Strange! Strange! Strange! "User cannot logon locally"

Discussion in 'Active Directory' started by John, Jul 18, 2006.

  1. John

    John Guest

    Windows 2003 Std / Active Directory

    The AD structure:
    domain.local
    When I create user under OU_1_1, those user cannot login to the PC that
    joint the domain.
    The error message is "The local policy of this system does not permit you to
    logon interactively".

    I saw there are some group policy setup already, so I tried to insert user
    inside "Allow logon locally" of GP_ALL and GP_1_1 and force update of the
    GP. but failed.

    GP_ALL link with OU_1.
    GP_1_1 link with OU_1_1.
    User cannot login are under OU_1_1

    Which GP should I modify and should I modify Allow logon locally only?

    many thanks
     
    John, Jul 18, 2006
    #1
    1. Advertisements

  2. First get GPMC into place and try to figure out which policy is setting
    this, this may speed up Your troubleshooting problem:
    http://www.microsoft.com/downloads/...24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

    And yes, You should be able to fix it with setting appropriate value for
    this policy
     
    Tomasz Onyszko, Jul 18, 2006
    #2
    1. Advertisements

  3. John

    John Guest

    Thanks Tomasz.
    I am using this tools already. just no idea where to dig into
     
    John, Jul 18, 2006
    #3
  4. John

    Joe Guest

    John

    Group Policies are applied in the following order:

    Local
    Site
    Domain
    Organizational unit (OU)
    Child OU
    and so on

    therefore a policy setting defined at the Domain level can be overwritten if
    the same policy setting is configured at the OU level. To troubleshoot this
    problem I'd suggest you initially define the policy settings at the OU level
    the user resides and ensure that this policy has the highest precedence order
    if multiple GPOs are linked to this OU. The GPMC tool will allow you to
    define the precedence, with a link value of 1 having the highest precedence.
    If this resoles your problem you can step back and design this settin into
    your Group Policy design.

    Joe
     
    Joe, Jul 18, 2006
    #4
  5. John

    John Guest

    in fact i use RSoP to trace alerady which GP is effective one and then
    change it and force again but no use.
    no idea why...

    most likely the right-hand side icon is a "Red Cross".
     
    John, Jul 20, 2006
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.