General discussion

Locked

User Profile

By 4d_striker ·
I've a W3k dc and all users accts created. W98 clients have no problem logging on to dc. However, with W2k pro clients, other than administrator, all users are not able to logon. Err msg is unable to logon interactively. Please advise me on solution.

This conversation is currently closed to new comments.

8 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by kevin5597 In reply to User Profile

Hi,

Check your server Event Log to track the error...

Anyway, did you add your client computer to join domain and add a domain user to your client machine?

This option do not need in Win98.

Collapse -

by 4d_striker In reply to

Poster rated this answer.

Collapse -

by 4d_striker In reply to User Profile

Yes, computer acct & domain user added.

Collapse -

by EdLockett In reply to User Profile

Two things to check :

1. DNS. Are the clients configured by DHCP? If so check your DNS servers option on your DHCP server. If not, then you will need to specify your DNS server in the TCP/IP properties of the connection.

2. Group Policy. Check you have not restricted the log on locally right from within Computer Settings > Windows Settings > Security Settings > Local Policies > User Rights Assignment .
This setting is configured in the default domain controllers policy to restrict this right to members of the administrators group only. Check that this policy is linked only to the Domain Controllers OU.

Collapse -

by BFilmFan In reply to User Profile

You have an issue in your security settings in a GPO. As GPO's do not apply to Windows 98 systems and those systems are functioning correctly.

Most likely, you have restricted access this computer from the network, deny logon locally and logon locally in an incorrect manner. It is most likely being set by the Default Domain Group Policy Object.

You can check this with a resultant set of policies that are being applied to the workstation. The instructions for using RSOP can be found here:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/RSPhowto.asp?frame=true

Collapse -

by BFilmFan In reply to

A fast and efficient way of checking to see if it is a GPO issue is to do the following:

(You should note that this could cause significant ramifications on security policy in your environment; thus, you should always test this before attempting it in a production environment. This is the beauty of VMWare, which allows you to have a test bed for your AD environment.)

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, right-click the domain or organizational unit for which you want to configure a Group Policy setting, click Properties, and then click the Group Policy tab.

3. Highlight the GPO which you believe is causing the issue.

4. Right click and choose Rename.

5. Rename the GPO. As a best practice you may want to use the format "Current GPO name" appended with a "-" and "OLD."

Example:

Default Domain Policy becomes Default Domain Policy-OLD.

6. Allow replication occur within Active Directory. Depending on the speed of your Active Directory site links, this might be a significant amount of time.

7. Click the NEW button.

8. Name the new policy. In this case it would be Default Domain Policy. DO NOT enter any settings in the policy.

9. Allow replication to occurr again.

10. Force the GPO change to the workstations and users with the commands:

Windows 2000:

Force GPO change for a machine policy

secedit /refreshpolicy machine_policy /enforce

Force GPO change for a user policy

secedit /refreshpolicy user_policy /enforce

For Windows XP:

gpupdate /force

How to edit GPO's using the Microsoft Management Console Method are explained here:

http://support.microsoft.com/?kbid=322176

Microsoft has an excellent guide to securing Windows 2003 server available here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Collapse -

by 4d_striker In reply to User Profile

Thank you very much for all your assistance. You guys are right about gpo. My boss set a logon locally restriction on computers to domain admins only.

Collapse -

by 4d_striker In reply to User Profile

This question was closed by the author

Back to Networks Forum
8 total posts (Page 1 of 1)  

Related Discussions

Related Forums