Log on Locally

By NateH
Hi all,

Relative novice in AD admin.

As a test and to learn a bit more, I created a new OU
called SpecialUser. I then created a Group (called
SpecialGroup) and User (called SpecialUser) in that OU.

Then I created a new Group Policy and linked it to that
OU. In the group policy I set the permission "Log On
Locally" for the SpecialGroup in that OU.

The problem is that when I try to log on locally to the
server as the SpecialUser, I get the error message that
the local policy does not permit me to log on locally.

I know that I can set that permission in the Default
Domain Policy, but I want this permission only for this
special group, not for anyone else.

Any ideas why this OU policy would not work?



All Comments

by birzes In reply to Log on Locally

The local policies on the local computer are overriding the group policy you set on the domain.

by NateH In reply to

Poster rated this answer.

by timwalsh In reply to Log on Locally

If the server is a DC, that is the problem. All DCs exist in an OU called Domain Controllers. There is a separate default Domain Controller Group Policy object (GPO). The DC GPO takes precedence over the Domain GPO.

By the way, local machine GPOs NEVER take precedence over other GPOs. GPOs are applied in the following order, with GPOs applied later in the order taking precedence: local computer, (AD) site, domain, OU. Since the OU GPO is applied last it takes precedence (if there are conflicts) over ALL other GPOs.

by NateH In reply to

Poster rated this answer.
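
A way to check the point made in the answer above on the server itself, as an added example that is not part of the original thread: it shows where the computer account sits in AD, which accounts currently hold "Log on locally" (SeInteractiveLogonRight) on that machine, and which GPOs were applied to the computer. The temp file name `user-rights.inf` is an assumption.

```powershell
# Run from an elevated PowerShell prompt on the server where the logon is refused.

# 1. Locate the computer account in AD. "Log on locally" is a computer-side
#    setting (Computer Configuration > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment), so the GPOs that count are the
#    ones in scope for this object, e.g. OU=Domain Controllers on a DC.
$filter   = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$computer = ([adsisearcher]$filter).FindOne()
if ($computer) {
    "Computer object: $($computer.Properties['distinguishedname'][0])"
} else {
    "Computer account not found in AD (is this machine domain-joined?)"
}

# 2. Export the user rights currently in effect on this machine.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# 3. List who holds "Log on locally" and resolve SIDs to account names.
$hit = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=\s*(.*)$'
if (-not $hit) {
    "SeInteractiveLogonRight is not defined in the exported policy"
} else {
    foreach ($entry in ($hit.Matches[0].Groups[1].Value -split ',')) {
        $entry = $entry.Trim()
        if ($entry -like '`*S-*') {
            # secedit writes SIDs with a leading asterisk
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # SID with no resolvable name
        } else {
            $entry
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Show which GPOs were applied to the computer and which were filtered out.
gpresult /r /scope computer
```

If SpecialGroup is missing from the step 3 output and the GPO linked to the new OU is missing from the step 4 list, that GPO is not in scope for this computer object.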

by NateH In reply to Log on Locally

This question was closed by the author
