The local policy of this system logon interactively

Today 2 home windows xp workstations (I recognize...I know) on our doprimary won"t permit the user to login. Tbelow isn"t a password error however a message that claims "Local plan does not permit you to log on interactively"

The domajor controller for these dinosaurs is via Windows 2000.

You watching: The local policy of this system logon interactively

I"ve found a bunch of stuff on google that talks about the local protection plan which I"ve tweaked but to no avail.

What"s weird is that I have the right to login with the local administrator. And I can login via a domajor admin account. 

I tried taking the computer off the domain, and also then joining it aget too. But that didn"t work-related.




Best Answer
*

Jalapeno
OP
Mike Keighley
This perchild is a showed experienced.
Verify your account to enable IT peers to check out that you are a skilled.
Sep 25, 2014 at 15:13 UTC

Go_Devils42 wrote:

And I deserve to login with a domain admin account. 

I tried taking the computer system off the domain, and also then joining it again too. But that didn"t work-related.



Yes, that is the usual one in my experience: the machine account password gets out of sync via the DC. Usually though, that breaks domain-admin login and also domain-user login and also needs regional admin in order to leave/re-join the domain. So, maybe not in this case...

The cramelted doprimary controller sounds choose a suspicious coincidence ! Have you run dcdiag given that it came earlier up ? Also repadmin /showrepl (assuming you have actually more than one DC ?)

Also inspect the workstations for any kind of event log entries which might imply challenge talking to the DC (any kind of DC, not just the one you think they are authenticating against)


View this "Best Answer" in the replies listed below »

12 Replies


· · ·
*

Serrano
OP
rtash32785 Sep 24, 2014 at 21:07 UTC

Just making sure what the issue is - did you check ?

http://assistance.microsoft.com/kb/289289


2
· · ·

Ghold Chili
OP
Sid Phiilips Sep 24, 2014 at 21:10 UTC

My guess is something is up via the prorecords. You said it"s random, what execute you carry out, simply save rebooting until it let"s you in?


1
· · ·
*

Jalapeno
OP
Go_Devils42 Sep 24, 2014 at 21:27 UTC

rtash - tried that and no luck sadly

trel - I misoffered the word random. Just expected that there were 4 workstations in this area through the exact same GPO. They"ve been offered daily for months through no problems.

It actually never before permits the user that demands accessibility in. It only permits regional administrator or the domain administrator access.

Now... here"s the kicker. The DC that runs ADs for these XP machines shed its power throughout an outage last night once the UPS ran out of juice. I"ve rebooted the DC. I"ve done device restores on the two workstations yet to no avail.

Any further thoughts?


0
· · ·

Gorganize Chili
OP
Sid Phiilips Sep 24, 2014 at 21:33 UTC

You said you can login using the domajor admin account, include an additional user from the domajor (one that has never before been on this machine) and also check out if it will login effectively.


1
· · ·
Pure Capsaicin
OP
DragonsRule
This person is a proved experienced.
Verify your account to allow IT peers to view that you are a skilled.
Sep 24, 2014 at 21:45 UTC
Active Directory & GPO expert
150 Best Answers
142 Helpful Votes

Do you have actually any type of GPOs with Deny Logon Locally? Maybe the customers in question have actually that applied?


0
· · ·
· · ·
Jalapeno
OP
Go_Devils42 Sep 24, 2014 at 21:53 UTC

I guess my question is why would certainly this have actually changed? That was the random statement. Our GPO is the very same for all workstations. And we have no difficulties via any type of other makers.

See more: How To Bypass Factory Reset Protection ( Frp Bypass Note 5, Frp Bypass Galaxy Note 5 Android 7

Will attempt logging in with one more non-admin user though. Great idea


0
· · ·
Thai Pepper
OP
RobT64
This perkid is a showed skilled.
Verify your account to permit IT peers to view that you are a expert.
Sep 25, 2014 at 00:36 UTC

Some protection upday that was applied and also never rebooted after maybe? As a test perhaps add domain customers to the neighborhood administrators group and also watch if they have the right to log in then. That will tell you if it"s a neighborhood plan point.

RobT.


3
· · ·
Serrano
OP
Steve Consolini Sep 25, 2014 at 02:18 UTC

You can try to run RSOP against among the offfinishing equipments to see which GP is leading to the worry.


0
· · ·
Jalapeno
OP
Matthew666 Sep 25, 2014 at 05:54 UTC

Try checking the neighborhood plan of the COMPUTER by making use of gpmodify.msc

Check that the protection team Users is detailed under Computer Configuration -> Windows Settings -> Security Setups -> Local Policies -> User Right Assignments -> Allow log on locally

Make certain that user account that is having trouble is also a member of the Users team.


1
· · ·
Jalapeno
OP
Best Answer
Mike Keighley
This perchild is a showed professional.
Verify your account to enable IT peers to watch that you are a experienced.
Sep 25, 2014 at 15:13 UTC

Go_Devils42 wrote:

And I deserve to login with a doprimary admin account. 

I tried taking the computer off the domain, and then joining it again too. But that didn"t job-related.



Yes, that is the usual one in my experience: the machine account password gets out of sync with the DC. Usually though, that breaks domain-admin login as well as domain-user login and demands regional admin in order to leave/re-join the domain. So, maybe not in this situation...

The crashed doprimary controller sounds favor a suspicious coincidence ! Have you run dcdiag considering that it came back up ? Also repadmin /showrepl (assuming you have actually even more than one DC ?)

Also check the workstations for any type of event log entries which can indicate obstacle talking to the DC (any DC, not just the one you think they are authenticating against)


1
· · ·
Pimiento
OP
phuongle2 Sep 25, 2014 at 20:38 UTC

Not sure if you tried this but I would certainly dis-sign up with and delete the computer system object in AD and then re-resign up with.

See more: Called A Phone But Got User Busy Iphone Meaning, What Does User Busy Mean


0
· · ·
Jalapeno
OP
Go_Devils42 Sep 26, 2014 at 18:46 UTC

So basically somehow the workstations gained kicked out of the group they were in and required to be re-included in order for their particular login to work-related per the team plan. This is the watered dvery own variation of what occurred, but I appreciate all the help and currently understand way even more than I had prior to functioning on this.

But that"s the great part of the jiyuushikan.org right? What does not make you pull your hair out makes you more practical of an ascollection. Or something... :)


2

This topic has been locked by an administrator and also is no longer open for commenting.