IPAddr

Local Logon Policy for Windows Servers

The local policy of this system does not permit you to logon interactively

For Windows Server 2000, 2003, 2003 SP1 you can just add a user into the PRINT OPERATORS group to get around this message. However, this doesn't seem to work for Windows 2003 R2 (or even Windows Standard Server 2003), and I believe that it may be because the Print Operators group on these versions is NOT added to the groups allowed to log on locally. If you add either the user or the Print Operators group, then it works OK. This needs to be done in the domain controllers (local) policy as well as the group policy. You can click on START, then RUN, and then enter GPEDIT.MSC (Group Policy Editor) or SECPOL.MSC (Local Policy Editor) to make the security changes.

Have a look in Server Management

Then Computer Configuration

When finished, go to the MS-DOS prompt and run either "GPUpdate" or "GPUpdate /Force", as group policy changes may otherwise take up to 90 minutes to filter through. A reboot will also fix this but takes much longer than just forcing a GPUpdate.


This issue occurs if the user account that you use to log on is a member of one or both of the following groups:

In Windows Small Business Server 2003, the "Deny log on locally" policy setting is applied to the Remote Operators group in the Default Domain Controllers Group Policy object. This policy setting also applies to the Domain Power Users group because the Domain Power Users group is a member of the Remote Operators group.

Because a Deny permission overrides an Allow permission, this policy setting prevents users from logging on to domain controllers in the domain, even if the "Allow log on locally" policy applies to those same users.

Note: Sometimes, the Administrator account may be a member of the Remote Operators group or the Domain Power Users group because of group nesting. For example, the Administrator account is a member of the Mobile Users group. Therefore, if you add the Mobile Users group as a member of the Remote Operators group, the Administrator account becomes a member of the Remote Operators group because of group nesting.
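The two effects described above, a Deny entry overriding Allow and an account picking up that Deny entry through nested groups, can be checked offline against an exported user-rights file. The Python below is an added example, not part of the original article; the sample export, the membership map and the accounts jsmith and printadmin are constructed, and group names stand in for the *SID values that a real `secedit /export` file mostly contains.

```python
# Constructed sample shaped like a `secedit /export` file; real exports mostly use *SID values.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = Administrators,Backup Operators,Print Operators
SeDenyInteractiveLogonRight = Remote Operators
[Version]
signature="$CHICAGO$"
"""

# Constructed direct memberships (member -> groups): Administrator -> Mobile Users -> Remote Operators.
MEMBER_OF = {
    "Administrator": {"Administrators", "Mobile Users"},
    "Mobile Users": {"Remote Operators"},
    "Domain Power Users": {"Remote Operators"},
    "jsmith": {"Domain Power Users"},   # hypothetical user
    "printadmin": {"Print Operators"},  # hypothetical user
}

def parse_rights(inf_text):
    """Return {right: set(principals)} read from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def effective_groups(principal, member_of):
    """Every group reached directly or through nesting (safe against membership cycles)."""
    seen, stack = set(), [principal]
    while stack:
        new = member_of.get(stack.pop(), set()) - seen
        seen |= new
        stack.extend(new)
    return seen

def local_logon(principal, rights, member_of):
    """Return (allowed, reason); the Deny right is tested first because it overrides Allow."""
    identities = {principal} | effective_groups(principal, member_of)
    for right, verdict in (("SeDenyInteractiveLogonRight", False), ("SeInteractiveLogonRight", True)):
        matched = identities & rights.get(right, set())
        if matched:
            return verdict, right + " via " + ", ".join(sorted(matched))
    return False, "no Allow log on locally entry"

if __name__ == "__main__":
    print({u: local_logon(u, parse_rights(SAMPLE_INF), MEMBER_OF) for u in ("Administrator", "jsmith")})
```

Administrator is refused here even though Administrators holds the Allow right, because the nested path through Mobile Users reaches Remote Operators.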

RESOLUTION

To resolve this issue, remove the Administrator account from the Remote Operators group and the Domain Power Users group. You also must remove any group that contains the Administrator account from the Remote Operators group and the Domain Power Users group.

You can make this change either by connecting to the Windows Small Business Server-based computer with a Remote Desktop connection or by installing the Microsoft Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a Microsoft Windows XP Professional-based computer. For additional information about the Windows Server Administration Tools Pack, click the following article number to view the article in the Microsoft Knowledge Base: 304718 Administering Windows Server-based computers using Windows XP Professional-based clients

To remove members from the Remote Operators group and the Domain Power Users group, follow these steps:

  1. After you connect to the Windows Small Business Server-based computer with a Remote Desktop connection or with the Windows Server Administration Tools Pack, start Active Directory Users and Computers.
  2. Expand the domain object, expand MyBusiness, and then click Security Groups.
  3. Double-click Remote Operators, and then click the Members tab. (Note: By default, only the Domain Power Users group appears in the Members list.)
  4. Click the account or the group that you want to remove, click Remove, and then click Yes to confirm the removal of this user account or group.
  5. When you are finished removing user accounts and groups from the Members list, click OK. (Note: Do not remove the Domain Power Users group from the Members list.)
  6. In the Security Groups list, double-click Domain Power Users.
  7. Click the Members tab. (Note: By default, only the Power User Template and user accounts that the Power User Template is applied to appear in the Members list.)
  8. Click any group or account that you want to remove except for the Power User Template and except for the accounts that the Power User Template is applied to, click Remove, and then click Yes to confirm the removal of that user or group. In particular, remove the Administrator account or any group that might contain the Administrator account.
  9. When you are finished modifying the group membership, click OK.

By default, the built-in Administrator in Windows Small Business Server is a member of the following groups:

To check what groups an Administrator account is a member of, open the Users folder in Active Directory Users and Computers, double-click the Administrator account, and then click the Member Of tab. You can double-click the groups that are listed on the Member of tab to open their Properties. If the group membership settings on the server are much different from the default settings, make sure that the groups that contain the user account are not nested in other groups.


Allowing Joe User to log onto a terminal server that's also a domain controller is a two-step process. First, use the Domain Controller Security Policy tool on the DC in question to change the security policy for the DC to permit users (or Authenticated Users) to log on locally, then refresh the security policy.

You can run GPEDIT.MSC (Group Policy Editor) or SECPOL.MSC (Local Policy Editor) to make the security changes.