installing the Microsoft Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a Microsoft Windows XP Professional-based computer. For additional information about the Windows Server Administration Tools Pack, see Microsoft Knowledge Base article 304718, "Administering Windows Server-based computers using Windows XP Professional-based clients".
To remove members from the Remote Operators group and the Domain Power Users group, follow these steps:
- After you connect to the Windows Small Business Server-based computer with a Remote Desktop connection or with the Windows Server Administration Tools Pack, start Active Directory Users and Computers.
- Expand the domain object, expand MyBusiness, and then click Security Groups.
- Double-click Remote Operators, and then click the Members tab. (Note: by default, only the Domain Power Users group appears in the Members list.)
- Click the account or the group that you want to remove, click Remove, and then click Yes to confirm the removal of this user account or group.
- When you are finished removing user accounts and groups from the Members list, click OK. (Note: do not remove the Domain Power Users group from the Members list.)
- In the Security Groups list, double-click Domain Power Users.
- Click the Members tab. (Note: by default, only the Power User Template and the user accounts that the Power User Template is applied to appear in the Members list.)
- Click any group or account that you want to remove except for the Power User Template and except for the accounts that the Power User Template is applied to, click Remove, and then click Yes to confirm the removal of that user or group. In particular, remove the Administrator account or any group that might contain the Administrator account.
- When you are finished modifying the group membership, click OK.
By default, the built-in Administrator in Windows Small Business Server is a member of the following groups:
- Domain Admins
- Domain Users
- Enterprise Admins
- Group Policy Creator Owners
- Mobile Users
- Schema Admins
To check which groups an Administrator account belongs to, open the Users folder in Active Directory Users and Computers, double-click the Administrator account, and then click the Member Of tab. Double-click any group listed there to open its properties and see where it is nested in turn. If the group membership on the server differs significantly from the defaults, make sure that none of the groups containing the account are themselves nested in other groups (in particular Remote Operators or Domain Power Users), because the Deny right follows the account through every level of nesting.
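The following is an added example, not part of the original page or of Microsoft's KB text, that does the same check from PowerShell instead of the GUI. It exports the effective User Rights Assignment with secedit (which reflects whatever Group Policy has applied to this machine), builds the account's token groups with nesting already expanded, and reports which "Allow log on locally" and "Deny log on locally" entries match, so a Deny inherited through a nested group is visible directly and the Deny-overrides-Allow rule is applied the way the logon does. The function and file names are this example's own; it assumes PowerShell 2.0 or later in an elevated prompt on a domain-joined server so that SIDs resolve.

```powershell
# Added example (not from the original page). Explains a refused interactive logon by
# comparing an account's token groups with the effective Allow/Deny log on locally rights.
# Assumptions: elevated PowerShell 2.0+ on a domain-joined server; names below are hypothetical.

function Get-InteractiveLogonRights {
    # secedit exports the effective local security database (GPO-applied settings included)
    # as a UTF-16 INI file; only the two interactive-logon rights are kept here.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{ SeInteractiveLogonRight = @(); SeDenyInteractiveLogonRight = @() }
    foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
        if ($line -match '^(SeInteractiveLogonRight|SeDenyInteractiveLogonRight)\s*=\s*(.*)$') {
            # Entries look like *S-1-5-32-550; the asterisk marks a SID, so strip it.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $cfg -Force
    return $rights
}

function Resolve-Principal([string]$Sid) {
    # Map a SID back to DOMAIN\Name; a SID that no longer resolves (deleted account) is shown raw.
    try { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-AccountSids([string]$Upn) {
    # Token groups of the account under test: the current user when no UPN is given, otherwise
    # an identity Windows builds for that UPN (needs a reachable DC). Nested groups are already
    # expanded in the token, which is exactly how nesting pulls an account into a Deny entry.
    $id = if ($Upn) { New-Object System.Security.Principal.WindowsIdentity $Upn }
          else      { [System.Security.Principal.WindowsIdentity]::GetCurrent() }
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-InteractiveLogon([string]$Upn) {
    $rights = Get-InteractiveLogonRights
    $sids   = Get-AccountSids -Upn $Upn
    $allow  = @($rights.SeInteractiveLogonRight     | Where-Object { $sids -contains $_ })
    $deny   = @($rights.SeDenyInteractiveLogonRight | Where-Object { $sids -contains $_ })
    $who    = if ($Upn) { $Upn } else { [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }

    Write-Host "Account: $who"
    Write-Host "Allow log on locally matched via: $(($allow | ForEach-Object { Resolve-Principal $_ }) -join ', ')"
    Write-Host "Deny log on locally matched via:  $(($deny  | ForEach-Object { Resolve-Principal $_ }) -join ', ')"

    # A Deny entry wins regardless of any Allow; with no Allow match the logon is refused as well.
    if ($deny) { 'DENIED: a Deny log on locally entry applies; remove the account (or the group it is nested through) from it.' }
    elseif (-not $allow) { 'DENIED: no Allow log on locally entry covers this account; grant it in the Default Domain Controllers Policy.' }
    else { 'ALLOWED: interactive logon is permitted by the effective policy.' }
}

# Usage: Test-InteractiveLogon                      # the user running the script
#        Test-InteractiveLogon 'joe@gosoft.local'   # any domain account, by UPN
Test-InteractiveLogon
```

Run it on the domain controller itself, since the exported rights are per machine; after changing the GPO and running gpupdate, run it again to confirm the Deny match has gone before asking the user to log on.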
Allowing Joe User to log on to a terminal server that is also a domain controller is a two-step process. First, use the Domain Controller Security Policy tool (dcpol.msc) on the DC in question to change the security policy so that the users (or Authenticated Users) are permitted to log on locally, then refresh the security policy:
- Open the Security Settings folder
- double-click Local Policies
- and then click User Rights Assignment
- double-click the "Allow log on locally" right
- and then click Add
- browse for the appropriate group
- click Add
- then OK your way out of the dialog box
- and refresh the security policy with "secedit /refreshpolicy machine_policy /enforce" (Windows 2000) or "gpupdate /force" (Windows Server 2003)
Second, grant the same group access to the RDP listener:
- go to Terminal Services Configuration
- edit the properties for the RDP-Tcp connection
- turn to the Permissions tab
- add Authenticated Users (or, better, the specific group) to the list of groups allowed to use RDP.
Two caveats. On Windows Server 2003 a Terminal Services session also requires the separate "Allow log on through Terminal Services" user right, which on a domain controller defaults to Administrators only, so grant it to the same group alongside "Allow log on locally". And Authenticated Users covers every user and computer account that can authenticate to the domain; granting it interactive and RDP logon on a domain controller gives anyone holding any domain credential a session on the DC, so prefer a dedicated group.
On a stand-alone or member server the same change can be made locally with GPEDIT.MSC (Group Policy Object Editor) or SECPOL.MSC (Local Security Policy).