Question : "The local policy of this system does not permit you to logon interactively"

Hello.

Issue: User cannot log in to the domain, through a client, because of the "The local policy of this system does not permit you to logon interactively" error.

Setup:
Server: Windows Server 2003 SP2 (Not R2) - DNS, DHCP, File Server, DC all working correctly.
Client: Windows XP - virtual client using Virtual PC.

Now the user in question has been added to the Remote Desktop group. The OU for the user has GPOs set up for:

**Allow log on locally (the user has been added, as well as the remote desktop group)
**Allow log on through terminal services, again the remote desktop user group, and user name has been added.

On the user's profile, the "Deny this user permission to log on to any Terminal Server" option is not checked.

Now, if I go and add the user manually on the XP client - that is to say I log in as the network administrator, and add the user - entering user name + domain name, then the user can log in to the domain via that client.

So, the issue here is why can a user not connect to the domain unless he's been added manually to the client, with his domain credential? This rules out domain issues, and must be because of some policy. It's strange that once the user has been added, manually, to the local machine he can log on just fine.

If I have to manually add each user to a specific machine, it defeats the purpose of having a DC, as you know. But I'm not adding the user locally, I'm actually adding the domain credentials of the user.

Any ideas?
Thanks.

Answer : "The local policy of this system does not permit you to logon interactively"

Hi again,

I'm a bit confused now.

Do you want to exclude reporting on userids which have been su'ed to?

In this case your report is indeed fine.

The "time_last_login" value of a user doesn't reflect su'ing to that user. Successful use of su resets the "unsuccessful_login_count" attribute only if the user's rlogin and login attributes are both set to false.

Of course the last login time of the user who issued "su" is recorded.

If you want to report on "su" use you will have to examine /var/adm/sulog. The drawback with that file is that the date is contained in mm/dd hh:mm format - that's not seconds since epoch, and there is no year!

Anyway - your script is a real nice thing - I can't see anything wrong with it!

wmp
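
An added example, not part of the original answer: one way to turn the year-less mm/dd hh:mm stamps in /var/adm/sulog into full timestamps for a report on accounts that were su'ed to. The line layout `SU MM/DD HH:MM +|- tty from-to`, the function names and the sample lines are assumptions, since the page does not show the file's contents.

```python
import re
from datetime import datetime

# Assumed line layout (not shown on the page): SU MM/DD HH:MM <+|-> <tty> <from>-<to>
LINE = re.compile(r"^SU (\d\d)/(\d\d) (\d\d):(\d\d) ([+-]) (\S+) ([^-\s]+)-(\S+)$")

def parse_sulog(lines, newest):
    """Parse sulog lines and infer the missing year.

    The file is appended to, so entries are in time order. Walk backwards
    from `newest` (for example the file's mtime) and give each entry the
    latest year that does not place it after the entry that follows it.
    A silent gap of more than a year cannot be detected this way.
    """
    events, limit = [], newest
    for line in reversed(lines):
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        mon, day, hh, mi = (int(g) for g in m.group(1, 2, 3, 4))
        for year in range(limit.year, limit.year - 9, -1):
            try:
                ts = datetime(year, mon, day, hh, mi)
            except ValueError:  # 02/29 in a non-leap year, or a bad date
                continue
            if ts <= limit:
                break
        else:
            continue  # no plausible year found, drop the line
        limit = ts
        events.append({"when": ts, "ok": m.group(5) == "+", "tty": m.group(6),
                       "from": m.group(7), "to": m.group(8)})
    events.reverse()
    return events

def last_su_to(events):
    """Most recent successful su per target account (naive local time)."""
    latest = {}
    for e in events:
        if e["ok"]:
            latest[e["to"]] = e["when"]  # events are already in time order
    return latest

# Constructed sample lines spanning a year boundary (not real log data)
SAMPLE = ["SU 12/30 23:10 + pts/1 alice-root", "SU 12/31 08:02 - pts/2 bob-oracle",
          "SU 01/02 09:15 + pts/0 alice-root", "SU 01/02 09:40 + pts/3 carol-oracle"]
```

Calling `.timestamp()` on each `when` value gives seconds since epoch in the host's local time zone, which can then be compared with `time_last_login`.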
