logon locally

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.
Joined
Dec 25, 2002
Messages
37
The better way would be to adjust the local policy to allow Domain Users to log on locally.

By default, server only allows certain local groups with high level access (Admins, power users, backup operators, etc...) to log on locally. If there is no explicit reason to add all users to one of these groups, then adjust the policy.

Don't give them more rights than they need is the general rule.
 
Joined
Feb 13, 1999
Messages
8,974
Lardog,

Can you give details?

Does it require Active Directory?

I have read a lot about both of these issues but I don't have a lot of experience working with them and I would like to learn more.
 

sentme_mail

Thread Starter
Joined
Apr 30, 2002
Messages
200
I have done that but it still doesn't work.
I noticed that the effective setting is not updated.

Originally posted by Lardog:
The better way would be to adjust the local policy to allow Domain Users to log on locally.

By default, server only allows certain local groups with high level access (Admins, power users, backup operators, etc...) to log on locally. If there is no explicit reason to add all users to one of these groups, then adjust the policy.

Don't give them more rights than they need is the general rule.
 
Joined
Feb 13, 1999
Messages
8,974
sentme_mail,

What I suggested does work because it is what I do all the time.
 
Joined
Feb 13, 1999
Messages
8,974
No AD changes are required. Go to the server, Logon as an Admin, and run Microsoft Management Console (MMC).

It allows you to create and manage local users and groups. It is available on Active Directory Domain Controller servers, which is a good thing as you would never want a non-admin touching it.
 

sentme_mail

Thread Starter
Joined
Apr 30, 2002
Messages
200
It doesn't work.
The users that I configured to have logon locally rights are not reflected as effective settings in the local security
 
Joined
Feb 13, 1999
Messages
8,974
You have to have the user change the Domain name to the Computer name, which is the third line on Logon.
 
Joined
Dec 25, 2002
Messages
37
I would not suggest creating local user accounts. Kind of defeats the purpose of having a domain.

Setting the local policy should work, unless there is other domain policy that has defined this behavior explicitly. Remember that domain policy will override local policy. This sounds like what is happening in your case, assuming you are doing it correctly.

Is your machine a DC? If so, then you would need to edit the Default Domain Controllers policy as this is defined by default.

Otherwise, check with your network or domain admin to find out.
 
Joined
Feb 13, 1999
Messages
8,974
I have also added Domain user names to a Local Group and I was able to logon locally.
 
Joined
Dec 25, 2002
Messages
37
Originally posted by Dan O:
I have also added Domain user names to a Local Group and I was able to logon locally.
You're missing the point.

I was actually incorrect about the default settings in W2K. I guess I was flashing back on NT4 user rights. Anyhow, the defaults for log on locally rights for W2K are outlined at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/547.asp.

However, regardless of the defaults, if adjusting the local policy does not reflect in the effective policy, that would mean that the effective policy is most likely being pushed down from a higher level, meaning it is probably being defined in either domain or OU level policy. Both of these would result in overriding your local policy settings. Creating local users or adding domain users to any groups, other than those defined within the effective policy, will not yield successful results.

Additionally, there could be a specific "Deny logon locally" policy set. This would override the logon locally setting as well.

Sentme,
When you view the policy settings, can you see the effective policy settings also? They should list the users and/or groups that have the logon locally right. Typically, this will display as greyed out check boxes when domain policy is in place. Only those users that fall within these defined rights will be able to log on locally. Also, check the Deny policy to see if it has been defined.
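
Added example, not part of the original thread: a way to see from the command line which accounts hold the "log on locally" and "Deny logon locally" rights that are actually in force on a machine, which is the check the last post asks for. It assumes a current Windows system with PowerShell 5 or later, an elevated prompt, and the built-in secedit.exe; the temporary file name is made up for the example.

```powershell
# Added example. Run from an elevated PowerShell prompt on the server in question.
# Exports the user rights assignment currently applied on this machine and lists
# who holds the two rights discussed in the thread.
$rights = [ordered]@{
    SeInteractiveLogonRight     = 'Log on locally'
    SeDenyInteractiveLogonRight = 'Deny logon locally'
}

# Hypothetical temp file name; removed again in the finally block.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    $lines = Get-Content -LiteralPath $cfg
    foreach ($right in $rights.Keys) {
        "{0} ({1})" -f $rights[$right], $right
        $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        if (-not $line) { '    <no entry in export>'; continue }

        # The value is a comma-separated list of accounts.
        $members = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($m in $members) {
            # secedit writes most entries as *SID; resolve them to account names.
            if ($m.StartsWith('*')) {
                $sid = $m.Substring(1)
                try {
                    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = '<unresolved>' }
                "    $name [$sid]"
            } else {
                "    $m"
            }
        }
    }
} finally {
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
}
```

If the list printed here differs from what was set in the local policy, a domain or OU policy is supplying the value; `gpresult /h report.html` shows which GPO it came from.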
 