Tech Support Guy banner
Status
Not open for further replies.
1 - 17 of 17 Posts

· Registered
Joined
·
37 Posts
The better way would be to adjust the local policy to allow Domain Users to log on locally.

By default, the server only allows certain local groups with high-level access (Admins, power users, backup operators, etc.) to log on locally. If there is no explicit reason to add all users to one of these groups, then adjust the policy.

Don't give them more rights than they need is the general rule.
 

· Registered
Joined
·
8,981 Posts
Lardog,

Can you give details?

Does it require Active Directory?

I have read a lot about both of these issues but I don't have a lot of experience working with them and I would like to learn more.
 

· Registered
Joined
·
202 Posts
Discussion Starter · #5 ·
I have done that but it still doesn't work.
I noticed that the effective setting is not updated.

Originally posted by Lardog:
The better way would be to adjust the local policy to allow Domain Users to log on locally.

By default, the server only allows certain local groups with high-level access (Admins, power users, backup operators, etc.) to log on locally. If there is no explicit reason to add all users to one of these groups, then adjust the policy.

Don't give them more rights than they need is the general rule.
 

· Registered
Joined
·
8,981 Posts
No AD changes are required. Go to the server, log on as an Admin, and run Microsoft Management Console (MMC).

It allows you to create and manage local users and groups. It is available on Active Directory Domain Controller servers, which is a good thing as you would never want a non-admin touching it.
 

· Registered
Joined
·
37 Posts
I would not suggest creating local user accounts. Kind of defeats the purpose of having a domain.

Setting the local policy should work, unless there is another domain policy that has defined this behavior explicitly. Remember that domain policy will override local policy. This sounds like what is happening in your case, assuming you are doing it correctly.

Is your machine a DC? If so, then you would need to edit the Default Domain Controllers policy as this is defined by default.

Otherwise, check with your network or domain admin to find out.
 

· Registered
Joined
·
37 Posts
Originally posted by Dan O:
I have also added Domain user names to a Local Group and I was able to logon locally.

You're missing the point.

I was actually incorrect about the default settings in W2K. I guess I was flashing back on NT4 user rights. Anyhow, the defaults for log on locally rights for W2K are outlined at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/547.asp.

However, regardless of the defaults, if adjusting the local policy does not reflect in the effective policy, that would mean that the effective policy is most likely being pushed down from a higher level, meaning it is probably being defined in either domain or OU level policy. Both of these would result in overriding your local policy settings. Creating local users or adding domain users to any groups, other than those defined within the effective policy, will not yield successful results.

Additionally, there could be a specific "Deny logon locally" policy set. This would override the logon locally setting as well.

Sentme,
When you view the policy settings, can you see the effective policy settings also? They should list the users and/or groups that have the logon locally right. Typically, this will display as greyed out check boxes when domain policy is in place. Only those users that fall within these defined rights will be able to log on locally. Also, check the Deny policy to see if it has been defined.
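
Added example, not part of the original thread: the check described in the post above (is the account covered by the log on locally right, and does a deny entry override it), run against a user-rights export in the INF layout that `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes. The sample export, the EXAMPLE domain and its group names are constructed, and the caller is assumed to supply the account's group memberships.

```python
# Constructed sample in the INF layout written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (real exports are UTF-16; open them with encoding="utf-16").
# The EXAMPLE domain and its group names are hypothetical.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,EXAMPLE\\Helpdesk
SeDenyInteractiveLogonRight = EXAMPLE\\Contractors
[Version]
signature="$CHICAGO$"
Revision=1
"""

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"


def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Entries are "*SID" or account names; normalise for comparison.
            rights[name.strip()] = {
                m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()
            }
    return rights


def can_log_on_locally(rights, principals):
    """principals: the account plus every group it is a member of."""
    ids = {p.lower() for p in principals}
    denied = ids & rights.get(DENY, set())
    if denied:  # an explicit deny overrides any allow entry
        return False, "denied via " + ", ".join(sorted(denied))
    granted = ids & rights.get(ALLOW, set())
    if granted:
        return True, "allowed via " + ", ".join(sorted(granted))
    return False, "not listed in " + ALLOW


if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    print(can_log_on_locally(rights, ["EXAMPLE\\alice", "EXAMPLE\\Domain Users"]))
```

With the sample above, a plain Domain Users member is refused because no group it belongs to is listed, which is the situation the thread describes.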
 

· Registered
Joined
·
37 Posts
There you go. Effective policy=actual policy. If the users you want to add are not reflected in the effective policy, it's not gonna happen.

Check with your domain admin. That's all you can do at this point.
 