Local Policy Does not permit logon interactively ~ Urgent help nee
I have two DCs...
We have 1500 users. Out of these, some of the users are not able to log in to the domain; they are getting the error "Local Policy Does not permit logon interactively".
To solve this I did the following things:
1) I changed the Domain Default GP and added Domain Users in Allow login locally
2) Removed the affected PC from the domain and added it again, but it worked for some. How? On some of the machines this policy has applied, but on some of the PCs this policy is not taking effect...
I did gpupdate /force and restarted the PCs but still the same issue...
I applied the above policy yesterday & restarted both my DCs but still some of the PCs are not taking this policy?
Pls help to solve this issue...
RE: Local Policy Does not permit logon interactively ~ Urgent help nee
Hi,
Now as you already know, all domain users should be able to log on to any PC on the network by default, except for Domain Controllers. As you have already troubleshot the problem and worked with group policies and the problem was not sorted out, and since the problem is occurring on some PCs only, I have a feeling that the local computer policy might have been edited (maybe by a virus or so) to prevent users from logging on. To try to solve the problem please do the following:
1- Log on to the affected PC using a local admin account, run gpedit.msc, check the Interactive Logon settings and change them if needed
2- Create a Domain-wide policy and explicitly allow domain users to log on locally; block the Domain Controller OU from inheriting this policy.
Have a nice day and let me know...
--
Ziad K. Chafi
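
The check suggested in the reply above (looking at the interactive logon settings on an affected PC) can also be done from the command line. This is an added example, not part of the original thread; it assumes PowerShell on Windows Vista / Server 2008 or later, an elevated prompt under a local administrator account, and a scratch file name chosen here for illustration.

```powershell
# Added example: dump the effective user-rights assignment on an affected PC
# and list who holds the allow/deny interactive-logon rights.
$cfg = Join-Path $env:TEMP 'user_rights.inf'   # scratch file (assumed name)
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Entry([string]$Entry) {
    # secedit writes most holders as *S-1-...; anything else is already a name
    $e = $Entry.Trim()
    if (-not $e.StartsWith('*')) { return $e }
    $sid = $e.Substring(1)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        "$sid (unresolved)"    # deleted account or unreachable domain
    }
}

foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    $hit = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $hit) {
        "{0}: not defined on this machine" -f $right
        continue
    }
    "{0}:" -f $right
    ($hit.Line -split '=', 2)[1] -split ',' |
        Where-Object { $_.Trim() } |
        ForEach-Object { "    " + (Resolve-Entry $_) }
}
Remove-Item $cfg

# List the GPOs applied to the computer, to see where the setting came from
# (for example, whether the Default Domain Controllers Policy shows up on a workstation).
gpresult /r /scope computer
```

A user is refused with this error when none of their groups appears under SeInteractiveLogonRight, or when one of them appears under SeDenyInteractiveLogonRight, which takes precedence over the allow right.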
RE: Local Policy Does not permit logon interactively ~ Urgent help
Hi
What we are trying is to block the inheritance of the default domain controller policy to all OUs except for the DCs.
Is it required to move the computers from the Computers OU to the respective OUs?
RE: Local Policy Does not permit logon interactively ~ Urgent help
Hello,
The Default Domain Controllers Policy should only be applied to the Domain Controllers OU, which contains only Domain Controllers by default. From what you are saying, I understand that the Default Domain Controllers Policy is affecting all computers, so someone might have linked the policy to the domain. This will cause lots of inconveniences, so if this is the case, you have to immediately remove the link at the domain level and this should solve the problem.
Let me know...
--
Ziad K. Chafi
RE: Local Policy Does not permit logon interactively ~ Urgent help
Dear Ziad
If we block inheritance of the default domain controller policy to the rest of the OUs, will it solve the issue?
Is it required to move the computers from the OU - Computers to the respective OUs?
RE: Local Policy Does not permit logon interactively ~ Urgent help
Hello,
As I told you before, the Default Domain Controllers Policy should not be linked to the domain and should not affect any computer but DCs.
Now if you prefer to link the policy to the domain you have to know the following:
1- The policy has restrictions on who can log on locally, and this is what is causing your problems
2- Blocking inheritance will not solve your problem since all computers are created by default in the default Computers container, which is not an OU, so you can't block inheritance on the container
To solve the problem you have to move all computers to their respective OU and then block inheritance on the OU.
Hope it helps.
--
Re: Local Policy Does not permit logon interactively ~ Urgent helpnee
I've seen this before in some domains when time synchronization fails on some machines.
Authentication is apparently time-synchronous sensitive. Compare the times on the machines that users are having problems with and reset if necessary. You might also consider rebooting one of these machines as a service might have become wedged.
Re: Local Policy Does not permit logon interactively ~ Urgent help
Hi Sammy,
Actually what you said is true: the authentication process in Microsoft domains depends mainly on the Kerberos protocol, which uses system time in the process of encrypting user credentials and sending them to a DC, so if there is no time sync between a client computer and the DC, the user cannot log on. But he will not receive the "Local Policy Does not permit logon interactively" message; he will receive a message saying that the user cannot log on due to the time difference.
Have a nice day.
--
Ziad K. Chafi
Re: Local Policy Does not permit logon interactively ~ Urgent help nee
Hi,
I am facing the same issue. Which virus is this... how to remove it? Please help... I moved the infected users into the new OU but the problem still persists... I even formatted some of the Windows XP machines but even then the problem persists... Please help... I have a Windows Server 2008 and 9000 users in my network and about 500 users are suffering... Please help...