cannot login locally to 2k servers after live comm server install

Discussion in 'Active Directory' started by Eric Peterson, Nov 11, 2006.

  1. I installed Live Communications Server 2k5 on a Windows 2k3 Server (DC). Now
    on all my 2k member servers, I cannot login to the system with the
    Administrator account on the domain. The servers are under an OU in my AD
    which is governed by a GP. I have changed that GP to specifically allow
    logon locally to the Administrator account, but it does not affect the

    Here's where it gets really nuts. When I use ntrights to revoke the deny
    permission ( -r SeDenyInteractiveLogonRight), and to grant the allow
    permission (+r SeInteractiveLogonRight) against the servers in question, the
    user is then allowed to logon locally. However, when the GP policy synchs
    up, the user is no longer allowed to logon locally. What I've done
    temporarily is set a scheduled .cmd file to use the ntrights program to set
    the permissions every 10 min, but that is garbage and I'd really like to get
    this fixed properly.

    Has anybody seen anything like this, or have any insight as to what I can do
    to fix this?

    Eric Peterson, Nov 11, 2006

  2. Eric Peterson

    John W. Guest

    Yeah, remember policies are applied in this order

    Local, Site, Domain, OU
    John W., Nov 17, 2006

  3. The problem was the GP policy. However, my OU is not applying in the order I
    expect it to. I have

    -Company OU (w/GP)
    -Department OU (no GP)
    -Department 2 OU (w/GP)

    The Department 2 OU GP is not taking precedence over the Company OU GP.
    This behavior is not what I expected. I cannot change the order either. It
    only allows me to have Company OU GP over Department 2 OU GP. I must be
    missing something in my understanding of the hierarchy of precedence.

    Eric Peterson, Nov 17, 2006
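
The thread turns on which policy wins for the two logon rights, so here is a simplified model of the Local, Site, Domain, OU processing order as an added example (not code from any poster). It goes beyond the thread by also modelling nested OUs and the "No Override" (Enforced) link option; it assumes Department 2 OU is nested under Company OU, matches accounts by name instead of by group membership, and uses constructed policy contents and a placeholder account name.

```python
from dataclasses import dataclass, field

LEVELS = ["local", "site", "domain", "ou"]  # processing order, later wins

@dataclass
class GPO:
    name: str
    level: str               # one of LEVELS
    depth: int = 0           # OU nesting: parent OU = 0, child OU = 1
    enforced: bool = False   # "No Override" (Enforced) set on the link
    rights: dict = field(default_factory=dict)  # right -> accounts

def rank(g):
    return (LEVELS.index(g.level), g.depth)

def processing_order(gpos):
    """Return GPOs ordered so the last one has the highest precedence."""
    normal = sorted((g for g in gpos if not g.enforced), key=rank)
    # Enforced links beat everything below them; the highest container wins.
    forced = sorted((g for g in gpos if g.enforced), key=rank, reverse=True)
    return normal + forced

def effective_rights(gpos):
    """Last writer wins per right: the account list is replaced, not merged."""
    rights, source = {}, {}
    for g in processing_order(gpos):
        for right, accounts in g.rights.items():
            rights[right], source[right] = set(accounts), g.name
    return rights, source

def can_logon_locally(account, rights):
    allowed = account in rights.get("SeInteractiveLogonRight", set())
    denied = account in rights.get("SeDenyInteractiveLogonRight", set())
    return allowed and not denied  # an explicit deny overrides the allow

def scenario(company_enforced):
    """Constructed data: local policy as edited by ntrights plus two OU GPOs."""
    admin = "DOMAIN\\Administrator"  # placeholder account name
    gpos = [
        GPO("Local policy", "local", rights={
            "SeInteractiveLogonRight": {admin},
            "SeDenyInteractiveLogonRight": set()}),
        GPO("Company OU GP", "ou", depth=0, enforced=company_enforced,
            rights={"SeDenyInteractiveLogonRight": {admin}}),
        GPO("Department 2 OU GP", "ou", depth=1, rights={
            "SeInteractiveLogonRight": {admin},
            "SeDenyInteractiveLogonRight": set()}),
    ]
    rights, source = effective_rights(gpos)
    return can_logon_locally(admin, rights), source["SeDenyInteractiveLogonRight"]
```

`scenario(False)` lets the child OU's policy decide, while `scenario(True)` shows the parent OU's enforced link overriding it; in both cases the local policy edited with ntrights is overwritten by any domain-based GPO that defines the same right.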