Strange! Strange! Strange! "User cannot logon locally"

Discussion in 'Active Directory' started by John, Jul 18, 2006.

  1. John

    John Guest

    Windows 2003 Std / Active Directory

    The AD structure:
    When I create user under OU_1_1, those user cannot login to the PC that
    joint the domain.
    The error message is "The local policy of this system does not permit you to
    logon interactively".

    I saw there are some group policy setup already, so I tried to insert user
    inside "Allow logon locally" of GP_ALL and GP_1_1 and force update of the
    GP. but failed.

    GP_ALL link with OU_1.
    GP_1_1 link with OU_1_1.
    User cannot login are under OU_1_1

    Which GP should I modify and should I modify Allow logon locally only?

    many thanks
    John, Jul 18, 2006
  2. First get GPMC into place and try to figure out which policy is setting
    this, this may speed up Your troubleshooting problem:

    And yes, You should be able to fix it with setting appropriate value for
    this policy
    Tomasz Onyszko, Jul 18, 2006
  3. John

    John Guest

    Thanks Tomasz.
    I am using this tools already. just no idea where to dig into
    John, Jul 18, 2006
  4. John

    Joe Guest


    Group Policies are applied in the following order:

    Organizational unit (OU)
    Child OU
    and so on

    therefore a policy setting defined at the Domain level can be overwritten if
    the same policy setting is configured at the OU level. To troubleshoot this
    problem I'd suggest you initially define the policy settings at the OU level
    the user resides and ensure that this policy has the highest precedence order
    if multiple GPOs are linked to this OU. The GPMC tool will allow you to
    define the precedence, with a link value of 1 having the highest precedence.
    If this resoles your problem you can step back and design this settin into
    your Group Policy design.

    Joe, Jul 18, 2006
  5. John

    John Guest

    in fact i use RSoP to trace alerady which GP is effective one and then
    change it and force again but no use.
    no idea why...

    most likely the right-hand side icon is a "Red Cross".
    John, Jul 20, 2006
