Managing user rights in Windows 2000 allows the IT professional to keep tabs on who’s using what and when and how. But system administrators must be careful when establishing workstation settings. User access, even though explicitly granted in one case, can be affected by previous overlapping security settings. A well-planned security hierarchy can often fall victim to logon errors. Such an error can be quite a headache, especially when the cause isn’t apparent.

Can’t log on interactively?
TechRepublic member joegrosskopf writes: “I have been battling this message ever since I started using Windows 2000. I am fed up. Each time, I cannot fix it and have to reinstall 2000. Can anyone tell me what I am doing wrong?” In this case, the member installed Windows 2000 using the workgroup setting. After installation, he can log on properly with no difficulties or hang-ups. But after granting “everyone” local logon rights to the workstation and then adding the computer to the domain, problems arise. The log on interactively error “appears whether I am logging in to the domain or the workstation. I cannot use administrator or the test user I set up.”

Searching for a solution, joegrosskopf turned to running Ntrights.exe. Unfortunately, doing so only compounded the problem, producing an Error Open Policy message. So what can this member do? For most IT pros, the next course of action would call for a visit to Microsoft Support and its Knowledge Base. But according to this frustrated user, “there is nothing there,” so he asks TechRepublic members for their help.

Check your security parameters
Member Datacon can relate to joegrosskopf’s problem. “I had this stupid error come up last week as well. I was setting some security policies on my primary domain controller and my secondary domain controller would not let me log in with admin status.” Believing the problem to lie in admin and administrator user names, Datacon suggests looking at the local security policies. After adding a local user, Datacon experienced the same error message but soon discovered a security parameter was locking him out.

Member Deja_Vu reiterates this point, asking, “Are you sure that you are not selecting the option to deny everyone the Logon Locally right?” If this is the case, the solution might be as simple as changing a setting and rebooting. Deja_Vu continues, “Also do it without explicitly giving everyone [the Logon] Locally right. It will work without telling Windows 2000 that.” He refers joegrosskopf to the Microsoft KB article Q276590.

Will this fix the logon problem? According to the Knowledge Base article, the message “The Local policy of this system does not permit you to log on interactively” can occur when a user is a member of multiple groups. In Windows 2000, a policy that denies user rights takes precedence over a policy that enables user rights. You can resolve the problem by using an administrative account on another client to access the problematic computer and then running the Ntrights.exe program (in the Microsoft Windows 2000 Resource Kit) to remove the user from the Deny Logon Locally user right.
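The deny-over-allow rule described above can be checked against an exported policy before anyone is locked out. The following is an added example, not code from the article or from Microsoft: it parses the [Privilege Rights] section of a security template (the INF layout written by secedit /export) and evaluates local logon for a user. The sample policy and account names are constructed, and principals are matched by name as a simplification rather than resolved to SIDs.

```python
# Constructed sample of a security template's [Privilege Rights] section;
# the entries are made up to reproduce the lockout described in the article.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = Administrators,Everyone,Users
SeDenyInteractiveLogonRight = Everyone
SeNetworkLogonRight = Administrators,Everyone
"""

ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"

def parse_privilege_rights(inf_text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def interactive_logon(rights, user, groups):
    """Evaluate local logon for a user; a deny entry beats any allow entry."""
    # Assumption: every interactive user also carries the Everyone group.
    principals = {user.lower(), "everyone"} | {g.lower() for g in groups}
    denied_by = sorted(principals & rights.get(DENY, set()))
    allowed_by = sorted(principals & rights.get(ALLOW, set()))
    if denied_by:
        return False, "denied via " + ", ".join(denied_by)
    if allowed_by:
        return True, "allowed via " + ", ".join(allowed_by)
    return False, "no allow entry matches"

if __name__ == "__main__":
    policy = parse_privilege_rights(SAMPLE_INF)
    for user, groups in [("Administrator", ["Administrators"]),
                         ("testuser", ["Users"])]:
        print(user, interactive_logon(policy, user, groups))
```

With the constructed policy, both the administrator and the test user are refused because Everyone appears in the deny right, even though each is also covered by an allow entry.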

We need your help

Do you have a fix to joegrosskopf’s logon problem? Experiencing a similar dilemma? Post a comment to this article or visit TechRepublic’s Technical Q&A section to share your thoughts.