interactive logon not permitted

can anyone help with this problem before i throw my server out of the windows.

have installed server 2003 enterprise on server. promoted to dc created 2 basic user accounts. at client end when these 2 try to log into domain get this

this system does not permit interactive logins.

if i make the 2 users members of domain admins log in no problem once i remove dom admin membership can't login again.
and i don't want all my users to be admins.

any help

ps i have looked at allow logon locally- not that.
i have not changed any domain gpo's since install so system is setup as is.

any ideas

cheers

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Silver Bullet

I am kinda confused by your post.....please elaborate.

First you said:

ps i have looked at allow logon locally- not that.

Then you said:

i have not changed any domain gpo's since install so system is setup as is.

By default, Windows server 2003 does not allow users to log on to the Server locally. In order to change this you have to edit the group policy and define the users/groups you want to allow to log on locally. Even though this machine is a domain controller, any logon attempt to the server is considered a local logon.

To change this you will need to open Active Directory Users and Computers. Right click on your domain controller and choose properties. Choose the Group Policy tab. Highlight the "Default Domain Policy" and choose Edit. You will find this setting under Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment. The policy you want to edit is Allow Log on Locally. Add the User/Group that needs to log on to the Server.

Repost if that is not the info needed or if you have already done that and I misread your post.

RussS

Silver Bullit has it covered .... Server 2003 does not allow users to log on interactively.
I am not sure that I would want to change the security policy to allow this though. IMHO you are better installing Terminal Services if you want users to log on interactively as you can control things better.

cknape

what i mean is new users can't login to domain.
i don't want users logging in to server. but someone had already said check allow logon locally to try to solve problem.
but thats nothing to do with it.

i just want users to log into domain from their client machines which they can't unless i make them admins.

i don't know why the error message no interactive login permitted comes up. i just want users to login on to the domain i have created.

is this a bit more clear.

cheers

Silver Bullet

http://support.microsoft.com/?kbid=276590
http://support.microsoft.com/?kbid=267553
http://support.microsoft.com/?kbid=227904
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q247/9/89.ASP&NoWebContent=1

Here are a couple M$ KB articles about that error message. I think it is the last one that says to do what I suggested you do previously.

rossonieri#1

hello,

very simple maybe - to answer your q.
if you dont want your user to access the server locally - why would you setup 2 w2k3 server as client and server?

cheers...

sprkymrk

Please excuse if this is a stupid question - did you first join the work stations to the new domain? Are they logging into the domain or the work station? Big difference...