Monday, December 31, 2012

Win 2008 R2 + Active Directory. Local Logon.

Foreword:
Allowing users to log on locally to the server is wrong, because it is a server, not a workstation.
But I have my own reasons to do this (this is not an actual server in my case; I use a VM to do some testing).

The Problem:
Users from the Users group or any other custom group are not able to log on locally to the AD domain controller machine:

"You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more information."



Solution (no AD):
- run gpedit.msc
- navigate to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment
- check the "Allow log on locally" policy and the "Deny log on *" policies. Add or remove Groups\Users in these policies as needed.

If you have AD, you will not be able to add new Groups\Users to the "Allow log on locally" policy this way.



Solution 1 (AD):
- run "Group Policy Management" console
- select your domain under the "Forest"\Domains
- select "Default Domain Controllers Policy" under the "Domain Controllers", right click on it and select "Edit..."
- in the opened "Group Policy Management Editor" window, navigate to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment
- Add Groups\Users to the "Allow Log on locally" policy.


Solution 2 (AD):
- run mmc
- select "add snap-in" in the main menu
- select "Group Policy Management Editor" and press add. Select Group Policy Object (your domain) in the popup window. Press finish.
- Press ok to close "Add or remove snap-ins" window
- navigate to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment
- Add Groups\Users to the "Allow Log on locally" policy.
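
To confirm what the domain controller actually enforces after either solution, the effective user rights can be exported and read back. The script below is an added example, not part of the original post; it assumes an elevated PowerShell session on the domain controller, and the function name `Get-LogonRightAssignment` is hypothetical. "Allow log on locally" is stored as `SeInteractiveLogonRight` and "Deny log on locally" as `SeDenyInteractiveLogonRight`.

```powershell
# Added example: list the accounts that hold the local logon rights on this machine.
# Get-LogonRightAssignment is a hypothetical helper name, not a built-in cmdlet.
function Get-LogonRightAssignment {
    param(
        [string[]]$Right = @('SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight')
    )
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the effective security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
        $lines = Get-Content $cfg

        foreach ($name in $Right) {
            # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
            $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
            if (-not $line) {
                # A right with no holders is normally omitted from the export.
                [pscustomobject]@{ Right = $name; Account = '(not assigned)'; Sid = $null }
                continue
            }
            $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
            foreach ($entry in $entries) {
                if ($entry -eq '') { continue }   # right present but empty
                $account = $entry
                $sid = $null
                if ($entry.StartsWith('*')) {
                    # SIDs are prefixed with '*'; resolve them to DOMAIN\name where possible.
                    $sid = $entry.TrimStart('*')
                    try {
                        $id = [System.Security.Principal.SecurityIdentifier]$sid
                        $account = $id.Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $account = '(unresolved SID)'   # deleted account or unreachable domain
                    }
                }
                [pscustomobject]@{ Right = $name; Account = $account; Sid = $sid }
            }
        }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Refresh computer policy first so the export reflects the edited GPO.
gpupdate.exe /target:computer /force | Out-Null
Get-LogonRightAssignment | Format-Table -AutoSize
```

Any group that appears under `SeInteractiveLogonRight` here can log on at the console of the domain controller, so on anything other than a test VM the list should stay limited to administrative groups; an account listed under both rights is denied, because the deny right takes precedence.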
