Administrator can't logon locally

I've made a mess of something in Group Policy Management.
I was trying to change policy settings so that a specific
set of Users can login via terminal services.

Now, whenever I try to logon to the server console as
administrator, I get a message 'The local policy of this
machine does not allow you to logon interactively'

The 'Allow logon locally' setting includes administtors,
So I don't understand what is wrong. Fortunately, I have
another user account which is in the administators group.
This user can log on OK. Anyone any ideas?

Jeff
Tue Aug 17 14:16:01 CDT 2004

A user can be prevented from logging on locally either because:

a- they are not a member of a group or a user specified to have that right.
b-the are a member of a group or a user specified to be DENY for that right.

Two different rights involved.

I you have another Domain Admins account, you can inspect the root
Administrator account for membership, then examine the Default Domain
Controller policy to see what that is set for. If you don't find the cause
that way, then use the Local Security Policy MMC console to examine at the
SBS what the local policy is, and if it's different than the Default Domain
Controller policy.

In SBS 2003, you can also use the RSOP features in the console to see what
policies are accumulated at the folder that contains the SBS.

I've tried to be brief here, so if this isn't enough information, post back
whatever you understand or don't and I can try to make this a little more
detailed in that area.

As a best practice, you should avoid playing with the Default Domain or
Default Domain Controller policies if possible. However, in the case of
Logon Locally with the SBS, you have no choice.


"ian" <anonymous@discussions.microsoft.com> wrote in message
news:7c4801c48466$ae64d1b0$a601280a@phx.gbl...
> I've made a mess of something in Group Policy Management.
> I was trying to change policy settings so that a specific
> set of Users can login via terminal services.
>
> Now, whenever I try to logon to the server console as
> administrator, I get a message 'The local policy of this
> machine does not allow you to logon interactively'
>
> The 'Allow logon locally' setting includes administtors,
> So I don't understand what is wrong. Fortunately, I have
> another user account which is in the administators group.
> This user can log on OK. Anyone any ideas?
>

Susan
Tue Aug 17 14:44:03 CDT 2004

841188 - "The local policy of this system does not permit you to logon
interactively" error message when you try to log on to a computer that
is running Windows Small Business Server 2003 by using an Administrator
account:
http://support.microsoft.com/?kbid=841188


Jeff Middleton [SBS-MVP] wrote:
> A user can be prevented from logging on locally either because:
>
> a- they are not a member of a group or a user specified to have that right.
> b-the are a member of a group or a user specified to be DENY for that right.
>
> Two different rights involved.
>
> I you have another Domain Admins account, you can inspect the root
> Administrator account for membership, then examine the Default Domain
> Controller policy to see what that is set for. If you don't find the cause
> that way, then use the Local Security Policy MMC console to examine at the
> SBS what the local policy is, and if it's different than the Default Domain
> Controller policy.
>
> In SBS 2003, you can also use the RSOP features in the console to see what
> policies are accumulated at the folder that contains the SBS.
>
> I've tried to be brief here, so if this isn't enough information, post back
> whatever you understand or don't and I can try to make this a little more
> detailed in that area.
>
> As a best practice, you should avoid playing with the Default Domain or
> Default Domain Controller policies if possible. However, in the case of
> Logon Locally with the SBS, you have no choice.
>
>
> "ian" <anonymous@discussions.microsoft.com> wrote in message
> news:7c4801c48466$ae64d1b0$a601280a@phx.gbl...
>
>>I've made a mess of something in Group Policy Management.
>>I was trying to change policy settings so that a specific
>>set of Users can login via terminal services.
>>
>>Now, whenever I try to logon to the server console as
>>administrator, I get a message 'The local policy of this
>>machine does not allow you to logon interactively'
>>
>>The 'Allow logon locally' setting includes administtors,
>>So I don't understand what is wrong. Fortunately, I have
>>another user account which is in the administators group.
>>This user can log on OK. Anyone any ideas?
>>
>
>
>

--
http://www.sbslinks.com/really.htm

Jeff
Tue Aug 17 15:15:04 CDT 2004

That KB illustrates an example of joining the Admin account to a group that
has Deny set for the Group.

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:%23AhLMKJhEHA.2952@TK2MSFTNGP09.phx.gbl...
> 841188 - "The local policy of this system does not permit you to logon
> interactively" error message when you try to log on to a computer that
> is running Windows Small Business Server 2003 by using an Administrator
> account:
> http://support.microsoft.com/?kbid=841188
>
>
> Jeff Middleton [SBS-MVP] wrote:
> > A user can be prevented from logging on locally either because:
> >
> > a- they are not a member of a group or a user specified to have that
right.
> > b-the are a member of a group or a user specified to be DENY for that
right.
> >
> > Two different rights involved.
> >
> > I you have another Domain Admins account, you can inspect the root
> > Administrator account for membership, then examine the Default Domain
> > Controller policy to see what that is set for. If you don't find the
cause
> > that way, then use the Local Security Policy MMC console to examine at
the
> > SBS what the local policy is, and if it's different than the Default
Domain
> > Controller policy.
> >
> > In SBS 2003, you can also use the RSOP features in the console to see
what
> > policies are accumulated at the folder that contains the SBS.
> >
> > I've tried to be brief here, so if this isn't enough information, post
back
> > whatever you understand or don't and I can try to make this a little
more
> > detailed in that area.
> >
> > As a best practice, you should avoid playing with the Default Domain or
> > Default Domain Controller policies if possible. However, in the case of
> > Logon Locally with the SBS, you have no choice.
> >
> >
> > "ian" <anonymous@discussions.microsoft.com> wrote in message
> > news:7c4801c48466$ae64d1b0$a601280a@phx.gbl...
> >
> >>I've made a mess of something in Group Policy Management.
> >>I was trying to change policy settings so that a specific
> >>set of Users can login via terminal services.
> >>
> >>Now, whenever I try to logon to the server console as
> >>administrator, I get a message 'The local policy of this
> >>machine does not allow you to logon interactively'
> >>
> >>The 'Allow logon locally' setting includes administtors,
> >>So I don't understand what is wrong. Fortunately, I have
> >>another user account which is in the administators group.
> >>This user can log on OK. Anyone any ideas?
> >>
> >
> >
> >
>
> --
> http://www.sbslinks.com/really.htm
>

Susan
Tue Aug 17 20:33:33 CDT 2004

We've obviously done it enough times in SBSland for a KB to be written ;-)

Jeff Middleton [SBS-MVP] wrote:
> That KB illustrates an example of joining the Admin account to a group that
> has Deny set for the Group.
>
> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
> wrote in message news:%23AhLMKJhEHA.2952@TK2MSFTNGP09.phx.gbl...
>
>>841188 - "The local policy of this system does not permit you to logon
>>interactively" error message when you try to log on to a computer that
>>is running Windows Small Business Server 2003 by using an Administrator
>>account:
>>http://support.microsoft.com/?kbid=841188
>>
>>
>>Jeff Middleton [SBS-MVP] wrote:
>>
>>>A user can be prevented from logging on locally either because:
>>>
>>>a- they are not a member of a group or a user specified to have that
>
> right.
>
>>>b-the are a member of a group or a user specified to be DENY for that
>
> right.
>
>>>Two different rights involved.
>>>
>>>I you have another Domain Admins account, you can inspect the root
>>>Administrator account for membership, then examine the Default Domain
>>>Controller policy to see what that is set for. If you don't find the
>
> cause
>
>>>that way, then use the Local Security Policy MMC console to examine at
>
> the
>
>>>SBS what the local policy is, and if it's different than the Default
>
> Domain
>
>>>Controller policy.
>>>
>>>In SBS 2003, you can also use the RSOP features in the console to see
>
> what
>
>>>policies are accumulated at the folder that contains the SBS.
>>>
>>>I've tried to be brief here, so if this isn't enough information, post
>
> back
>
>>>whatever you understand or don't and I can try to make this a little
>
> more
>
>>>detailed in that area.
>>>
>>>As a best practice, you should avoid playing with the Default Domain or
>>>Default Domain Controller policies if possible. However, in the case of
>>>Logon Locally with the SBS, you have no choice.
>>>
>>>
>>>"ian" <anonymous@discussions.microsoft.com> wrote in message
>>>news:7c4801c48466$ae64d1b0$a601280a@phx.gbl...
>>>
>>>
>>>>I've made a mess of something in Group Policy Management.
>>>>I was trying to change policy settings so that a specific
>>>>set of Users can login via terminal services.
>>>>
>>>>Now, whenever I try to logon to the server console as
>>>>administrator, I get a message 'The local policy of this
>>>>machine does not allow you to logon interactively'
>>>>
>>>>The 'Allow logon locally' setting includes administtors,
>>>>So I don't understand what is wrong. Fortunately, I have
>>>>another user account which is in the administators group.
>>>>This user can log on OK. Anyone any ideas?
>>>>
>>>
>>>
>>>
>>--
>>http://www.sbslinks.com/really.htm
>>
>
>
>

--
http://www.sbslinks.com/really.htm